CRA_Conformity_Assessment_Process.md
June 28, 2026 Β· View on GitHub
π‘οΈ Hack23 AB β CRA Conformity Assessment Process
Evidence-Driven Conformity Through Systematic Assessment
Demonstrating CRA Compliance Excellence for Cybersecurity Consulting
π Document Owner: CEO | π Version: 1.5 | π
Last Updated: 2026-06-28 (UTC)
π Review Cycle: Annual | β° Next Review: 2027-06-28
π― Purpose Statement
Hack23 AB's CRA conformity assessment process demonstrates how systematic regulatory compliance directly enables business growth rather than creating operational burden. Our comprehensive assessment framework serves as both operational tool and client demonstration of our cybersecurity consulting methodologies.
As a cybersecurity consulting company, our approach to CRA compliance becomes a showcase of professional implementation, demonstrating to potential clients how systematic regulatory adherence creates competitive advantages through robust security foundations while enabling EU market access.
Our commitment to transparency means our conformity assessment practices become a reference implementation, showing how comprehensive regulatory compliance enables business expansion while protecting organizational interests and maintaining stakeholder trust.
β James Pether SΓΆrling, CEO/Founder
π Purpose & Scope
This process provides a concise, repeatable CRA Conformity Assessment format (preβmarket & ongoing) for all six Hack23 AB products (CIA, Black Trigram, CIA Compliance Manager, European Parliament MCP Server, EU Parliament Monitor, Riksdagsmonitor). Aligns with CRA Annex I & V, Hack23 classification, secure development, and transparency policies.
Scope: All products within Asset Register requiring EU market placement.
π CRA Regulatory Timeline
The Cyber Resilience Act (Regulation (EU) 2024/2847) entered into force on 10 December 2024, with a phased application schedule that shapes Hack23 AB's readiness milestones:
| π Application Date | π Obligation Taking Effect | π― Hack23 AB Readiness |
|---|---|---|
| 11 June 2026 | Provisions on notifying authorities & conformity assessment bodies | β Standard self-assessment route confirmed for all six products |
| 11 September 2026 | Reporting obligations for actively exploited vulnerabilities & severe incidents (to ENISA/CSIRT) | π Procedures prepared per π¨ Incident Response Plan β see Section 7 |
| 11 December 2027 | Full application β all essential requirements & CE marking obligations | π Self-assessment evidence maintained continuously via this process |
π Quick Use Instructions
Copy this entire template into CRA-ASSESSMENT.md in your project root. Replace all {{PLACEHOLDERS}}, remove unused badge options, tick checkboxes, and commit with project changes when security posture materially changes.
Evidence Integration: All evidence (SBOM, provenance, test reports) stored in GitHub release artifacts and repository documentation. Assessment references current project state and links to immutable evidence.
CRA Regulation Alignment: This template supports CRA Annex V technical documentation requirements and Annex I essential requirements for cybersecurity through systematic self-assessment.
π Reference Implementations
The following Hack23 AB projects demonstrate completed CRA assessments using this template:
| π Project | π¦ Product Type | π·οΈ CRA Classification | π Assessment Status | π Reference Link |
|---|---|---|---|---|
| π΅οΈ CIA (Citizen Intelligence Agency) | Political transparency platform | Standard (Non-commercial OSS) | β Complete | π CRA Assessment |
| β« Black Trigram | Korean martial arts game | Standard (Non-commercial OSS) | β Complete | π CRA Assessment |
| π‘οΈ CIA Compliance Manager | Compliance automation tool | Standard (Non-commercial OSS) | β Complete | π CRA Assessment |
| πͺπΊ European Parliament MCP Server | Political intelligence MCP server | Standard (Non-commercial OSS) | β Complete | π CRA Assessment |
| πͺπΊ EU Parliament Monitor | Automated news generation platform | Standard (Non-commercial OSS) | β Complete | π CRA Assessment |
| π³οΈ Riksdagsmonitor | Swedish parliament intelligence platform | Standard (Non-commercial OSS) | β Complete | π CRA Assessment |
π― Implementation Examples
π Common Template Usage Patterns:
- π Classification: Each reference shows different market categories and CIA classification levels
- π‘οΈ Security Controls: Demonstrates technical documentation across various product types
- π Evidence Links: Examples of GitHub release attestations and ISMS policy integration
- βοΈ Risk Assessment: Different risk profiles for transparency, security, and compliance tools
π Evidence Repository Structure: All reference implementations follow the standardized evidence pattern:
- π¦ GitHub Releases: SBOM, SLSA attestations, and provenance documentation
- π‘οΈ Security Policies: Direct links to ISMS framework policies and procedures
- π Compliance Badges: OpenSSF Scorecard, CII Best Practices, and FOSSA license compliance
- π¨ Vulnerability Disclosure: Standardized
SECURITY.mdand coordinated disclosure processes
π‘ Usage Tips:
- Start with Classification: Use reference implementations with similar CIA levels as templates
- Evidence Alignment: Follow the GitHub attestations pattern from existing assessments
- Risk Context: Adapt risk assessments based on similar product complexity
- ISMS Integration: Reference implementations show policy linkage patterns for different product types
1οΈβ£ Project Identification
Supports CRA Annex V Β§ 1 - Product Description Requirements
| Field | Value |
|---|---|
| π¦ Product | {{PROJECT_NAME}} |
| π·οΈ Version Tag | {{CURRENT_VERSION}} (reflects current project state) |
| π Repository | {{REPO_URL}} |
| π§ Security Contact | security@hack23.org |
| π― Purpose (1β2 lines) | {{INTENT}} |
| πͺ Market | Select one: |
πͺ Market Category (Select One):
π‘οΈ Confidentiality Level (Select One):
β Integrity Level (Select One):
β±οΈ Availability Level (Select One):
π Recovery Time Objective (Select One):
π Recovery Point Objective (Select One):
2οΈβ£ CRA Scope & Classification
Supports CRA Article 6 - Scope and Article 7 - Product Classification Assessment
π’ CRA Applicability (Select One):
π Distribution Method (Select One):
π CRA Classification (Select One):
π CRA Scope Justification: {{JUSTIFICATION}}
π Classification Impact:
- Standard: Self-assessment approach (this template supports documentation)
- Class I/II: Notified body assessment required + additional documentation
3οΈβ£ Technical Documentation
Supports CRA Annex V Β§ 2 - Technical Documentation Requirements
| ποΈ CRA Technical Area | π Implementation Summary | π Evidence Location |
|---|---|---|
| π¨ Product Architecture (Annex V Β§ 2.1) | High-level data & trust boundaries | Repository /docs/architecture/ or README |
| π¦ SBOM & Components (Annex I Β§ 1.1) | Complete dependency enumeration | GitHub Release includes signed SBOM |
| π Cybersecurity Controls (Annex I Β§ 1.2) | Authentication, authorization, encryption | π Access Control Policy + π Cryptography Policy |
| π‘οΈ Supply Chain Security (Annex I Β§ 1.3) | Signed builds + provenance attestation | GitHub Release includes attestations |
| π Update Mechanism (Annex I Β§ 1.4) | Secure software updates with rollback | π Change Management |
| π Security Monitoring (Annex I Β§ 1.5) | Logging, audit trails, incident detection | π¨ Incident Response Plan |
| π·οΈ Data Protection (Annex I Β§ 2.1) | Classification and protection controls | π·οΈ Data Classification Policy |
| π User Guidance (Annex I Β§ 2.2) | Security configuration documentation | Repository: USER_SECURITY_GUIDE.md |
| π Vulnerability Disclosure (Annex I Β§ 2.3) | Coordinated vulnerability disclosure | Repository: SECURITY.md + β οΈ Vulnerability Management |
π ISMS Policy Integration:
- ποΈ Architecture & Design: Implementation aligned with π Information Security Policy
- π¦ Asset Management: All components documented in π» Asset Register
- π Encryption Standards: Cryptographic requirements per π Cryptography Policy
- π Network Security: Infrastructure controls via π Network Security Policy
4οΈβ£ Risk Assessment
Supports CRA Annex V Β§ 3 - Risk Assessment Documentation
Reference: π Risk Assessment Methodology and β οΈ Risk Register
| π¨ CRA Risk Category | π― Asset | π Likelihood | π₯ Impact (C/I/A) | π‘οΈ CRA Control Implementation | βοΈ Residual | π Evidence |
|---|---|---|---|---|---|---|
| Supply Chain Attack (Art. 11) | Build pipeline | M | H/H/M | SBOM + SLSA provenance + dependency pinning | L | GitHub attestations |
| Unauthorized Access (Art. 11) | Authentication | M | H/H/H | MFA + secret scanning + short-lived tokens | L | Access control logs |
| Data Breach (Art. 11) | Data storage | L | H/H/H | Encryption + IAM + least privilege | L | KMS configuration |
| Component Vulnerability (Art. 11) | Dependencies | M | M/H/M | SCA scanning + patch management | L | Vulnerability reports |
| Service Disruption (Art. 11) | Public services | M | L/M/H | WAF + DDoS protection + scaling | M | Infrastructure config |
βοΈ CRA Risk Statement: {{LOW / MODERATE / HIGH}} - Assessment supports CRA essential cybersecurity requirements evaluation
β
Risk Acceptance: {{OWNER_NAME}} - {{DATE}}
π Risk Management Framework:
- π Methodology: Risk assessment per π Risk Assessment Methodology
- β οΈ Risk Tracking: All risks documented in β οΈ Risk Register
- π Business Impact: Continuity planning via π Business Continuity Plan
- π Recovery Planning: Technical recovery per π Disaster Recovery Plan
5οΈβ£ Essential Cybersecurity Requirements
Supports CRA Annex I - Essential Requirements Self-Assessment
| π CRA Annex I Requirement | β Status | π Implementation Evidence |
|---|---|---|
| π‘οΈ Β§ 1.1 - Secure by Design | [ ] | Minimal attack surface via SECURITY_ARCHITECTURE.md |
| π Β§ 1.2 - Secure by Default | [ ] | Hardened default configurations documented |
| π·οΈ Β§ 2.1 - Personal Data Protection | [ ] | GDPR compliance via π·οΈ Data Classification Policy |
| π Β§ 2.2 - Vulnerability Disclosure | [ ] | Public VDP via Repository SECURITY.md + β οΈ Vulnerability Management |
| π¦ Β§ 2.3 - Software Bill of Materials | [ ] | Automated SBOM generation: GitHub Release includes signed SBOM |
| π Β§ 2.4 - Secure Updates | [ ] | Signed updates: GitHub Release includes attestations |
| π Β§ 2.5 - Security Monitoring | [ ] | Comprehensive logging via π¨ Incident Response Plan |
| π Β§ 2.6 - Security Documentation | [ ] | User security guidance: USER_SECURITY_GUIDE.md |
π― CRA Self-Assessment Status: {{REQUIREMENTS_DOCUMENTED / IN_PROGRESS / EVIDENCE_GATHERED}}
π Standard Security Reporting Process:
Each project includes standardized security reporting via SECURITY.md following coordinated vulnerability disclosure:
- π§ Private Reporting: GitHub Security Advisories for confidential disclosure
- β±οΈ Response Timeline: 48h acknowledgment, 7d validation, 30d resolution
- π Recognition Program: Public acknowledgment unless anonymity requested
- π Continuous Support: Latest version maintained with security updates
- π Vulnerability Scope: Authentication bypass, injection attacks, remote code execution, data exposure
ISMS Integration: All vulnerability reports processed through β οΈ Vulnerability Management procedures
6οΈβ£ Conformity Assessment Evidence
Supports CRA Article 19 - Conformity Assessment Documentation
π Quality & Security Automation Status:
Reference: π οΈ Secure Development Policy
| π§ͺ Control | π― Requirement | β Implementation | π Evidence |
|---|---|---|---|
| π§ͺ Unit Testing | β₯80% line coverage, β₯70% branch | {{STATUS}} | Coverage reports + test plans |
| π E2E Testing | Critical user journeys validated | {{STATUS}} | E2E test reports + mochawesome |
| π SAST Scanning | Zero critical/high vulnerabilities | {{STATUS}} | Static analysis reports |
| π¦ SCA Scanning | Zero critical unresolved dependencies | {{STATUS}} | Dependency vulnerability reports |
| π Secret Scanning | Zero exposed secrets/credentials | {{STATUS}} | Secret scan validation |
| π·οΈ DAST Scanning | Zero exploitable high+ findings | {{STATUS}} | Dynamic application security testing |
| π¦ SBOM Generation | SPDX + CycloneDX per release | {{STATUS}} | Software bill of materials |
| π‘οΈ Provenance | SLSA Level 3 attestation | {{STATUS}} | Supply chain attestations |
| π Quality Gates | SonarCloud quality gate passing | {{STATUS}} | Code quality metrics |
ποΈ Security & Compliance Badges:
π Best Practices & Quality:
π Release Evidence:
GitHub Attestations: https://github.com/Hack23/{{REPO_NAME}}/attestations
π¦ Release Evidence Pattern (Following Hack23 Standard):
π― Release Assets Structure:
{{PROJECT_NAME}}-{{VERSION}}.zip # Main application bundle
{{PROJECT_NAME}}-{{VERSION}}.zip.intoto.jsonl # SLSA provenance attestation
{{PROJECT_NAME}}-{{VERSION}}.spdx.json # SPDX SBOM
{{PROJECT_NAME}}-{{VERSION}}.spdx.json.intoto.jsonl # SBOM attestation
π Release Notes Format:
# Highlights
## ποΈ Infrastructure & Performance
- build(deps): automated dependency updates via Dependabot
- ci: enhanced security scanning and compliance checks
- perf: performance optimizations and monitoring improvements
## π¦ Dependencies
- Complete list of dependency updates with version tracking
- Security vulnerability remediation
- License compliance verification
## π Security Compliance
[](https://github.com/Hack23/{{REPO_NAME}}/attestations/)
[](https://bestpractices.coreinfrastructure.org/projects/{{PROJECT_ID}})
[](https://scorecard.dev/viewer/?uri=github.com/Hack23/{{REPO_NAME}})
[](https://app.fossa.io/projects/git%2Bgithub.com%2FHack23%2F{{REPO_NAME}}?ref=badge_shield)
## Contributors
Thanks to @dependabot[bot] for automated security updates!
**Full Changelog**: https://github.com/Hack23/{{REPO_NAME}}/compare/{{PREV_VERSION}}...{{CURRENT_VERSION}}
π Evidence Validation Commands:
# Verify SBOM in GitHub release
gh release view --repo Hack23/{{REPO_NAME}} --json assets
# Check SLSA attestations
gh attestation list --repo Hack23/{{REPO_NAME}}
# Validate security scorecard
curl -s https://api.securityscorecards.dev/projects/github.com/Hack23/{{REPO_NAME}} | jq '.score'
# Verify FOSSA compliance
curl -s https://app.fossa.io/api/projects/git%2Bgithub.com%2FHack23%2F{{REPO_NAME}}/issues | jq '.issues | length'
7οΈβ£ Post-Market Surveillance
Supports CRA Article 23 - Obligations of Economic Operators
Reference: π ISMS Transparency Plan and π Security Metrics
| π‘ CRA Monitoring Obligation | π§ Implementation | β±οΈ Frequency | π― Action Trigger | π Evidence |
|---|---|---|---|---|
| π Vulnerability Monitoring (Art. 23.1) | CVE feeds + GitHub advisories | Continuous | Auto-create security issues | SCA reports |
| π¨ Incident Reporting (Art. 23.2) | Security event detection | Real-time | ENISA 24h notification prep | Monitoring dashboards |
| π Security Posture Tracking (Art. 23.3) | OpenSSF Scorecard monitoring | Weekly | Score decline investigation | Security metrics |
| π Update Distribution (Art. 23.4) | Automated security updates | As needed | Critical vulnerability patches | Release management |
π CRA Reporting Readiness: Documentation and procedures prepared for ENISA incident reporting per π¨ Incident Response Plan
π ISMS Monitoring Integration:
- π Continuous Monitoring: Security posture tracking per π Security Metrics
- π Transparency Framework: Public disclosure strategy via π ISMS Transparency Plan
- π€ Third-Party Monitoring: Supplier surveillance per π€ Third Party Management
- β Compliance Tracking: Regulatory adherence via β Compliance Checklist
- πΎ Data Protection: Backup and recovery per πΎ Backup Recovery Policy
π€ AI Agent-Driven CRA Compliance
Supports CRA Article 16 - Quality Management System through Automated Evidence Generation
π Automated Compliance Workflow
Hack23 AB's curated agent ecosystem (per π Information Security Strategy) monitors and validates CRA evidence generated by automated workflows:
%%{
init: {
'theme': 'base',
'themeVariables': {
'primaryColor': '#1565C0',
'primaryTextColor': '#fff',
'primaryBorderColor': '#0d47a1',
'lineColor': '#1565C0',
'secondaryColor': '#4CAF50',
'tertiaryColor': '#FF9800',
'background': '#ffffff',
'mainBkg': '#1565C0',
'secondBkg': '#4CAF50',
'tertiaryBkg': '#FF9800'
}
}
}%%
flowchart TD
BUILD["π¨ Build Process<br/>GitHub Actions Workflow"] --> SBOM_GEN["π¦ SBOM Generation<br/>Workflow: FOSSA + Dependency Graph"]
SBOM_GEN --> AGENT_REVIEW["π€ Task Agent<br/>SBOM Validation & Gap Detection"]
AGENT_REVIEW --> VULN_SCAN["π Vulnerability Scanning<br/>Workflow: Dependabot + GitHub Security"]
VULN_SCAN --> AGENT_TRIAGE["π€ Agent Triage<br/>CRA Disclosure Requirements"]
AGENT_TRIAGE --> SLSA["ποΈ SLSA Attestation<br/>Workflow: Automated Level 3"]
SLSA --> EVIDENCE["π GitHub Actions<br/>Evidence Package Consolidation"]
EVIDENCE --> CE{"β
CE Marking<br/>Ready?"}
CE -->|Yes| APPROVAL["π¨βπΌ CEO Final Approval"]
CE -->|No| GAP["π Compliance Gap<br/>Agent Issue Creation"]
GAP --> REMEDIATE["π· Specialist Agent<br/>Gap Remediation"]
REMEDIATE --> SBOM_GEN
APPROVAL --> PUBLISH["π CE Marking Published"]
style BUILD fill:#1565C0,color:#fff
style SBOM_GEN fill:#4CAF50,color:#fff
style AGENT_REVIEW fill:#FF9800,color:#fff
style VULN_SCAN fill:#4CAF50,color:#fff
style AGENT_TRIAGE fill:#FF9800,color:#fff
style SLSA fill:#1565C0,color:#fff
style EVIDENCE fill:#4CAF50,color:#fff
style CE fill:#FFC107,color:#000
style APPROVAL fill:#2E7D32,color:#fff
style GAP fill:#D32F2F,color:#fff
style REMEDIATE fill:#FF9800,color:#fff
style PUBLISH fill:#1565C0,color:#fff
π― Agent Responsibilities Matrix
| Agent Type | CRA Compliance Responsibilities | Escalation Criteria | Evidence Generation |
|---|---|---|---|
| π§ Curator-Agent | CRA tool configuration (FOSSA, SLSA) MCP server management Agent profile maintenance | Tool configuration changes require CEO approval | Agent configuration documentation |
| π Task Agents | Compliance gap identification SBOM validation (generated by workflows) Evidence collection automation Issue creation with ISMS mapping | Critical compliance violations: - Missing SBOM - Undisclosed vulnerabilities - Essential requirements gaps | Automated compliance issues Gap analysis reports |
| π· Security Specialist | Vulnerability remediation Security attestation generation SLSA provenance validation CRA security controls implementation | Breaking changes Architectural modifications Security control failures | Security scan reports Remediation tracking |
| π Documentation Specialist | CE marking documentation CRA disclosure updates Technical file maintenance Annex V documentation | Policy conflicts Regulatory interpretation needs Documentation completeness gaps | Technical documentation Compliance evidence packages |
| π¨βπΌ CEO (Human) | Final CE marking approval Regulatory sign-off Legal decisions Strategic compliance direction | All CE marking publications Regulatory submissions Material compliance decisions | Formal approvals Regulatory submissions |
π Automated Compliance Evidence Generation
GitHub Actions CRA Evidence Packages:
| Evidence Type | Automation Level | Generation Method | Agent Role |
|---|---|---|---|
| π¦ SBOM Generation | 100% Automated | Workflows: FOSSA + GitHub Dependency Graph | Task agent validation & gap detection |
| π Vulnerability Status | 100% Automated | Workflows: Dependabot + GitHub Security | Automated triage + specialist remediation |
| ποΈ Security Attestations | 100% Automated | Workflows: SLSA Level 3 build provenance | Automated signature verification |
| π CE Marking Documentation | 80% Automated | Compliance checklist with automated evidence links | Human review + CEO approval |
| π Public Disclosure | 90% Automated | Workflows: GitHub Security advisory generation | Coordinated disclosure review |
π Evidence Integration:
- Workflow Generation: GitHub Actions workflows generate SBOM, attestations, and vulnerability scans per π οΈ Secure Development Policy
- Agent Monitoring: Task agents continuously monitor workflow outputs for CRA compliance indicators
- Gap Detection: Agents automatically create issues for missing evidence or requirements
- Evidence Linking: GitHub Actions consolidates workflow-generated evidence into release packages
- Audit Trail: All workflow runs and agent actions logged in GitHub with immutable provenance
π Agent-Enhanced Conformity Assessment Workflow
Integration with Section 2-7 Assessment Process:
- π Section 2 (CRA Classification): Task agent validates classification based on product features
- ποΈ Section 3 (Technical Documentation): Documentation specialist maintains Annex V compliance
- β οΈ Section 4 (Risk Assessment): Security specialist updates risk register with CRA risks
- β Section 5 (Essential Requirements): Task agent tracks requirement completion status
- π Section 6 (Conformity Evidence): Automated badge and attestation generation
- π‘ Section 7 (Post-Market Surveillance): Continuous monitoring via agent ecosystem
Agent Escalation Workflow:
%%{
init: {
'theme': 'base',
'themeVariables': {
'primaryColor': '#1565C0',
'primaryTextColor': '#fff',
'lineColor': '#1565C0',
'secondaryColor': '#FF9800',
'tertiaryColor': '#D32F2F'
}
}
}%%
flowchart LR
DETECT["π Gap Detection<br/>Task Agent"] --> CLASSIFY{"π Severity?"}
CLASSIFY -->|Low-Medium| AUTO["π€ Automated Fix<br/>Specialist Agent"]
CLASSIFY -->|High| REVIEW["π¨βπΌ CEO Review<br/>Manual Decision"]
CLASSIFY -->|Critical| ESCALATE["π¨ Immediate Escalation<br/>CEO + Issue Creation"]
AUTO --> PR["π Pull Request<br/>Automated Evidence"]
REVIEW --> DECISION{"β
Approve?"}
DECISION -->|Yes| PR
DECISION -->|No| MANUAL["π· Manual Remediation"]
ESCALATE --> MANUAL
PR --> MERGE["β
Merge + Evidence Update"]
MANUAL --> MERGE
style DETECT fill:#1565C0,color:#fff
style CLASSIFY fill:#FFC107,color:#000
style AUTO fill:#4CAF50,color:#fff
style REVIEW fill:#FF9800,color:#fff
style ESCALATE fill:#D32F2F,color:#fff
style PR fill:#1565C0,color:#fff
style DECISION fill:#FFC107,color:#000
style MANUAL fill:#8D6E63,color:#fff
style MERGE fill:#2E7D32,color:#fff
πͺπΊ EU AI Act Integration
Supports EU AI Act (2024/1689) Transparency and Human Oversight Requirements
π AI System Transparency Requirements
Hack23 AB's AI agent ecosystem must comply with EU AI Act transparency obligations (per π€ AI Policy):
Minimal Risk AI Systems (GitHub Copilot, OpenAI):
| AI System | Risk Classification | Transparency Obligations | Human Oversight |
|---|---|---|---|
| π€ GitHub Copilot | Minimal Risk | AI-generated code clearly marked in commits | All code reviewed by CEO before merge |
| π¬ OpenAI GPT | Minimal Risk | AI-generated content documented in issues | Human validation of all outputs |
π Transparency Implementation:
- Clear Attribution: All AI-generated content includes agent attribution in commits/issues
- Audit Trail: Complete provenance chain for all agent actions via GitHub
- Documentation: AI usage documented in agent profiles (
.github/agents/*.md) - Version Control: All AI-generated changes subject to Git history and review
π€ Agent-Assisted CRA Compliance Framework
Human Oversight Framework (Aligned with EU AI Act Best Practices):
%%{
init: {
'theme': 'base',
'themeVariables': {
'primaryColor': '#1565C0',
'primaryTextColor': '#fff',
'lineColor': '#1565C0',
'secondaryColor': '#4CAF50',
'tertiaryColor': '#FF9800'
}
}
}%%
flowchart TD
AGENT["π€ AI Agent<br/>Compliance Analysis"] --> GENERATE["π Evidence Generation<br/>Automated Collection"]
GENERATE --> REVIEW["π¨βπΌ CEO Review<br/>Human Validation"]
REVIEW --> APPROVE{"β
Approve<br/>Evidence?"}
APPROVE -->|Yes| SIGN["βοΈ CEO Sign-off<br/>Compliance Attestation"]
APPROVE -->|No| CORRECT["π§ Correction<br/>Manual Adjustment"]
CORRECT --> GENERATE
SIGN --> PUBLISH["π CE Marking<br/>Public Declaration"]
style AGENT fill:#FF9800,color:#fff
style GENERATE fill:#1565C0,color:#fff
style REVIEW fill:#2E7D32,color:#fff
style APPROVE fill:#FFC107,color:#000
style SIGN fill:#2E7D32,color:#fff
style CORRECT fill:#D32F2F,color:#fff
style PUBLISH fill:#1565C0,color:#fff
π― Key Principles:
- π€ Agents Assist: AI generates evidence and identifies gaps, but does NOT make compliance decisions
- π¨βπΌ Human Decides: CEO maintains final authority for all CE marking and regulatory decisions
- β Validation Required: All agent recommendations subject to human validation before action
- π Explicit Approval: Compliance sign-off requires explicit CEO approval signature
π EU AI Act Compliance Evidence
Transparency Documentation:
| Requirement | Implementation | Evidence Location |
|---|---|---|
| AI System Documentation | Agent profiles and MCP configurations | .github/agents/*.md, .github/copilot-mcp.json |
| Human Oversight Procedures | CEO approval workflow for all PRs | GitHub PR review history |
| Risk Assessment | AI risk classification per AI Policy | π€ AI Policy Section 4 |
| Transparency Obligations | Clear AI attribution in all outputs | Git commit messages, issue descriptions |
| Accountability Framework | CEO ultimate responsibility documented | This policy + π Information Security Strategy |
π Cross-Reference: See π€ AI Policy for complete EU AI Act compliance framework including:
- Article 50: Transparency obligations for limited risk/general-purpose AI systems
- Article 14: Human oversight requirements (high-risk AI systems framework, applied as best practice)
- Article 53: AI system documentation and record-keeping
- Annex IV: Technical documentation requirements
8οΈβ£ EU Declaration of Conformity
Supports CRA Article 28 - EU Declaration of Conformity
π Complete when placing product on EU market
π’ Manufacturer: Hack23 AB, GΓΆteborg, Sweden
π¦ Product: {{PROJECT_NAME}} {{CURRENT_VERSION}}
π CRA Compliance: Self-assessment documentation supporting CRA essential cybersecurity requirements evaluation
π Assessment: {{Self-assessment documentation per Article 24 / Notified body per Article 25}}
π Standards: {{ETSI EN 303 645 / ISO/IEC 27001 / OWASP ASVS / NIST SSDF}}
π Date & Signature: {{CURRENT_DATE}} - {{RESPONSIBLE_PERSON}}, {{TITLE}}
π Technical Documentation: This assessment + evidence bundle supports CRA Annex V technical documentation requirements
9οΈβ£ Assessment Completion & Approval
Supports CRA Article 16 - Quality Management System Documentation
π CRA Self-Assessment Summary
Overall CRA Documentation Status: {{DOCUMENTATION_COMPLETE / IN_PROGRESS / INITIAL_DRAFT}}
Key CRA Documentation Areas:
- β Annex I essential requirements documented and assessed
- β Annex V technical documentation structured
- β Article 11 security measures documented
- β Article 23 post-market surveillance procedures documented
Outstanding Documentation:
{{CRA_GAP_ID}}: {{DESCRIPTION}} β Target: {{DATE}} (Owner: {{OWNER}})
β Formal Approval
| π€ Role | π Name | π Date | βοΈ Assessment Attestation |
|---|---|---|---|
| π CRA Security Assessment | {{CEO}} | {{DATE}} | Essential requirements documented and assessed |
| π― Product Responsibility | {{CEO}} | {{DATE}} | Technical documentation complete and structured |
| βοΈ Legal Compliance Review | {{CEO}} | {{DATE}} | EU regulatory documentation requirements addressed |
π CRA Assessment Status: {{SELF_ASSESSMENT_DOCUMENTED / IN_PROGRESS / DRAFT_STAGE}}
π¨ CRA Assessment Maintenance
π Update Triggers
Per CRA Article 15 - Substantial Modification
CRA assessment updated only when changes constitute "substantial modification" under CRA:
- ποΈ Security Architecture Changes: New authentication methods, trust boundaries, or encryption
- π‘οΈ Essential Requirement Impact: Changes affecting Annex I compliance
- π¦ Critical Dependencies: New supply chain components with security implications
- π Risk Profile Changes: New threats or vulnerability classes
- βοΈ Regulatory Updates: CRA implementing acts or guidance changes
π― Maintenance Principle: Assessment stability preferred - avoid routine updates that don't impact CRA compliance
π CRA Evidence Integration
## Current CRA Self-Assessment Evidence
**π·οΈ Product Version:** {{CURRENT_VERSION}}
**π¦ CRA Technical Documentation:** This assessment + [Latest Release](https://github.com/Hack23/{{REPO_NAME}}/releases/latest)
**π‘οΈ Security Attestations:** [GitHub Attestations](https://github.com/Hack23/{{REPO_NAME}}/attestations)
**π Assessment Status:** 
π Related Documents
π― Strategic & Governance
- π― Information Security Strategy - AI-first operations, Pentagon framework, and strategic CRA direction
- π Information Security Policy - Overall security governance framework with AI Agent Governance & Curated Automation
- π€ AI Policy - EU AI Act compliance and transparency obligations for AI systems
- β Compliance Checklist - Multi-framework regulatory compliance tracking
- π·οΈ Classification Framework - Data and asset classification methodology
- π Risk Assessment Methodology - Risk evaluation framework for CRA assessments
π Security Policies & Controls
- π οΈ Secure Development Policy - Security architecture and SDLC requirements for CRA compliance
- π Vulnerability Management - Security testing and remediation procedures
- π― Threat Modeling - STRIDE analysis and threat assessment methodology
- π Open Source Policy - OSS governance and SBOM requirements
π CRA Regulatory Alignment
π CRA Article Cross-References
- Article 6: Scope determination β Section 2 (CRA Classification)
- Article 11: Essential cybersecurity requirements β Section 5 (Requirements Assessment)
- Article 19: Conformity assessment β Section 6 (Evidence Documentation)
- Article 23: Post-market obligations β Section 7 (Surveillance Documentation)
- Article 28: Declaration of conformity β Section 8 (DoC Template)
- Annex I: Technical requirements β Section 5 (Requirements self-assessment mapping)
- Annex V: Technical documentation β Complete template structure
π ISMS Integration Benefits
- π Operational Continuity: CRA self-assessment integrated with existing security operations
- π Evidence Reuse: Security metrics and monitoring serve dual ISMS/CRA documentation purposes
- π― Business Value: CRA readiness demonstrates cybersecurity consulting expertise through systematic documentation
- π€ Client Confidence: Transparent self-assessment approach showcases professional implementation methodology
π Complete ISMS Policy Framework
π Core Security Governance
- π Information Security Policy β Overall security governance and business value framework
- π·οΈ Classification Framework β Data and asset classification methodology with business impact analysis
- π ISMS Transparency Plan β Public disclosure strategy and stakeholder communication
π‘οΈ Security Control Implementation
- π Cryptography Policy β Encryption standards, key management, and post-quantum readiness
- π Access Control Policy β Identity management, MFA requirements, and privilege management
- π Network Security Policy β Network segmentation, firewall rules, and perimeter security
- π·οΈ Data Classification Policy β Information handling, protection levels, and retention requirements
βοΈ Operational Excellence Framework
- π οΈ Secure Development Policy β SDLC security, testing requirements, and automation gates
- π Change Management β Controlled modification procedures and release management
- π Vulnerability Management β Security testing, coordinated disclosure, and remediation
- π€ Third Party Management β Supplier risk assessment and ongoing monitoring
- π Open Source Policy β OSS governance, license compliance, and contribution management
π¨ Incident Response & Recovery
- π¨ Incident Response Plan β Security event handling, communication, and forensics
- π Business Continuity Plan β Business resilience, recovery objectives, and continuity strategies
- π Disaster Recovery Plan β Technical recovery procedures and system restoration
- πΎ Backup Recovery Policy β Data protection, backup validation, and restore procedures
π Performance Management & Compliance
- π Security Metrics β KPI tracking, performance measurement, and continuous improvement
- π» Asset Register β Comprehensive asset inventory with risk classifications
- π Risk Register β Risk identification, assessment, treatment, and monitoring
- π Risk Assessment Methodology β Systematic risk evaluation framework
- β Compliance Checklist β Regulatory requirement tracking and attestation
π― Framework Benefits for CRA Compliance:
- π Process Maturity: Established ISMS demonstrates systematic security management capabilities
- π Evidence Repository: Comprehensive documentation supports CRA technical file requirements
- π‘οΈ Control Effectiveness: Implemented security measures provide concrete evidence of essential requirements
- π Continuous Improvement: Metrics and review cycles demonstrate ongoing security posture management
- π€ Stakeholder Confidence: Transparent practices showcase professional cybersecurity consulting expertise
π Document Control:
β
Approved by: James Pether SΓΆrling, CEO
π€ Distribution: Public
π·οΈ Classification:
π
Effective Date: 2026-06-28
β° Next Review: 2027-06-28
π― Framework Compliance: