CRA_Conformity_Assessment_Process.md

June 28, 2026 Β· View on GitHub

Hack23 Logo

πŸ›‘οΈ Hack23 AB β€” CRA Conformity Assessment Process

Evidence-Driven Conformity Through Systematic Assessment
Demonstrating CRA Compliance Excellence for Cybersecurity Consulting

Owner Version Effective Date Review Cycle Template Document

πŸ“‹ Document Owner: CEO | πŸ“„ Version: 1.5 | πŸ“… Last Updated: 2026-06-28 (UTC)
πŸ”„ Review Cycle: Annual | ⏰ Next Review: 2027-06-28


🎯 Purpose Statement

Hack23 AB's CRA conformity assessment process demonstrates how systematic regulatory compliance directly enables business growth rather than creating operational burden. Our comprehensive assessment framework serves as both operational tool and client demonstration of our cybersecurity consulting methodologies.

As a cybersecurity consulting company, our approach to CRA compliance becomes a showcase of professional implementation, demonstrating to potential clients how systematic regulatory adherence creates competitive advantages through robust security foundations while enabling EU market access.

Our commitment to transparency means our conformity assessment practices become a reference implementation, showing how comprehensive regulatory compliance enables business expansion while protecting organizational interests and maintaining stakeholder trust.

β€” James Pether SΓΆrling, CEO/Founder


πŸ” Purpose & Scope

This process provides a concise, repeatable CRA Conformity Assessment format (pre‑market & ongoing) for all six Hack23 AB products (CIA, Black Trigram, CIA Compliance Manager, European Parliament MCP Server, EU Parliament Monitor, Riksdagsmonitor). Aligns with CRA Annex I & V, Hack23 classification, secure development, and transparency policies.

Scope: All products within Asset Register requiring EU market placement.

πŸ“… CRA Regulatory Timeline

The Cyber Resilience Act (Regulation (EU) 2024/2847) entered into force on 10 December 2024, with a phased application schedule that shapes Hack23 AB's readiness milestones:

πŸ“† Application DateπŸ“‹ Obligation Taking Effect🎯 Hack23 AB Readiness
11 June 2026Provisions on notifying authorities & conformity assessment bodiesβœ… Standard self-assessment route confirmed for all six products
11 September 2026Reporting obligations for actively exploited vulnerabilities & severe incidents (to ENISA/CSIRT)πŸ”„ Procedures prepared per 🚨 Incident Response Plan β€” see Section 7
11 December 2027Full application β€” all essential requirements & CE marking obligationsπŸ”„ Self-assessment evidence maintained continuously via this process

πŸ“‹ Quick Use Instructions

Copy this entire template into CRA-ASSESSMENT.md in your project root. Replace all {{PLACEHOLDERS}}, remove unused badge options, tick checkboxes, and commit with project changes when security posture materially changes.

Evidence Integration: All evidence (SBOM, provenance, test reports) stored in GitHub release artifacts and repository documentation. Assessment references current project state and links to immutable evidence.

CRA Regulation Alignment: This template supports CRA Annex V technical documentation requirements and Annex I essential requirements for cybersecurity through systematic self-assessment.

πŸ“š Reference Implementations

The following Hack23 AB projects demonstrate completed CRA assessments using this template:

πŸš€ ProjectπŸ“¦ Product Type🏷️ CRA ClassificationπŸ“‹ Assessment StatusπŸ”— Reference Link
πŸ•΅οΈ CIA (Citizen Intelligence Agency)Political transparency platformStandard (Non-commercial OSS)βœ… CompleteπŸ“„ CRA Assessment
⚫ Black TrigramKorean martial arts gameStandard (Non-commercial OSS)βœ… CompleteπŸ“„ CRA Assessment
πŸ›‘οΈ CIA Compliance ManagerCompliance automation toolStandard (Non-commercial OSS)βœ… CompleteπŸ“„ CRA Assessment
πŸ‡ͺπŸ‡Ί European Parliament MCP ServerPolitical intelligence MCP serverStandard (Non-commercial OSS)βœ… CompleteπŸ“„ CRA Assessment
πŸ‡ͺπŸ‡Ί EU Parliament MonitorAutomated news generation platformStandard (Non-commercial OSS)βœ… CompleteπŸ“„ CRA Assessment
πŸ—³οΈ RiksdagsmonitorSwedish parliament intelligence platformStandard (Non-commercial OSS)βœ… CompleteπŸ“„ CRA Assessment

🎯 Implementation Examples

πŸ“ Common Template Usage Patterns:

  • πŸ” Classification: Each reference shows different market categories and CIA classification levels
  • πŸ›‘οΈ Security Controls: Demonstrates technical documentation across various product types
  • πŸ“Š Evidence Links: Examples of GitHub release attestations and ISMS policy integration
  • βš–οΈ Risk Assessment: Different risk profiles for transparency, security, and compliance tools

πŸ”— Evidence Repository Structure: All reference implementations follow the standardized evidence pattern:

  • πŸ“¦ GitHub Releases: SBOM, SLSA attestations, and provenance documentation
  • πŸ›‘οΈ Security Policies: Direct links to ISMS framework policies and procedures
  • πŸ“Š Compliance Badges: OpenSSF Scorecard, CII Best Practices, and FOSSA license compliance
  • 🚨 Vulnerability Disclosure: Standardized SECURITY.md and coordinated disclosure processes

πŸ’‘ Usage Tips:

  1. Start with Classification: Use reference implementations with similar CIA levels as templates
  2. Evidence Alignment: Follow the GitHub attestations pattern from existing assessments
  3. Risk Context: Adapt risk assessments based on similar product complexity
  4. ISMS Integration: Reference implementations show policy linkage patterns for different product types

1️⃣ Project Identification

Supports CRA Annex V Β§ 1 - Product Description Requirements

FieldValue
πŸ“¦ Product{{PROJECT_NAME}}
🏷️ Version Tag{{CURRENT_VERSION}} (reflects current project state)
πŸ”— Repository{{REPO_URL}}
πŸ“§ Security Contactsecurity@hack23.org
🎯 Purpose (1–2 lines){{INTENT}}
πŸͺ MarketSelect one:

πŸͺ Market Category (Select One):

OSS Commercial Internal

πŸ›‘οΈ Confidentiality Level (Select One):

Extreme Very High High Moderate Low Public

βœ… Integrity Level (Select One):

Critical High Moderate Low Minimal

⏱️ Availability Level (Select One):

Mission Critical High Moderate Standard Best Effort

πŸ• Recovery Time Objective (Select One):

Instant Critical High Medium Low Standard

πŸ”„ Recovery Point Objective (Select One):

Zero Loss Near Real-time Minimal Hourly Daily Extended


2️⃣ CRA Scope & Classification

Supports CRA Article 6 - Scope and Article 7 - Product Classification Assessment

🏒 CRA Applicability (Select One):

Non-commercial OSS Commercial

🌐 Distribution Method (Select One):

Community Commercial Internal

πŸ“‹ CRA Classification (Select One):

Standard Class I Class II

πŸ“ CRA Scope Justification: {{JUSTIFICATION}}

πŸ” Classification Impact:

  • Standard: Self-assessment approach (this template supports documentation)
  • Class I/II: Notified body assessment required + additional documentation

3️⃣ Technical Documentation

Supports CRA Annex V Β§ 2 - Technical Documentation Requirements

πŸ—οΈ CRA Technical AreaπŸ“ Implementation SummaryπŸ“‹ Evidence Location
🎨 Product Architecture (Annex V § 2.1)High-level data & trust boundariesRepository /docs/architecture/ or README
πŸ“¦ SBOM & Components (Annex I Β§ 1.1)Complete dependency enumerationGitHub Release includes signed SBOM
πŸ” Cybersecurity Controls (Annex I Β§ 1.2)Authentication, authorization, encryptionπŸ”‘ Access Control Policy + πŸ”’ Cryptography Policy
πŸ›‘οΈ Supply Chain Security (Annex I Β§ 1.3)Signed builds + provenance attestationGitHub Release includes attestations
πŸ”„ Update Mechanism (Annex I Β§ 1.4)Secure software updates with rollbackπŸ“ Change Management
πŸ“Š Security Monitoring (Annex I Β§ 1.5)Logging, audit trails, incident detection🚨 Incident Response Plan
🏷️ Data Protection (Annex I § 2.1)Classification and protection controls🏷️ Data Classification Policy
πŸ“š User Guidance (Annex I Β§ 2.2)Security configuration documentationRepository: USER_SECURITY_GUIDE.md
πŸ” Vulnerability Disclosure (Annex I Β§ 2.3)Coordinated vulnerability disclosureRepository: SECURITY.md + ⚠️ Vulnerability Management

πŸ“‹ ISMS Policy Integration:


4️⃣ Risk Assessment

Supports CRA Annex V Β§ 3 - Risk Assessment Documentation

Reference: πŸ“Š Risk Assessment Methodology and ⚠️ Risk Register

🚨 CRA Risk Category🎯 AssetπŸ“Š LikelihoodπŸ’₯ Impact (C/I/A)πŸ›‘οΈ CRA Control Implementationβš–οΈ ResidualπŸ“‹ Evidence
Supply Chain Attack (Art. 11)Build pipelineMH/H/MSBOM + SLSA provenance + dependency pinningLGitHub attestations
Unauthorized Access (Art. 11)AuthenticationMH/H/HMFA + secret scanning + short-lived tokensLAccess control logs
Data Breach (Art. 11)Data storageLH/H/HEncryption + IAM + least privilegeLKMS configuration
Component Vulnerability (Art. 11)DependenciesMM/H/MSCA scanning + patch managementLVulnerability reports
Service Disruption (Art. 11)Public servicesML/M/HWAF + DDoS protection + scalingMInfrastructure config

βš–οΈ CRA Risk Statement: {{LOW / MODERATE / HIGH}} - Assessment supports CRA essential cybersecurity requirements evaluation
βœ… Risk Acceptance: {{OWNER_NAME}} - {{DATE}}

πŸ“‹ Risk Management Framework:


5️⃣ Essential Cybersecurity Requirements

Supports CRA Annex I - Essential Requirements Self-Assessment

πŸ“‹ CRA Annex I Requirementβœ… StatusπŸ“‹ Implementation Evidence
πŸ›‘οΈ Β§ 1.1 - Secure by Design[ ]Minimal attack surface via SECURITY_ARCHITECTURE.md
πŸ”’ Β§ 1.2 - Secure by Default[ ]Hardened default configurations documented
🏷️ § 2.1 - Personal Data Protection[ ]GDPR compliance via 🏷️ Data Classification Policy
πŸ” Β§ 2.2 - Vulnerability Disclosure[ ]Public VDP via Repository SECURITY.md + ⚠️ Vulnerability Management
πŸ“¦ Β§ 2.3 - Software Bill of Materials[ ]Automated SBOM generation: GitHub Release includes signed SBOM
πŸ” Β§ 2.4 - Secure Updates[ ]Signed updates: GitHub Release includes attestations
πŸ“Š Β§ 2.5 - Security Monitoring[ ]Comprehensive logging via 🚨 Incident Response Plan
πŸ“š Β§ 2.6 - Security Documentation[ ]User security guidance: USER_SECURITY_GUIDE.md

🎯 CRA Self-Assessment Status: {{REQUIREMENTS_DOCUMENTED / IN_PROGRESS / EVIDENCE_GATHERED}}

πŸ” Standard Security Reporting Process: Each project includes standardized security reporting via SECURITY.md following coordinated vulnerability disclosure:

  • πŸ“§ Private Reporting: GitHub Security Advisories for confidential disclosure
  • ⏱️ Response Timeline: 48h acknowledgment, 7d validation, 30d resolution
  • πŸ† Recognition Program: Public acknowledgment unless anonymity requested
  • πŸ”„ Continuous Support: Latest version maintained with security updates
  • πŸ“‹ Vulnerability Scope: Authentication bypass, injection attacks, remote code execution, data exposure

ISMS Integration: All vulnerability reports processed through ⚠️ Vulnerability Management procedures


6️⃣ Conformity Assessment Evidence

Supports CRA Article 19 - Conformity Assessment Documentation

πŸ“Š Quality & Security Automation Status:

Reference: πŸ› οΈ Secure Development Policy

πŸ§ͺ Control🎯 Requirementβœ… ImplementationπŸ“‹ Evidence
πŸ§ͺ Unit Testingβ‰₯80% line coverage, β‰₯70% branch{{STATUS}}Coverage reports + test plans
🌐 E2E TestingCritical user journeys validated{{STATUS}}E2E test reports + mochawesome
πŸ” SAST ScanningZero critical/high vulnerabilities{{STATUS}}Static analysis reports
πŸ“¦ SCA ScanningZero critical unresolved dependencies{{STATUS}}Dependency vulnerability reports
πŸ”’ Secret ScanningZero exposed secrets/credentials{{STATUS}}Secret scan validation
πŸ•·οΈ DAST ScanningZero exploitable high+ findings{{STATUS}}Dynamic application security testing
πŸ“¦ SBOM GenerationSPDX + CycloneDX per release{{STATUS}}Software bill of materials
πŸ›‘οΈ ProvenanceSLSA Level 3 attestation{{STATUS}}Supply chain attestations
πŸ“Š Quality GatesSonarCloud quality gate passing{{STATUS}}Code quality metrics

πŸŽ–οΈ Security & Compliance Badges:

πŸ” Supply Chain Security: SLSA 3 OpenSSF Scorecard

πŸ† Best Practices & Quality: CII Best Practices Quality Gate Status

βš–οΈ License & Compliance: FOSSA Status

πŸ”— Release Evidence: GitHub Attestations: https://github.com/Hack23/{{REPO_NAME}}/attestations

πŸ“¦ Release Evidence Pattern (Following Hack23 Standard):

🎯 Release Assets Structure:

{{PROJECT_NAME}}-{{VERSION}}.zip               # Main application bundle
{{PROJECT_NAME}}-{{VERSION}}.zip.intoto.jsonl  # SLSA provenance attestation
{{PROJECT_NAME}}-{{VERSION}}.spdx.json         # SPDX SBOM
{{PROJECT_NAME}}-{{VERSION}}.spdx.json.intoto.jsonl  # SBOM attestation

πŸ“‹ Release Notes Format:

# Highlights

## πŸ—οΈ Infrastructure & Performance
- build(deps): automated dependency updates via Dependabot
- ci: enhanced security scanning and compliance checks
- perf: performance optimizations and monitoring improvements

## πŸ“¦ Dependencies  
- Complete list of dependency updates with version tracking
- Security vulnerability remediation
- License compliance verification

## πŸ”’ Security Compliance
[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://github.com/Hack23/{{REPO_NAME}}/attestations/)
[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/{{PROJECT_ID}}/badge)](https://bestpractices.coreinfrastructure.org/projects/{{PROJECT_ID}})
[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/Hack23/{{REPO_NAME}}/badge)](https://scorecard.dev/viewer/?uri=github.com/Hack23/{{REPO_NAME}})
[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2FHack23%2F{{REPO_NAME}}.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2FHack23%2F{{REPO_NAME}}?ref=badge_shield)

## Contributors
Thanks to @dependabot[bot] for automated security updates!

**Full Changelog**: https://github.com/Hack23/{{REPO_NAME}}/compare/{{PREV_VERSION}}...{{CURRENT_VERSION}}

πŸ” Evidence Validation Commands:

# Verify SBOM in GitHub release
gh release view --repo Hack23/{{REPO_NAME}} --json assets

# Check SLSA attestations
gh attestation list --repo Hack23/{{REPO_NAME}}

# Validate security scorecard
curl -s https://api.securityscorecards.dev/projects/github.com/Hack23/{{REPO_NAME}} | jq '.score'

# Verify FOSSA compliance
curl -s https://app.fossa.io/api/projects/git%2Bgithub.com%2FHack23%2F{{REPO_NAME}}/issues | jq '.issues | length'

7️⃣ Post-Market Surveillance

Supports CRA Article 23 - Obligations of Economic Operators

Reference: 🌐 ISMS Transparency Plan and πŸ“Š Security Metrics

πŸ“‘ CRA Monitoring ObligationπŸ”§ Implementation⏱️ Frequency🎯 Action TriggerπŸ“‹ Evidence
πŸ” Vulnerability Monitoring (Art. 23.1)CVE feeds + GitHub advisoriesContinuousAuto-create security issuesSCA reports
🚨 Incident Reporting (Art. 23.2)Security event detectionReal-timeENISA 24h notification prepMonitoring dashboards
πŸ“Š Security Posture Tracking (Art. 23.3)OpenSSF Scorecard monitoringWeeklyScore decline investigationSecurity metrics
πŸ”„ Update Distribution (Art. 23.4)Automated security updatesAs neededCritical vulnerability patchesRelease management

πŸ“‹ CRA Reporting Readiness: Documentation and procedures prepared for ENISA incident reporting per 🚨 Incident Response Plan

πŸ”— ISMS Monitoring Integration:


πŸ€– AI Agent-Driven CRA Compliance

Supports CRA Article 16 - Quality Management System through Automated Evidence Generation

πŸ“‹ Automated Compliance Workflow

Hack23 AB's curated agent ecosystem (per πŸ” Information Security Strategy) monitors and validates CRA evidence generated by automated workflows:

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#1565C0',
      'primaryTextColor': '#fff',
      'primaryBorderColor': '#0d47a1',
      'lineColor': '#1565C0',
      'secondaryColor': '#4CAF50',
      'tertiaryColor': '#FF9800',
      'background': '#ffffff',
      'mainBkg': '#1565C0',
      'secondBkg': '#4CAF50',
      'tertiaryBkg': '#FF9800'
    }
  }
}%%
flowchart TD
    BUILD["πŸ”¨ Build Process<br/>GitHub Actions Workflow"] --> SBOM_GEN["πŸ“¦ SBOM Generation<br/>Workflow: FOSSA + Dependency Graph"]
    SBOM_GEN --> AGENT_REVIEW["πŸ€– Task Agent<br/>SBOM Validation & Gap Detection"]
    
    AGENT_REVIEW --> VULN_SCAN["πŸ” Vulnerability Scanning<br/>Workflow: Dependabot + GitHub Security"]
    VULN_SCAN --> AGENT_TRIAGE["πŸ€– Agent Triage<br/>CRA Disclosure Requirements"]
    
    AGENT_TRIAGE --> SLSA["πŸŽ–οΈ SLSA Attestation<br/>Workflow: Automated Level 3"]
    SLSA --> EVIDENCE["πŸ“Š GitHub Actions<br/>Evidence Package Consolidation"]
    
    EVIDENCE --> CE{"βœ… CE Marking<br/>Ready?"}
    CE -->|Yes| APPROVAL["πŸ‘¨β€πŸ’Ό CEO Final Approval"]
    CE -->|No| GAP["πŸ“‹ Compliance Gap<br/>Agent Issue Creation"]
    
    GAP --> REMEDIATE["πŸ‘· Specialist Agent<br/>Gap Remediation"]
    REMEDIATE --> SBOM_GEN
    APPROVAL --> PUBLISH["🌐 CE Marking Published"]
    
    style BUILD fill:#1565C0,color:#fff
    style SBOM_GEN fill:#4CAF50,color:#fff
    style AGENT_REVIEW fill:#FF9800,color:#fff
    style VULN_SCAN fill:#4CAF50,color:#fff
    style AGENT_TRIAGE fill:#FF9800,color:#fff
    style SLSA fill:#1565C0,color:#fff
    style EVIDENCE fill:#4CAF50,color:#fff
    style CE fill:#FFC107,color:#000
    style APPROVAL fill:#2E7D32,color:#fff
    style GAP fill:#D32F2F,color:#fff
    style REMEDIATE fill:#FF9800,color:#fff
    style PUBLISH fill:#1565C0,color:#fff

🎯 Agent Responsibilities Matrix

Agent TypeCRA Compliance ResponsibilitiesEscalation CriteriaEvidence Generation
πŸ”§ Curator-AgentCRA tool configuration (FOSSA, SLSA)
MCP server management
Agent profile maintenance
Tool configuration changes require CEO approvalAgent configuration documentation
πŸ“‹ Task AgentsCompliance gap identification
SBOM validation (generated by workflows)
Evidence collection automation
Issue creation with ISMS mapping
Critical compliance violations:
- Missing SBOM
- Undisclosed vulnerabilities
- Essential requirements gaps
Automated compliance issues
Gap analysis reports
πŸ‘· Security SpecialistVulnerability remediation
Security attestation generation
SLSA provenance validation
CRA security controls implementation
Breaking changes
Architectural modifications
Security control failures
Security scan reports
Remediation tracking
πŸ“ Documentation SpecialistCE marking documentation
CRA disclosure updates
Technical file maintenance
Annex V documentation
Policy conflicts
Regulatory interpretation needs
Documentation completeness gaps
Technical documentation
Compliance evidence packages
πŸ‘¨β€πŸ’Ό CEO (Human)Final CE marking approval
Regulatory sign-off
Legal decisions
Strategic compliance direction
All CE marking publications
Regulatory submissions
Material compliance decisions
Formal approvals
Regulatory submissions

πŸ“Š Automated Compliance Evidence Generation

GitHub Actions CRA Evidence Packages:

Evidence TypeAutomation LevelGeneration MethodAgent Role
πŸ“¦ SBOM Generation100% AutomatedWorkflows: FOSSA + GitHub Dependency GraphTask agent validation & gap detection
πŸ” Vulnerability Status100% AutomatedWorkflows: Dependabot + GitHub SecurityAutomated triage + specialist remediation
πŸŽ–οΈ Security Attestations100% AutomatedWorkflows: SLSA Level 3 build provenanceAutomated signature verification
πŸ“‹ CE Marking Documentation80% AutomatedCompliance checklist with automated evidence linksHuman review + CEO approval
🌐 Public Disclosure90% AutomatedWorkflows: GitHub Security advisory generationCoordinated disclosure review

πŸ”— Evidence Integration:

  • Workflow Generation: GitHub Actions workflows generate SBOM, attestations, and vulnerability scans per πŸ› οΈ Secure Development Policy
  • Agent Monitoring: Task agents continuously monitor workflow outputs for CRA compliance indicators
  • Gap Detection: Agents automatically create issues for missing evidence or requirements
  • Evidence Linking: GitHub Actions consolidates workflow-generated evidence into release packages
  • Audit Trail: All workflow runs and agent actions logged in GitHub with immutable provenance

πŸ”„ Agent-Enhanced Conformity Assessment Workflow

Integration with Section 2-7 Assessment Process:

  1. πŸ“‹ Section 2 (CRA Classification): Task agent validates classification based on product features
  2. πŸ—οΈ Section 3 (Technical Documentation): Documentation specialist maintains Annex V compliance
  3. ⚠️ Section 4 (Risk Assessment): Security specialist updates risk register with CRA risks
  4. βœ… Section 5 (Essential Requirements): Task agent tracks requirement completion status
  5. πŸ“Š Section 6 (Conformity Evidence): Automated badge and attestation generation
  6. πŸ“‘ Section 7 (Post-Market Surveillance): Continuous monitoring via agent ecosystem

Agent Escalation Workflow:

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#1565C0',
      'primaryTextColor': '#fff',
      'lineColor': '#1565C0',
      'secondaryColor': '#FF9800',
      'tertiaryColor': '#D32F2F'
    }
  }
}%%
flowchart LR
    DETECT["πŸ” Gap Detection<br/>Task Agent"] --> CLASSIFY{"πŸ“Š Severity?"}
    CLASSIFY -->|Low-Medium| AUTO["πŸ€– Automated Fix<br/>Specialist Agent"]
    CLASSIFY -->|High| REVIEW["πŸ‘¨β€πŸ’Ό CEO Review<br/>Manual Decision"]
    CLASSIFY -->|Critical| ESCALATE["🚨 Immediate Escalation<br/>CEO + Issue Creation"]
    
    AUTO --> PR["πŸ“ Pull Request<br/>Automated Evidence"]
    REVIEW --> DECISION{"βœ… Approve?"}
    DECISION -->|Yes| PR
    DECISION -->|No| MANUAL["πŸ‘· Manual Remediation"]
    ESCALATE --> MANUAL
    
    PR --> MERGE["βœ… Merge + Evidence Update"]
    MANUAL --> MERGE
    
    style DETECT fill:#1565C0,color:#fff
    style CLASSIFY fill:#FFC107,color:#000
    style AUTO fill:#4CAF50,color:#fff
    style REVIEW fill:#FF9800,color:#fff
    style ESCALATE fill:#D32F2F,color:#fff
    style PR fill:#1565C0,color:#fff
    style DECISION fill:#FFC107,color:#000
    style MANUAL fill:#8D6E63,color:#fff
    style MERGE fill:#2E7D32,color:#fff

πŸ‡ͺπŸ‡Ί EU AI Act Integration

Supports EU AI Act (2024/1689) Transparency and Human Oversight Requirements

πŸ“‹ AI System Transparency Requirements

Hack23 AB's AI agent ecosystem must comply with EU AI Act transparency obligations (per πŸ€– AI Policy):

Minimal Risk AI Systems (GitHub Copilot, OpenAI):

AI SystemRisk ClassificationTransparency ObligationsHuman Oversight
πŸ€– GitHub CopilotMinimal RiskAI-generated code clearly marked in commitsAll code reviewed by CEO before merge
πŸ’¬ OpenAI GPTMinimal RiskAI-generated content documented in issuesHuman validation of all outputs

πŸ” Transparency Implementation:

  • Clear Attribution: All AI-generated content includes agent attribution in commits/issues
  • Audit Trail: Complete provenance chain for all agent actions via GitHub
  • Documentation: AI usage documented in agent profiles (.github/agents/*.md)
  • Version Control: All AI-generated changes subject to Git history and review

πŸ€– Agent-Assisted CRA Compliance Framework

Human Oversight Framework (Aligned with EU AI Act Best Practices):

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#1565C0',
      'primaryTextColor': '#fff',
      'lineColor': '#1565C0',
      'secondaryColor': '#4CAF50',
      'tertiaryColor': '#FF9800'
    }
  }
}%%
flowchart TD
    AGENT["πŸ€– AI Agent<br/>Compliance Analysis"] --> GENERATE["πŸ“‹ Evidence Generation<br/>Automated Collection"]
    GENERATE --> REVIEW["πŸ‘¨β€πŸ’Ό CEO Review<br/>Human Validation"]
    
    REVIEW --> APPROVE{"βœ… Approve<br/>Evidence?"}
    APPROVE -->|Yes| SIGN["✍️ CEO Sign-off<br/>Compliance Attestation"]
    APPROVE -->|No| CORRECT["πŸ”§ Correction<br/>Manual Adjustment"]
    
    CORRECT --> GENERATE
    SIGN --> PUBLISH["🌐 CE Marking<br/>Public Declaration"]
    
    style AGENT fill:#FF9800,color:#fff
    style GENERATE fill:#1565C0,color:#fff
    style REVIEW fill:#2E7D32,color:#fff
    style APPROVE fill:#FFC107,color:#000
    style SIGN fill:#2E7D32,color:#fff
    style CORRECT fill:#D32F2F,color:#fff
    style PUBLISH fill:#1565C0,color:#fff

🎯 Key Principles:

  • πŸ€– Agents Assist: AI generates evidence and identifies gaps, but does NOT make compliance decisions
  • πŸ‘¨β€πŸ’Ό Human Decides: CEO maintains final authority for all CE marking and regulatory decisions
  • βœ… Validation Required: All agent recommendations subject to human validation before action
  • πŸ“‹ Explicit Approval: Compliance sign-off requires explicit CEO approval signature

πŸ“Š EU AI Act Compliance Evidence

Transparency Documentation:

RequirementImplementationEvidence Location
AI System DocumentationAgent profiles and MCP configurations.github/agents/*.md, .github/copilot-mcp.json
Human Oversight ProceduresCEO approval workflow for all PRsGitHub PR review history
Risk AssessmentAI risk classification per AI PolicyπŸ€– AI Policy Section 4
Transparency ObligationsClear AI attribution in all outputsGit commit messages, issue descriptions
Accountability FrameworkCEO ultimate responsibility documentedThis policy + πŸ” Information Security Strategy

πŸ”— Cross-Reference: See πŸ€– AI Policy for complete EU AI Act compliance framework including:

  • Article 50: Transparency obligations for limited risk/general-purpose AI systems
  • Article 14: Human oversight requirements (high-risk AI systems framework, applied as best practice)
  • Article 53: AI system documentation and record-keeping
  • Annex IV: Technical documentation requirements

8️⃣ EU Declaration of Conformity

Supports CRA Article 28 - EU Declaration of Conformity

πŸ“ Complete when placing product on EU market

🏒 Manufacturer: Hack23 AB, Gâteborg, Sweden
πŸ“¦ Product: {{PROJECT_NAME}} {{CURRENT_VERSION}}
πŸ“‹ CRA Compliance: Self-assessment documentation supporting CRA essential cybersecurity requirements evaluation
πŸ” Assessment: {{Self-assessment documentation per Article 24 / Notified body per Article 25}}
πŸ“Š Standards: {{ETSI EN 303 645 / ISO/IEC 27001 / OWASP ASVS / NIST SSDF}}

πŸ“… Date & Signature: {{CURRENT_DATE}} - {{RESPONSIBLE_PERSON}}, {{TITLE}}

πŸ“‚ Technical Documentation: This assessment + evidence bundle supports CRA Annex V technical documentation requirements


9️⃣ Assessment Completion & Approval

Supports CRA Article 16 - Quality Management System Documentation

πŸ“Š CRA Self-Assessment Summary

Overall CRA Documentation Status: {{DOCUMENTATION_COMPLETE / IN_PROGRESS / INITIAL_DRAFT}}

Key CRA Documentation Areas:

  • βœ… Annex I essential requirements documented and assessed
  • βœ… Annex V technical documentation structured
  • βœ… Article 11 security measures documented
  • βœ… Article 23 post-market surveillance procedures documented

Outstanding Documentation:

{{CRA_GAP_ID}}: {{DESCRIPTION}} β†’ Target: {{DATE}} (Owner: {{OWNER}})

βœ… Formal Approval

πŸ‘€ RoleπŸ“ NameπŸ“… Date✍️ Assessment Attestation
πŸ”’ CRA Security Assessment{{CEO}}{{DATE}}Essential requirements documented and assessed
🎯 Product Responsibility{{CEO}}{{DATE}}Technical documentation complete and structured
βš–οΈ Legal Compliance Review{{CEO}}{{DATE}}EU regulatory documentation requirements addressed

πŸ“Š CRA Assessment Status: {{SELF_ASSESSMENT_DOCUMENTED / IN_PROGRESS / DRAFT_STAGE}}


🎨 CRA Assessment Maintenance

πŸ“‹ Update Triggers

Per CRA Article 15 - Substantial Modification

CRA assessment updated only when changes constitute "substantial modification" under CRA:

  1. πŸ—οΈ Security Architecture Changes: New authentication methods, trust boundaries, or encryption
  2. πŸ›‘οΈ Essential Requirement Impact: Changes affecting Annex I compliance
  3. πŸ“¦ Critical Dependencies: New supply chain components with security implications
  4. πŸ” Risk Profile Changes: New threats or vulnerability classes
  5. βš–οΈ Regulatory Updates: CRA implementing acts or guidance changes

🎯 Maintenance Principle: Assessment stability preferred - avoid routine updates that don't impact CRA compliance

πŸ”— CRA Evidence Integration

## Current CRA Self-Assessment Evidence

**🏷️ Product Version:** {{CURRENT_VERSION}}
**πŸ“¦ CRA Technical Documentation:** This assessment + [Latest Release](https://github.com/Hack23/{{REPO_NAME}}/releases/latest)
**πŸ›‘οΈ Security Attestations:** [GitHub Attestations](https://github.com/Hack23/{{REPO_NAME}}/attestations)
**πŸ“Š Assessment Status:** ![CRA Status](https://img.shields.io/badge/CRA_Self_Assessment-{{STATUS}}-{{COLOR}})

🎯 Strategic & Governance

πŸ” Security Policies & Controls


πŸ“š CRA Regulatory Alignment

πŸ” CRA Article Cross-References

  • Article 6: Scope determination β†’ Section 2 (CRA Classification)
  • Article 11: Essential cybersecurity requirements β†’ Section 5 (Requirements Assessment)
  • Article 19: Conformity assessment β†’ Section 6 (Evidence Documentation)
  • Article 23: Post-market obligations β†’ Section 7 (Surveillance Documentation)
  • Article 28: Declaration of conformity β†’ Section 8 (DoC Template)
  • Annex I: Technical requirements β†’ Section 5 (Requirements self-assessment mapping)
  • Annex V: Technical documentation β†’ Complete template structure

🌐 ISMS Integration Benefits

  • πŸ”„ Operational Continuity: CRA self-assessment integrated with existing security operations
  • πŸ“Š Evidence Reuse: Security metrics and monitoring serve dual ISMS/CRA documentation purposes
  • 🎯 Business Value: CRA readiness demonstrates cybersecurity consulting expertise through systematic documentation
  • 🀝 Client Confidence: Transparent self-assessment approach showcases professional implementation methodology

πŸ“‹ Complete ISMS Policy Framework

πŸ” Core Security Governance

πŸ›‘οΈ Security Control Implementation

βš™οΈ Operational Excellence Framework

🚨 Incident Response & Recovery

πŸ“Š Performance Management & Compliance

🎯 Framework Benefits for CRA Compliance:

  • πŸ”„ Process Maturity: Established ISMS demonstrates systematic security management capabilities
  • πŸ“‹ Evidence Repository: Comprehensive documentation supports CRA technical file requirements
  • πŸ›‘οΈ Control Effectiveness: Implemented security measures provide concrete evidence of essential requirements
  • πŸ“Š Continuous Improvement: Metrics and review cycles demonstrate ongoing security posture management
  • 🀝 Stakeholder Confidence: Transparent practices showcase professional cybersecurity consulting expertise


πŸ“‹ Document Control:
βœ… Approved by: James Pether SΓΆrling, CEO
πŸ“€ Distribution: Public
🏷️ Classification: Confidentiality: Public
πŸ“… Effective Date: 2026-06-28
⏰ Next Review: 2027-06-28
🎯 Framework Compliance: ISO 27001 NIST CSF 2.0 CIS Controls