doc: security: standards: add EU Cyber Resilience Act (CRA) FAQ

kartben · kartben · commit 5eea187d201c · 2025-11-22T23:29:27.000+01:00
Add comprehensive FAQ documentation explaining how the EU Cyber Resilience Act relates to both manufacturers using Zephyr in commercial products and to the Zephyr Project as an open-source software steward. Fixes #83964 Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
diff --git a/doc/security/security-citations.rst b/doc/security/security-citations.rst
@@ -47,3 +47,8 @@ Security Document Citations
 
 .. [CIIBPB] Core Infrastructure Initiative Best Practices Badge. [Online].
    Available: https://github.com/linuxfoundation/cii-best-practices-badge
+
+.. [CRA24] Regulation (EU) 2024/2847 of the European Parliament and of the Council
+   of 23 October 2024 on horizontal cybersecurity requirements for products with
+   digital elements (Cyber Resilience Act). [Online].
+   Available: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847
diff --git a/doc/security/standards/cyber-resilience-act.rst b/doc/security/standards/cyber-resilience-act.rst
@@ -0,0 +1,354 @@
+.. _cra_faq:
+
+EU Cyber Resilience Act (CRA)
+#############################
+
+.. warning::
+   This document is for informational purposes only and does not constitute legal advice.
+   Consult with competent legal counsel for compliance guidance specific to your situation.
+
+Overview
+********
+
+The Cyber Resilience Act ([CRA24]_) is an EU regulation that establishes cybersecurity requirements for
+products with digital elements (PDEs) placed on the EU market.
+It entered into force on December 10, 2024.
+
+.. admonition:: Key Dates
+   :class: important
+
+   * **June 11, 2026**: Assessment bodies operational
+   * **September 11, 2026**: Manufacturers must report vulnerabilities and incidents
+   * **December 11, 2027**: Full regulation applies
+
+This FAQ explains how the Cyber Resilience Act relates both to manufacturers using Zephyr in
+commercial products and to the Zephyr Project itself in its role as an open-source software steward.
+
+For Manufacturers Using Zephyr
+******************************
+
+Does the CRA apply to my product?
+=================================
+
+The CRA applies if you place a product with digital elements (PDE) on the EU market for commercial
+purposes. This includes hardware devices with embedded software, and standalone software products.
+
+Which category does my product belong to?
+=========================================
+
+The CRA classifies products into categories based on risk: **Important Products** (`Annex III`_) and
+**Critical Products** (`Annex IV`_). Products not listed in either category are considered
+**Default** products and have lower requirements.
+
+For example, default products can typically rely on self-assessment (see :ref:`compliance_path`)
+with fewer documentation and assurance requirements.
+
+.. list-table::
+   :header-rows: 1
+   :widths: 15 25 60
+
+   * - Category
+     - Short description
+     - Example Zephyr Use Cases
+   * - Default
+     - Products with digital elements that are not listed as "important" or "critical".
+     - - Wi-Fi smart bulb or switch (e.g., running Matter over Thread/Wi-Fi).
+       - Wearable activity tracker or smartwatch for personal wellness.
+       - Bluetooth LE audio accessory or wireless sensor tag.
+   * - Important (Class I)
+     - Higher-risk products, often consumer-facing, performing security- or access-relevant
+       functions.
+     - - Smart door lock or access control reader for residential use.
+       - Smart home hub or router managing network traffic.
+       - Connected alarm system or security sensor.
+   * - Important (Class II)
+     - Higher-risk products used in enterprise/industrial/infra contexts or with privileged network
+       roles.
+     - - Industrial Programmable Logic Controller (PLC) or robot controller.
+       - Micro-controllers with Secure Enclave/TEEs used for device identity.
+       - Industrial IoT gateway performing edge processing.
+   * - Critical
+     - Products whose compromise could severely impact critical infrastructure or essential
+       services.
+     - - Smart electricity meter or water meter with remote shut-off.
+       - Hardware Security Module (HSM) or smartcard firmware.
+       - Safety-critical sensors used in energy or transport grids.
+
+.. admonition:: Core Functionality vs. Integration
+   :class: important
+
+   Classification is determined by the **core functionality** of the final product, not by the
+   individual components it integrates (`Article 7`_).
+
+   * If you build a network firewall using Zephyr, the core function is security, making the
+     product an Important Product (Class II).
+   * If you build a coffee machine using Zephyr, and you utilize Zephyr's networking stack features
+     protect the device, the core function remains making coffee. This is a "default" product.
+
+   In a nutshell, using security-critical Zephyr features (like cryptography or secure boot) in a
+   device does **not** elevate that device to a higher risk class.
+
+For detailed classification, see `Annex III`_  and `Annex IV`_.
+
+.. _compliance_path:
+
+Which compliance path must I choose?
+====================================
+
+The CRA defines different conformity assessment procedures based on your product category.
+You must choose the path that corresponds to your classification and reliance on harmonized
+standards.
+
+.. list-table:: CRA Product Categories & Assessment Routes
+  :widths: 20 55 25
+  :header-rows: 1
+
+  * - Category
+    - Conformity Assessment Procedure
+    - Third-Party Audit?
+  * - Default
+    - Module A (Internal Control). Self-assessment by the manufacturer.
+    - No
+  * - Important Class I
+    - Module A **ONLY IF** harmonized standards are fully applied. Otherwise: Module B + Module C,
+      or Module H.
+    - Yes, if standards not fully used
+  * - Important Class II
+    - Module B + Module C, or Module H. (Self-assessment is **NOT** allowed).
+    - Yes (Mandatory)
+  * - Critical
+    - **European Cybersecurity Certification** (e.g., EUCC) or Module B + Module C + Module H
+      (pending delegate acts).
+    - Yes (Mandatory)
+
+The "Modules" refer to specific assessment procedures defined in `Decision No 768/2008/EC`_
+("New legislative framework") and adapted by the CRA in `Annex VIII`_:
+
+* `Module A`_ (Internal production control): You create the technical documentation, perform the
+  risk assessment, and declare conformity yourself. No external auditor is required.
+* `Module B`_ (EC-type examination) + `Module C`_ (Conformity to type): A Notified Body [#nb]_
+  examines the technical design (Module B) and issues a certificate. You then ensure production
+  conforms to that type (Module C).
+* `Module H`_ (Full Quality Assurance): A Notified Body [#nb]_ audits your Quality Management System
+  (QMS) governing design, production, and testing.
+
+.. [#nb]  Notified Bodies will become operational by **June 11, 2026**.
+
+What are my main obligations as a manufacturer?
+===============================================
+
+Regardless of a product's classification, the following core obligations apply to all manufacturers
+of products with digital elements.
+
+**Risk assessment**
+  Assess and document cybersecurity risks throughout the product lifecycle.
+
+**Due diligence**
+  Exercise due diligence when integrating third-party components (including open-source software
+  like Zephyr).
+
+**Vulnerability handling**
+  Handle vulnerabilities for at least 5 years (support period), including receiving reports and
+  applying updates.
+
+**Incident reporting**
+  Report actively exploited vulnerabilities and severe incidents to the relevant CSIRT and ENISA.
+
+**Technical documentation**
+  Create documentation per `Article 31`_ and `Annex VII`_.
+
+**Conformity assessment**
+  Assess conformity per `Article 32`_ and `Annex VIII`_.
+
+**CE marking**
+  Affix CE mark and draw up EU declaration of conformity.
+
+What are the penalties for non-compliance?
+==========================================
+
+* Up to **EUR 15,000,000 or 2.5%** of worldwide annual turnover (`Article 13`_ & `Article 14`_
+  violations).
+* Up to **EUR 10,000,000 or 2%** of turnover (violations of other obligations).
+
+What Zephyr features help with CRA compliance?
+==============================================
+
+Zephyr provides several features to support manufacturers in meeting these obligations.
+
+Software Bill of Materials (SBOM)
+  Automatically generate SPDX-compliant (inc. ISO/IEC 5962:2021) SBOMs during build.
+  See :ref:`west-spdx` for details.
+
+Secure boot and updates
+  * :ref:`ota` support.
+
+:ref:`cryptography`
+  * Hardware-backed crypto APIs.
+  * :ref:`psa_crypto` support.
+  * :ref:`Trusted Firmware <tfm>` integration for attestation and secret management.
+
+:ref:`Long-Term Support (LTS) <release_process_lts>` with 5-year support period.
+
+:ref:`Vulnerability tracking <reporting>`
+  * `Vulnerability Alert Registry <https://zephyrproject.org/vulnerability-alert-registry/>`_.
+  * Receive early notifications during Zephyr's 90-day embargo window.
+  * CVEs tracked at `CVE Details <https://www.cvedetails.com/vendor/19255/Zephyrproject.html>`_.
+
+Quality assurance
+  * Continuous integration.
+  * Coding guidelines
+  * Static code analysis
+  * Automated code quality checks on every pull request.
+  * OpenSSF Best Practices Gold Badge.
+
+How do I handle Zephyr vulnerabilities?
+=======================================
+
+1. **Register**: Sign up for Zephyr's `Vulnerability Alert Registry`_.
+2. **Monitor**: Receive notifications when vulnerabilities are discovered.
+3. **Assess**: Evaluate impact on your product (consider your configuration/Kconfig).
+4. **Update**: Apply fixes from LTS branches.
+5. **Report**: If the vulnerability affects your product and is actively exploited, report per
+   `Article 14`_ timelines.
+
+**Zephyr's vulnerability handling timeline:**
+
+* **7 days**: PSIRT feedback to reporter.
+* **14 days**: Manufacturers notified via alert registry.
+* **30 days**: Fix available from Zephyr project.
+* **60 days**: Additional time for manufacturers before public disclosure.
+
+What are the deadlines for reporting vulnerabilities?
+=====================================================
+
+If you detect an actively exploited vulnerability or a severe incident, you must report it according
+to strict timelines:
+
+* **24 hours**: Early warning notification to CSIRT/ENISA.
+* **72 hours**: Vulnerability notification with general information.
+* **14 days**: Final report after corrective measures are available.
+
+Must I report vulnerabilities I find in Zephyr?
+===============================================
+
+**Yes**, under `Article 13(6)`_, if you discover a vulnerability in a component (including Zephyr),
+you **must** report it to the entity maintaining it. See :ref:`reporting`.
+
+Additionally, consider voluntary reporting to CSIRT or ENISA per `Article 15`_.
+
+For Zephyr as an Open Source Steward
+************************************
+
+What is Zephyr's role under the CRA?
+====================================
+
+Zephyr is an **"open-source software steward"** under `Article 3`_ (14): a legal person that
+systematically provides sustained support for developing PDEs intended for commercial activities.
+
+Zephyr's obligations under Article 24:
+
+**Cybersecurity policy**
+  Document security policies and vulnerability handling.
+
+**Cooperation**
+  Work with market surveillance authorities to mitigate risks.
+
+**Incident reporting**
+  Report actively exploited vulnerabilities and severe incidents affecting Zephyr's infrastructure
+  (to the extent Zephyr is involved).
+
+Does the CRA apply to Zephyr contributors?
+==========================================
+
+**No.** The CRA does not apply to individual contributors to Zephyr (`Recital 18`_).
+
+Contributors developing features or fixing bugs are not subject to CRA obligations.
+
+How is Zephyr meeting its steward obligations?
+==============================================
+
+`Article 24(1)`_: Security policy (Complete)
+  * Documented at :ref:`security-overview`
+  * Vulnerability reporting process: :ref:`reporting`
+  * Secure coding guidelines: :ref:`secure code`
+
+`Article 24(2)`_: Cooperation with authorities (In Progress)
+  * Registered CVE Numbering Authority (CNA) since 2017
+  * Active Zephyr Project Security Incident Response Team (PSIRT)
+  * **In Progress**: Identifying CSIRT coordinator for EU
+
+`Article 14(1)`_ & `Article 14(3)`_: Incident reporting (In Progress)
+  * **In Progress**: Determining if NVD processes work for CSIRT/ENISA reporting
+  * Plan to align with EU reporting requirements
+
+`Article 14(8)`_: User notification (Complete)
+  * Vulnerability Alert Registry for manufacturers and integrators
+  * CVE publication and security advisories
+
+`Article 52(3)`_: Corrective actions (Complete)
+  * Established processes in place with CVE authorities
+  * Timely response through PSIRT
+
+External Resources
+******************
+
+Official CRA documentation
+==========================
+
+* `EU CRA Regulation 2024/2847
+  <https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847>`_
+* `ENISA CRA Requirements-Standards Mapping
+  <https://www.enisa.europa.eu/publications/cyber-resilience-act-requirements-standards-mapping>`_
+
+Educational resources
+=====================
+
+* `Linux Foundation: Understanding the EU CRA
+  <https://training.linuxfoundation.org/express-learning/understanding-the-eu-cyber-resilience-act-cra-lfel1001>`_
+* `Linux Foundation CRA Readiness Report <https://www.linuxfoundation.org/research/cra-readiness>`_
+* `Linux Foundation CRA Compliance Best Practices
+  <https://www.linuxfoundation.org/research/cra-compliance-best-practices>`_
+* `OpenSSF CRA Guidance <https://openssf.org/cra/>`_
+
+Zephyr-specific resources
+=========================
+
+* :ref:`security-overview`
+* :ref:`reporting`
+* `Vulnerability Alert Registry <https://zephyrproject.org/vulnerability-alert-registry/>`_
+* :ref:`Zephyr Vulnerabilities <vulnerabilities>`
+
+..
+
+.. _`Decision No 768/2008/EC`: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32008D0768
+.. _`Module A`: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32008D0768#d1e41-98-1
+.. _`Module B`: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32008D0768#d1e288-98-1
+.. _`Module C`: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32008D0768#d1e439-98-1
+.. _`Module H`: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32008D0768#d1e1719-98-1
+
+.. _`CRA Requirements-Standards Mapping`: https://www.enisa.europa.eu/publications/cyber-resilience-act-requirements-standards-mapping
+
+.. _`Recital 18`: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_18
+
+.. _`Article 3`: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_3
+.. _`Article 7`: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_7
+.. _`Article 13`: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_13
+.. _`Article 13(6)`: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#013.006
+.. _`Article 13(14)`: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#013.014
+.. _`Article 14`: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_14
+.. _`Article 14(1)`: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#014.001
+.. _`Article 14(3)`: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#014.003
+.. _`Article 14(8)`: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#014.008
+.. _`Article 15`: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_15
+.. _`Article 24(1)`: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#024.001
+.. _`Article 24(2)`: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#024.002
+.. _`Article 31`: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_31
+.. _`Article 32`: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_32
+.. _`Article 52(3)`: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#052.003
+
+.. _`Annex III`: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_III
+.. _`Annex IV`: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_IV
+.. _`Annex VII`: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_VII
+.. _`Annex VIII`: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_VIII
+
+.. _`Vulnerability Alert Registry`: https://zephyrproject.org/vulnerability-alert-registry/
diff --git a/doc/security/standards/index.rst b/doc/security/standards/index.rst
@@ -15,4 +15,5 @@ needed to build certifiable, compliant products using Zephyr.
 .. toctree::
    :maxdepth: 1
 
+   cyber-resilience-act.rst
    etsi-303645.rst
