CRA Compliance Kit for IoT Devices - EU Cyber Resilience Act compliance in one pip install
Project description
CRA Compliance Kit for IoT Devices
Meet EU Cyber Resilience Act (CRA) requirements in one pip install.
Key Deadlines
| Obligation | Date | Status |
|---|---|---|
| Vulnerability reporting (24h to ENISA) | September 11, 2026 | 94 days |
| Full CRA conformity assessment | December 11, 2027 | 18 months |
| Penalties for non-compliance | Up to EUR 15M or 2.5% of global turnover | Active |
What This Kit Provides
| Module | CRA Requirement | License |
|---|---|---|
DeviceIdentityService (identity.py) |
Device identity, access control — Art. 10(2-3) | MIT |
FirmwareHealthService (firmware.py) |
Vulnerability tracking, CVE matching — Art. 13(1-3) | MIT |
InputClassifier (input_guard.py) |
Secure by default input handling — Art. 10(1) | MIT |
PhysicalActionGuard (action_guard.py) |
Hard-blocked & confirm-required actions — Art. 10(3) | MIT |
CycloneDX SBOM Generator (sbom/generator.py) |
SBOM maintenance for ENISA — Art. 13(8) | MIT |
GuardianSubsystem (commercial) |
Central security health scoring | License req. |
BehaviouralBaselineService (commercial) |
Welford anomaly detection | License req. |
MemoryProvenance (commercial) |
HMAC-SHA256 tamper-evident audit chain | License req. |
CrossOracleSigner (commercial) |
Inter-service request signing & escalation | License req. |
Quickstart
pip install cra-compliance-kit
from cra_kit.identity import DeviceIdentityService, TrustTier
from cra_kit.firmware import FirmwareHealthService
from cra_kit.input_guard import InputClassifier
from cra_kit.action_guard import PhysicalActionGuard
# 1. Enrol devices with tiered trust
identity = DeviceIdentityService()
identity.enrol_device("sensor-01", "temperature_sensor", trust_tier=TrustTier.ENVIRONMENTAL)
# 2. Check firmware against CVE database
fw = FirmwareHealthService()
check = fw.check_device("sensor-01", "gateway", "1.5.3")
print(f"Vulnerable to {len(check.vulnerabilities_found)} CVEs")
# 3. Sanitize every input
classifier = InputClassifier()
safe, findings = classifier.is_safe(user_input)
# 4. Restrict dangerous actions
guard = PhysicalActionGuard()
result = guard.check_action("format_storage")
assert result["allowed"] == False # Hard blocked
# 5. Generate SBOM
python -m sbom.generator --product "MyIoTGateway" --version "2.1.0" --output sbom.xml
CRA Article Mapping
| Article | Requirement | How We Satisfy It |
|---|---|---|
| Article 10(1) | Secure by default configuration | InputClassifier blocks injection, sanitises inputs before processing |
| Article 10(2) | Device identity & authentication | DeviceIdentityService — 5-tier trust model with certificate-based enrollment |
| Article 10(3) | Access control mechanisms | PhysicalActionGuard — 10 hard-blocked + 11 confirm-required actions, time-aware |
| Article 13(1-3) | Vulnerability handling & remediation | FirmwareHealthService — CVE matching, semantic version gating, severity scoring |
| Article 13(8) | SBOM accessible to ENISA on request | CycloneDX 1.5 generator with automatic installed-package scanning |
Architecture Overview
Each module is self-contained with zero external dependencies (stdlib only).
Modules store state in SQLite at ~/.cra_kit/ for persistence.
User Input
|
v
InputClassifier ── detects 8 injection families (prompt, code, SQL, command, XSS, SSRF, traversal, format string)
|
v
DeviceIdentityService ── authenticates, checks trust tier (0-4)
|
v
PhysicalActionGuard ── blocks/confirms dangerous actions, time-gated at night
|
v
FirmwareHealthService ── matches version against CVE database
|
v
SBOM Generator (CycloneDX 1.5 XML)
Open-Core Licensing
| Package Type | Modules | License | Price |
|---|---|---|---|
| Open Source | identity.py, firmware.py, input_guard.py, action_guard.py, sbom/generator.py | MIT | Free |
| Professional (coming soon) | Guardian + Baselines + Provenance + Signing | Commercial | 1,500/yr |
| Enterprise (coming soon) | All pro + priority support + SLA | Commercial | 7,500/yr |
Requirements
- Python 3.9+
- SQLite (built into Python standard library)
- Zero external dependencies
Who Built This
StarTeQ Ltd — the team behind Starcaller, a privacy-first AI appliance with a 9.3/10 security trust score and 8-module security stack in production.
Contact: sydney@starcaller.uk Website: starcaller.uk/cra-compliance
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file cra_compliance_kit-1.0.4.tar.gz.
File metadata
- Download URL: cra_compliance_kit-1.0.4.tar.gz
- Upload date:
- Size: 13.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f7ad1f5100da7c87ce5c2da22ac2e7fb708e04fddac79c8aa4a2b596362c53e9
|
|
| MD5 |
6eeae5ee90759f6c8911d5477dbcb10c
|
|
| BLAKE2b-256 |
6a1ede591d66ff7edfa68b27a94a234cf4dcdea6908c2149d4f2a15ad2c8057c
|
File details
Details for the file cra_compliance_kit-1.0.4-py3-none-any.whl.
File metadata
- Download URL: cra_compliance_kit-1.0.4-py3-none-any.whl
- Upload date:
- Size: 16.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4cc12df44c141a010064d2be7ce9e71f355b42bea8c1b97669dd8b1721ce67a2
|
|
| MD5 |
88e65e35c03054678870064fcbaffc8e
|
|
| BLAKE2b-256 |
85f66061a98aaa0861f84a85675d316aecd6546d4d88252a6848e9611d4ada5c
|