Skip to main content

CRA Compliance Kit for IoT Devices - EU Cyber Resilience Act compliance in one pip install

Project description

CRA Compliance Kit for IoT Devices

Meet EU Cyber Resilience Act (CRA) requirements in one pip install.

PyPI version Python License: MIT


Key Deadlines

Obligation Date Status
Vulnerability reporting (24h to ENISA) September 11, 2026 94 days
Full CRA conformity assessment December 11, 2027 18 months
Penalties for non-compliance Up to EUR 15M or 2.5% of global turnover Active

What This Kit Provides

Module CRA Requirement License
DeviceIdentityService (identity.py) Device identity, access control — Art. 10(2-3) MIT
FirmwareHealthService (firmware.py) Vulnerability tracking, CVE matching — Art. 13(1-3) MIT
InputClassifier (input_guard.py) Secure by default input handling — Art. 10(1) MIT
PhysicalActionGuard (action_guard.py) Hard-blocked & confirm-required actions — Art. 10(3) MIT
CycloneDX SBOM Generator (sbom/generator.py) SBOM maintenance for ENISA — Art. 13(8) MIT
GuardianSubsystem (commercial) Central security health scoring License req.
BehaviouralBaselineService (commercial) Welford anomaly detection License req.
MemoryProvenance (commercial) HMAC-SHA256 tamper-evident audit chain License req.
CrossOracleSigner (commercial) Inter-service request signing & escalation License req.

Quickstart

pip install cra-compliance-kit
from cra_kit.identity import DeviceIdentityService, TrustTier
from cra_kit.firmware import FirmwareHealthService
from cra_kit.input_guard import InputClassifier
from cra_kit.action_guard import PhysicalActionGuard

# 1. Enrol devices with tiered trust
identity = DeviceIdentityService()
identity.enrol_device("sensor-01", "temperature_sensor", trust_tier=TrustTier.ENVIRONMENTAL)

# 2. Check firmware against CVE database
fw = FirmwareHealthService()
check = fw.check_device("sensor-01", "gateway", "1.5.3")
print(f"Vulnerable to {len(check.vulnerabilities_found)} CVEs")

# 3. Sanitize every input
classifier = InputClassifier()
safe, findings = classifier.is_safe(user_input)

# 4. Restrict dangerous actions
guard = PhysicalActionGuard()
result = guard.check_action("format_storage")
assert result["allowed"] == False  # Hard blocked

# 5. Generate SBOM
python -m sbom.generator --product "MyIoTGateway" --version "2.1.0" --output sbom.xml

CRA Article Mapping

Article Requirement How We Satisfy It
Article 10(1) Secure by default configuration InputClassifier blocks injection, sanitises inputs before processing
Article 10(2) Device identity & authentication DeviceIdentityService — 5-tier trust model with certificate-based enrollment
Article 10(3) Access control mechanisms PhysicalActionGuard — 10 hard-blocked + 11 confirm-required actions, time-aware
Article 13(1-3) Vulnerability handling & remediation FirmwareHealthService — CVE matching, semantic version gating, severity scoring
Article 13(8) SBOM accessible to ENISA on request CycloneDX 1.5 generator with automatic installed-package scanning

Architecture Overview

Each module is self-contained with zero external dependencies (stdlib only). Modules store state in SQLite at ~/.cra_kit/ for persistence.

User Input
    |
    v
InputClassifier  ── detects 8 injection families (prompt, code, SQL, command, XSS, SSRF, traversal, format string)
    |
    v
DeviceIdentityService  ── authenticates, checks trust tier (0-4)
    |
    v
PhysicalActionGuard  ── blocks/confirms dangerous actions, time-gated at night
    |
    v
FirmwareHealthService  ── matches version against CVE database
    |
    v
SBOM Generator (CycloneDX 1.5 XML)

Open-Core Licensing

Package Type Modules License Price
Open Source identity.py, firmware.py, input_guard.py, action_guard.py, sbom/generator.py MIT Free
Professional (coming soon) Guardian + Baselines + Provenance + Signing Commercial 1,500/yr
Enterprise (coming soon) All pro + priority support + SLA Commercial 7,500/yr

Requirements

  • Python 3.9+
  • SQLite (built into Python standard library)
  • Zero external dependencies

Who Built This

StarTeQ Ltd — the team behind Starcaller, a privacy-first AI appliance with a 9.3/10 security trust score and 8-module security stack in production.

Contact: sydney@starcaller.uk Website: starcaller.uk/cra-compliance

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cra_compliance_kit-1.0.4.tar.gz (13.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

cra_compliance_kit-1.0.4-py3-none-any.whl (16.1 kB view details)

Uploaded Python 3

File details

Details for the file cra_compliance_kit-1.0.4.tar.gz.

File metadata

  • Download URL: cra_compliance_kit-1.0.4.tar.gz
  • Upload date:
  • Size: 13.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.9

File hashes

Hashes for cra_compliance_kit-1.0.4.tar.gz
Algorithm Hash digest
SHA256 f7ad1f5100da7c87ce5c2da22ac2e7fb708e04fddac79c8aa4a2b596362c53e9
MD5 6eeae5ee90759f6c8911d5477dbcb10c
BLAKE2b-256 6a1ede591d66ff7edfa68b27a94a234cf4dcdea6908c2149d4f2a15ad2c8057c

See more details on using hashes here.

File details

Details for the file cra_compliance_kit-1.0.4-py3-none-any.whl.

File metadata

File hashes

Hashes for cra_compliance_kit-1.0.4-py3-none-any.whl
Algorithm Hash digest
SHA256 4cc12df44c141a010064d2be7ce9e71f355b42bea8c1b97669dd8b1721ce67a2
MD5 88e65e35c03054678870064fcbaffc8e
BLAKE2b-256 85f66061a98aaa0861f84a85675d316aecd6546d4d88252a6848e9611d4ada5c

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page