Skip to main content

CRA Compliance Kit for IoT Devices - EU Cyber Resilience Act compliance in one pip install

Project description

CRA Compliance Kit for IoT Devices

Meet EU Cyber Resilience Act (CRA) requirements in one pip install.

PyPI version Python License: MIT


Key Deadlines

Obligation Date Status
Vulnerability reporting (24h to ENISA) September 11, 2026 94 days
Full CRA conformity assessment December 11, 2027 18 months
Penalties for non-compliance Up to EUR 15M or 2.5% of global turnover Active

What This Kit Provides

Module CRA Requirement License
DeviceIdentityService (identity.py) Device identity, access control — Art. 10(2-3) MIT
FirmwareHealthService (firmware.py) Vulnerability tracking, CVE matching — Art. 13(1-3) MIT
InputClassifier (input_guard.py) Secure by default input handling — Art. 10(1) MIT
PhysicalActionGuard (action_guard.py) Hard-blocked & confirm-required actions — Art. 10(3) MIT
CycloneDX SBOM Generator (sbom/generator.py) SBOM maintenance for ENISA — Art. 13(8) MIT
GuardianSubsystem (commercial) Central security health scoring License req.
BehaviouralBaselineService (commercial) Welford anomaly detection License req.
MemoryProvenance (commercial) HMAC-SHA256 tamper-evident audit chain License req.
CrossOracleSigner (commercial) Inter-service request signing & escalation License req.

Quickstart

pip install cra-compliance-kit
from cra_kit.identity import DeviceIdentityService, TrustTier
from cra_kit.firmware import FirmwareHealthService
from cra_kit.input_guard import InputClassifier
from cra_kit.action_guard import PhysicalActionGuard

# 1. Enrol devices with tiered trust
identity = DeviceIdentityService()
identity.enrol_device("sensor-01", "temperature_sensor", trust_tier=TrustTier.ENVIRONMENTAL)

# 2. Check firmware against CVE database
fw = FirmwareHealthService()
check = fw.check_device("sensor-01", "gateway", "1.5.3")
print(f"Vulnerable to {len(check.vulnerabilities_found)} CVEs")

# 3. Sanitize every input
classifier = InputClassifier()
safe, findings = classifier.is_safe(user_input)

# 4. Restrict dangerous actions
guard = PhysicalActionGuard()
result = guard.check_action("format_storage")
assert result["allowed"] == False  # Hard blocked

# 5. Generate SBOM
python -m sbom.generator --product "MyIoTGateway" --version "2.1.0" --output sbom.xml

CRA Article Mapping

Article Requirement How We Satisfy It
Article 10(1) Secure by default configuration InputClassifier blocks injection, sanitises inputs before processing
Article 10(2) Device identity & authentication DeviceIdentityService — 5-tier trust model with certificate-based enrollment
Article 10(3) Access control mechanisms PhysicalActionGuard — 10 hard-blocked + 11 confirm-required actions, time-aware
Article 13(1-3) Vulnerability handling & remediation FirmwareHealthService — CVE matching, semantic version gating, severity scoring
Article 13(8) SBOM accessible to ENISA on request CycloneDX 1.5 generator with automatic installed-package scanning

Architecture Overview

Each module is self-contained with zero external dependencies (stdlib only). Modules store state in SQLite at ~/.cra_kit/ for persistence.

User Input
    |
    v
InputClassifier  ── detects 8 injection families (prompt, code, SQL, command, XSS, SSRF, traversal, format string)
    |
    v
DeviceIdentityService  ── authenticates, checks trust tier (0-4)
    |
    v
PhysicalActionGuard  ── blocks/confirms dangerous actions, time-gated at night
    |
    v
FirmwareHealthService  ── matches version against CVE database
    |
    v
SBOM Generator (CycloneDX 1.5 XML)

Open-Core Licensing

Package Type Modules License Price
Open Source identity.py, firmware.py, input_guard.py, action_guard.py, sbom/generator.py MIT Free
Professional (coming soon) Guardian + Baselines + Provenance + Signing Commercial 1,500/yr
Enterprise (coming soon) All pro + priority support + SLA Commercial 7,500/yr

Requirements

  • Python 3.9+
  • SQLite (built into Python standard library)
  • Zero external dependencies

Who Built This

StarTeQ Ltd — the team behind Starcaller, a privacy-first AI appliance with a 9.3/10 security trust score and 8-module security stack in production.

Contact: sydney@starcaller.uk Website: starcaller.uk/cra-compliance

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cra_compliance_kit-1.0.1.tar.gz (12.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

cra_compliance_kit-1.0.1-py3-none-any.whl (13.2 kB view details)

Uploaded Python 3

File details

Details for the file cra_compliance_kit-1.0.1.tar.gz.

File metadata

  • Download URL: cra_compliance_kit-1.0.1.tar.gz
  • Upload date:
  • Size: 12.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.9

File hashes

Hashes for cra_compliance_kit-1.0.1.tar.gz
Algorithm Hash digest
SHA256 d717c9cf828e73b654b11d18f97baa930c54396fc5d58bb6178d7adf75195f8e
MD5 f49c67b0fd2192020cc45766f0f9a4e0
BLAKE2b-256 870daabd07211b6da873e453461c3a314902b0ad8e6b20702c7791a5f5a5afbb

See more details on using hashes here.

File details

Details for the file cra_compliance_kit-1.0.1-py3-none-any.whl.

File metadata

File hashes

Hashes for cra_compliance_kit-1.0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 fd7bbc700f6c425b82745c21659c782e835931c716025b0e8fcd1c26835d77ec
MD5 dad958ca0bca50b2c9dcb617ec51e6fd
BLAKE2b-256 7f740abf6142d6417891812080b3ebf6962f60a53e709713b71a5ee031b48589

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page