Skip to main content

CRA Compliance Kit for IoT Devices - EU Cyber Resilience Act compliance in one pip install

Project description

CRA Compliance Kit for IoT Devices

Meet EU Cyber Resilience Act (CRA) requirements in one pip install.

PyPI version Python License: MIT


Key Deadlines

Obligation Date Status
Vulnerability reporting (24h to ENISA) September 11, 2026 94 days
Full CRA conformity assessment December 11, 2027 18 months
Penalties for non-compliance Up to EUR 15M or 2.5% of global turnover Active

What This Kit Provides

Module CRA Requirement License
DeviceIdentityService (identity.py) Device identity, access control — Art. 10(2-3) MIT
FirmwareHealthService (firmware.py) Vulnerability tracking, CVE matching — Art. 13(1-3) MIT
InputClassifier (input_guard.py) Secure by default input handling — Art. 10(1) MIT
PhysicalActionGuard (action_guard.py) Hard-blocked & confirm-required actions — Art. 10(3) MIT
CycloneDX SBOM Generator (sbom/generator.py) SBOM maintenance for ENISA — Art. 13(8) MIT
GuardianSubsystem (commercial) Central security health scoring License req.
BehaviouralBaselineService (commercial) Welford anomaly detection License req.
MemoryProvenance (commercial) HMAC-SHA256 tamper-evident audit chain License req.
CrossOracleSigner (commercial) Inter-service request signing & escalation License req.

Quickstart

pip install cra-compliance-kit
from cra_kit.identity import DeviceIdentityService, TrustTier
from cra_kit.firmware import FirmwareHealthService
from cra_kit.input_guard import InputClassifier
from cra_kit.action_guard import PhysicalActionGuard

# 1. Enrol devices with tiered trust
identity = DeviceIdentityService()
identity.enrol_device("sensor-01", "temperature_sensor", trust_tier=TrustTier.ENVIRONMENTAL)

# 2. Check firmware against CVE database
fw = FirmwareHealthService()
check = fw.check_device("sensor-01", "gateway", "1.5.3")
print(f"Vulnerable to {len(check.vulnerabilities_found)} CVEs")

# 3. Sanitize every input
classifier = InputClassifier()
safe, findings = classifier.is_safe(user_input)

# 4. Restrict dangerous actions
guard = PhysicalActionGuard()
result = guard.check_action("format_storage")
assert result["allowed"] == False  # Hard blocked

# 5. Generate SBOM
python -m sbom.generator --product "MyIoTGateway" --version "2.1.0" --output sbom.xml

CRA Article Mapping

Article Requirement How We Satisfy It
Article 10(1) Secure by default configuration InputClassifier blocks injection, sanitises inputs before processing
Article 10(2) Device identity & authentication DeviceIdentityService — 5-tier trust model with certificate-based enrollment
Article 10(3) Access control mechanisms PhysicalActionGuard — 10 hard-blocked + 11 confirm-required actions, time-aware
Article 13(1-3) Vulnerability handling & remediation FirmwareHealthService — CVE matching, semantic version gating, severity scoring
Article 13(8) SBOM accessible to ENISA on request CycloneDX 1.5 generator with automatic installed-package scanning

Architecture Overview

Each module is self-contained with zero external dependencies (stdlib only). Modules store state in SQLite at ~/.cra_kit/ for persistence.

User Input
    |
    v
InputClassifier  ── detects 8 injection families (prompt, code, SQL, command, XSS, SSRF, traversal, format string)
    |
    v
DeviceIdentityService  ── authenticates, checks trust tier (0-4)
    |
    v
PhysicalActionGuard  ── blocks/confirms dangerous actions, time-gated at night
    |
    v
FirmwareHealthService  ── matches version against CVE database
    |
    v
SBOM Generator (CycloneDX 1.5 XML)

Open-Core Licensing

Package Type Modules License Price
Open Source identity.py, firmware.py, input_guard.py, action_guard.py, sbom/generator.py MIT Free
Professional (coming soon) Guardian + Baselines + Provenance + Signing Commercial 1,500/yr
Enterprise (coming soon) All pro + priority support + SLA Commercial 7,500/yr

Requirements

  • Python 3.9+
  • SQLite (built into Python standard library)
  • Zero external dependencies

Who Built This

StarTeQ Ltd — the team behind Starcaller, a privacy-first AI appliance with a 9.3/10 security trust score and 8-module security stack in production.

Contact: sydney@starcaller.uk Website: starcaller.uk/cra-compliance

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cra_compliance_kit-1.0.2.tar.gz (12.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

cra_compliance_kit-1.0.2-py3-none-any.whl (13.3 kB view details)

Uploaded Python 3

File details

Details for the file cra_compliance_kit-1.0.2.tar.gz.

File metadata

  • Download URL: cra_compliance_kit-1.0.2.tar.gz
  • Upload date:
  • Size: 12.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.9

File hashes

Hashes for cra_compliance_kit-1.0.2.tar.gz
Algorithm Hash digest
SHA256 6c627aba7716cf33e5dd6ad035f725585007365be670f853060bae960b8cb142
MD5 e7b7d69de635011c4a6eb27de90f3624
BLAKE2b-256 c6a0bc6dbad53504a9c471e8edd50e1f0648472960d7ea99df0ae420a63fb3d4

See more details on using hashes here.

File details

Details for the file cra_compliance_kit-1.0.2-py3-none-any.whl.

File metadata

File hashes

Hashes for cra_compliance_kit-1.0.2-py3-none-any.whl
Algorithm Hash digest
SHA256 1cb02b88c73c1d26ca18261deea06ad30c245c26024117ee80be1b49b2a1d714
MD5 53fdec035cbc83453aa76d78a9ad1f43
BLAKE2b-256 99bd53cbb17d47fcaef1a5cb6821875b39239a8386ed3b50268ca3f655cbbabf

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page