Skip to main content

CRA Compliance Kit for IoT Devices - EU Cyber Resilience Act compliance in one pip install

Project description

CRA Compliance Kit for IoT Devices

Meet EU Cyber Resilience Act (CRA) requirements in one pip install.

PyPI version Python License: MIT


Key Deadlines

Obligation Date Status
Vulnerability reporting (24h to ENISA) September 11, 2026 94 days
Full CRA conformity assessment December 11, 2027 18 months
Penalties for non-compliance Up to EUR 15M or 2.5% of global turnover Active

What This Kit Provides

Module CRA Requirement License
DeviceIdentityService (identity.py) Device identity, access control — Art. 10(2-3) MIT
FirmwareHealthService (firmware.py) Vulnerability tracking, CVE matching — Art. 13(1-3) MIT
InputClassifier (input_guard.py) Secure by default input handling — Art. 10(1) MIT
PhysicalActionGuard (action_guard.py) Hard-blocked & confirm-required actions — Art. 10(3) MIT
CycloneDX SBOM Generator (sbom/generator.py) SBOM maintenance for ENISA — Art. 13(8) MIT
GuardianSubsystem (commercial) Central security health scoring License req.
BehaviouralBaselineService (commercial) Welford anomaly detection License req.
MemoryProvenance (commercial) HMAC-SHA256 tamper-evident audit chain License req.
CrossOracleSigner (commercial) Inter-service request signing & escalation License req.

Quickstart

pip install cra-compliance-kit
from cra_kit.identity import DeviceIdentityService, TrustTier
from cra_kit.firmware import FirmwareHealthService
from cra_kit.input_guard import InputClassifier
from cra_kit.action_guard import PhysicalActionGuard

# 1. Enrol devices with tiered trust
identity = DeviceIdentityService()
identity.enrol_device("sensor-01", "temperature_sensor", trust_tier=TrustTier.ENVIRONMENTAL)

# 2. Check firmware against CVE database
fw = FirmwareHealthService()
check = fw.check_device("sensor-01", "gateway", "1.5.3")
print(f"Vulnerable to {len(check.vulnerabilities_found)} CVEs")

# 3. Sanitize every input
classifier = InputClassifier()
safe, findings = classifier.is_safe(user_input)

# 4. Restrict dangerous actions
guard = PhysicalActionGuard()
result = guard.check_action("format_storage")
assert result["allowed"] == False  # Hard blocked

# 5. Generate SBOM
python -m sbom.generator --product "MyIoTGateway" --version "2.1.0" --output sbom.xml

CRA Article Mapping

Article Requirement How We Satisfy It
Article 10(1) Secure by default configuration InputClassifier blocks injection, sanitises inputs before processing
Article 10(2) Device identity & authentication DeviceIdentityService — 5-tier trust model with certificate-based enrollment
Article 10(3) Access control mechanisms PhysicalActionGuard — 10 hard-blocked + 11 confirm-required actions, time-aware
Article 13(1-3) Vulnerability handling & remediation FirmwareHealthService — CVE matching, semantic version gating, severity scoring
Article 13(8) SBOM accessible to ENISA on request CycloneDX 1.5 generator with automatic installed-package scanning

Architecture Overview

Each module is self-contained with zero external dependencies (stdlib only). Modules store state in SQLite at ~/.cra_kit/ for persistence.

User Input
    |
    v
InputClassifier  ── detects 8 injection families (prompt, code, SQL, command, XSS, SSRF, traversal, format string)
    |
    v
DeviceIdentityService  ── authenticates, checks trust tier (0-4)
    |
    v
PhysicalActionGuard  ── blocks/confirms dangerous actions, time-gated at night
    |
    v
FirmwareHealthService  ── matches version against CVE database
    |
    v
SBOM Generator (CycloneDX 1.5 XML)

Open-Core Licensing

Package Type Modules License Price
Open Source identity.py, firmware.py, input_guard.py, action_guard.py, sbom/generator.py MIT Free
Professional (coming soon) Guardian + Baselines + Provenance + Signing Commercial 1,500/yr
Enterprise (coming soon) All pro + priority support + SLA Commercial 7,500/yr

Requirements

  • Python 3.9+
  • SQLite (built into Python standard library)
  • Zero external dependencies

Who Built This

StarTeQ Ltd — the team behind Starcaller, a privacy-first AI appliance with a 9.3/10 security trust score and 8-module security stack in production.

Contact: sydney@starcaller.uk Website: starcaller.uk/cra-compliance

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cra_compliance_kit-1.0.3.tar.gz (13.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

cra_compliance_kit-1.0.3-py3-none-any.whl (16.1 kB view details)

Uploaded Python 3

File details

Details for the file cra_compliance_kit-1.0.3.tar.gz.

File metadata

  • Download URL: cra_compliance_kit-1.0.3.tar.gz
  • Upload date:
  • Size: 13.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.9

File hashes

Hashes for cra_compliance_kit-1.0.3.tar.gz
Algorithm Hash digest
SHA256 dd0d151dee05bb728fec638e94ee676cfdf8b5740bb1a93181f85c511df74bb4
MD5 51a0be238709939872379d4fca2efc43
BLAKE2b-256 cb7c4f3879d2f8017c0a063c76c775ba13a93095955f0f73f2ac4f8dabe9a093

See more details on using hashes here.

File details

Details for the file cra_compliance_kit-1.0.3-py3-none-any.whl.

File metadata

File hashes

Hashes for cra_compliance_kit-1.0.3-py3-none-any.whl
Algorithm Hash digest
SHA256 fe3e7fb32e3257fce8dd8413862252b388a57f0532345c4c1b0702b9c01b3d11
MD5 f52be822a516021ee18caa7449778fc0
BLAKE2b-256 fb5b9696329507c000153258a2e815b6d1a94a2b2caa43eb9d598307bf56f79f

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page