Glossary of CRA and Software Cybersecurity Terms

This glossary defines key terms from the Cyber Resilience Act (CRA) and general cybersecurity that are essential for software developers to understand.

CRA Specific Terms (from Article 3)

  • Product with Digital Elements: A software or hardware product and its remote data processing solutions, including software or hardware components placed on the market separately. This is what the CRA covers.
  • Manufacturer: The person or entity who develops a product (or has it developed) and markets it under their name or trademark. For an app or game, this is likely you.
  • Placing on the Market: The first time a product with digital elements is made available on the EU market.
  • Making Available on the Market: Supplying a product for distribution or use on the EU market in the course of a commercial activity.
  • Support Period: The period during which you, the manufacturer, are required to handle vulnerabilities effectively.
  • Substantial Modification: A change to the software after its release that affects its compliance with the CRA's essential requirements or changes its intended purpose.
  • Actively Exploited Vulnerability: A vulnerability for which there is reliable evidence that a malicious actor has used it. This triggers mandatory reporting.
  • Software Bill of Materials (SBOM): A formal record of the software components and dependencies included in your product.

General Cybersecurity Terms

  • Coordinated Vulnerability Disclosure (CVD): The process by which security researchers report vulnerabilities to a manufacturer, giving the manufacturer time to fix the issue before it is publicly disclosed.
  • Secure Software Development Lifecycle (SSDLC): A methodology that integrates security practices into every phase of the software development process.
  • Static Application Security Testing (SAST): Analysis of an application's source code or binary in a non-running state to find security vulnerabilities.
  • Software Composition Analysis (SCA): The process of identifying the open-source and third-party components in a codebase to assess security, license compliance, and quality.

Key Takeaway

Understanding the specific definitions used in the CRA is crucial for accurate compliance. Terms like Manufacturer, Support Period, and Substantial Modification have precise legal meanings that guide your obligations.