EU Cyber Resilience Act (Regulation 2024/2847)

An EU regulation establishing horizontal cybersecurity requirements for products with digital elements. It applies to manufacturers, importers, and distributors of hardware and software sold in the EU. Annex I sets out 22 essential cybersecurity requirements covering secure-by-design, vulnerability handling, SBOM, coordinated vulnerability disclosure, and secure update mechanisms. Penalties reach EUR 15M or 2.5% of turnover. Reporting obligations apply from September 2026; the regulation applies in full from December 2027. It complements NIS2 (which targets operators) with product-level security requirements.

AC Access Control

Control | Name | EU CRA References
AC-01 | Access Control Policies and Procedures | CRA.I.2d
AC-02 | Account Management | CRA.I.2d
AC-03 | Access Enforcement | CRA.I.2d
AC-04 | Information Flow Enforcement | CRA.I.2j
AC-06 | Least Privilege | CRA.I.2d
AC-07 | Unsuccessful Login Attempts | CRA.I.2d
AC-17 | Remote Access | CRA.I.2d

AT Awareness and Training

Control | Name | EU CRA References
AT-01 | Security Awareness And Training Policy And Procedures | CRA.Info.8a

AU Audit and Accountability

Control | Name | EU CRA References
AU-01 | Audit And Accountability Policy And Procedures | CRA.I.2l
AU-02 | Auditable Events | CRA.I.2d, CRA.I.2l
AU-03 | Content Of Audit Records | CRA.I.2d, CRA.I.2l
AU-04 | Audit Storage Capacity | CRA.I.2l
AU-05 | Response To Audit Processing Failures | CRA.I.2l
AU-06 | Audit Monitoring, Analysis, And Reporting | CRA.I.2d, CRA.I.2l
AU-08 | Time Stamps | CRA.I.2l
AU-09 | Protection Of Audit Information | CRA.I.2f, CRA.I.2l
AU-10 | Non-Repudiation | CRA.I.2f
AU-11 | Audit Record Retention | CRA.I.2l
AU-12 | Audit Record Generation | CRA.I.2l
AU-14 | Session Audit | CRA.I.2l

CA Security Assessment and Authorization

Control | Name | EU CRA References
CA-02 | Security Assessments | CRA.I.2a, CRA.II.3
CA-03 | Information System Connections | CRA.I.2i, CRA.Info.8f
CA-08 | Penetration Testing | CRA.I.2a, CRA.II.3

CM Configuration Management

Control | Name | EU CRA References
CM-02 | Baseline Configuration | CRA.I.2b, CRA.Info.3
CM-03 | Configuration Change Control | CRA.I.2c, CRA.II.2, CRA.II.7, CRA.Info.8b
CM-04 | Monitoring Configuration Changes | CRA.II.2, CRA.Info.8b
CM-06 | Configuration Settings | CRA.I.2b, CRA.Info.8a
CM-07 | Least Functionality | CRA.I.2b, CRA.I.2j, CRA.Info.8e
CM-08 | Information System Component Inventory | CRA.II.1, CRA.Info.3
CM-12 | Information Location | CRA.II.1

CP Contingency Planning

Control | Name | EU CRA References
CP-01 | Contingency Planning Policy And Procedures | CRA.I.2h
CP-02 | Contingency Plan | CRA.I.2h
CP-07 | Alternate Processing Site | CRA.I.2h
CP-09 | Information System Backup | CRA.I.2h
CP-10 | Information System Recovery And Reconstitution | CRA.I.2h

IA Identification and Authentication

Control | Name | EU CRA References
IA-01 | Identification And Authentication Policy And Procedures | CRA.I.2d
IA-02 | User Identification And Authentication | CRA.I.2d
IA-03 | Device Identification And Authentication | CRA.I.2d
IA-04 | Identifier Management | CRA.I.2d
IA-05 | Authenticator Management | CRA.I.2d
IA-06 | Authenticator Feedback | CRA.I.2d
IA-08 | Identification and Authentication (Non-Organizational Users) | CRA.I.2d
IA-11 | Re-authentication | CRA.I.2d
IA-12 | Identity Proofing | CRA.I.2d

IR Incident Response

Control | Name | EU CRA References
IR-01 | Incident Response Policy And Procedures | CRA.Art14, CRA.II.6, CRA.Info.2
IR-04 | Incident Handling | CRA.I.2k
IR-05 | Incident Monitoring | CRA.Art14
IR-06 | Incident Reporting | CRA.Art14, CRA.II.4, CRA.II.5
IR-07 | Incident Response Assistance | CRA.II.6
IR-08 | Incident Response Plan | CRA.Art14

MA Maintenance

Control | Name | EU CRA References
MA-01 | System Maintenance Policy And Procedures | CRA.I.2c, CRA.II.7
MA-02 | Controlled Maintenance | CRA.I.2c

MP Media Protection

Control | Name | EU CRA References
MP-04 | Media Storage | CRA.I.2e
MP-05 | Media Transport | CRA.I.2e, CRA.I.2m
MP-06 | Media Sanitization And Disposal | CRA.I.2m, CRA.Info.8d

PL Planning

Control | Name | EU CRA References
PL-02 | System Security Plan | CRA.Info.4, CRA.Info.8a
PL-07 | Concept of Operations | CRA.Info.4
PL-08 | Security and Privacy Architectures | CRA.I.1

PM Program Management

Control | Name | EU CRA References
PM-05 | System Inventory | CRA.II.1, CRA.Info.7
PM-07 | Enterprise Architecture | CRA.I.1
PM-09 | Risk Management Strategy | CRA.Info.5
PM-15 | Security and Privacy Groups and Associations | CRA.Art14, CRA.II.4, CRA.II.5, CRA.II.6, CRA.Info.2
PM-16 | Threat Awareness Program | CRA.II.5
PM-25 | Minimization of Personally Identifiable Information Used in Testing, Training, and Research | CRA.I.2g
PM-30 | Supply Chain Risk Management Strategy | CRA.I.1

PT Personally Identifiable Information Processing and Transparency

Control | Name | EU CRA References
PT-02 | Authority to Process Personally Identifiable Information | CRA.I.2g
PT-03 | Personally Identifiable Information Processing Purposes | CRA.I.2g
PT-06 | System of Records Notice | CRA.I.2g

RA Risk Assessment

Control | Name | EU CRA References
RA-03 | Risk Assessment | CRA.Info.5
RA-05 | Vulnerability Scanning | CRA.I.2a, CRA.II.1, CRA.II.2, CRA.II.3, CRA.Info.5
RA-06 | Technical Surveillance Countermeasures Survey | CRA.II.3

SA System and Services Acquisition

Control | Name | EU CRA References
SA-01 | System And Services Acquisition Policy And Procedures | CRA.I.1
SA-02 | Allocation Of Resources | CRA.I.1
SA-03 | Life Cycle Support | CRA.I.1
SA-04 | Acquisitions | CRA.I.1, CRA.I.2b, CRA.I.2e, CRA.I.2j, CRA.II.1, CRA.Info.8f
SA-05 | Information System Documentation | CRA.Info.4, CRA.Info.5, CRA.Info.8a, CRA.Info.8b, CRA.Info.8c, CRA.Info.8d, CRA.Info.8e, CRA.Info.8f
SA-08 | Security Engineering Principles | CRA.I.1, CRA.I.2b, CRA.I.2g, CRA.I.2j
SA-09 | External Information System Services | CRA.I.2i, CRA.Info.8f
SA-10 | Developer Configuration Management | CRA.I.1, CRA.I.2f
SA-11 | Developer Security Testing | CRA.I.1, CRA.I.2a, CRA.II.2, CRA.II.3
SA-15 | Development Process, Standards, and Tools | CRA.I.1, CRA.I.2a
SA-17 | Developer Security and Privacy Architecture and Design | CRA.I.1
SA-20 | Customized Development of Critical Components | CRA.I.2k
SA-22 | Unsupported System Components | CRA.I.2c, CRA.II.2, CRA.Info.7

SC System and Communications Protection

Control | Name | EU CRA References
SC-03 | Security Function Isolation | CRA.I.2k
SC-05 | Denial Of Service Protection | CRA.I.2h
SC-06 | Resource Priority | CRA.I.2h
SC-07 | Boundary Protection | CRA.I.2i, CRA.I.2j
SC-08 | Transmission Integrity | CRA.I.2e, CRA.I.2f, CRA.II.7
SC-12 | Cryptographic Key Establishment And Management | CRA.I.2e
SC-13 | Use Of Cryptography | CRA.I.2e
SC-16 | Transmission Of Security Parameters | CRA.I.2f
SC-24 | Fail in Known State | CRA.I.2k
SC-28 | Protection of Information at Rest | CRA.I.2b, CRA.I.2e
SC-29 | Heterogeneity | CRA.I.2k
SC-30 | Concealment and Misdirection | CRA.I.2k
SC-34 | Non-modifiable Executable Programs | CRA.I.2k
SC-35 | External Malicious Code Identification | CRA.I.2k
SC-39 | Process Isolation | CRA.I.2k
SC-41 | Port and I/O Device Access | CRA.I.2j
SC-44 | Detonation Chambers | CRA.I.2i
SC-47 | Alternate Communications Paths | CRA.I.2i

SI System and Information Integrity

Control | Name | EU CRA References
SI-02 | Flaw Remediation | CRA.I.2a, CRA.I.2c, CRA.II.2, CRA.II.7, CRA.II.8, CRA.Info.8c
SI-03 | Malicious Code Protection | CRA.I.2i
SI-04 | Information System Monitoring Tools And Techniques | CRA.I.2d, CRA.I.2i, CRA.I.2l
SI-05 | Security Alerts And Advisories | CRA.Art14, CRA.II.4, CRA.II.5, CRA.II.8
SI-06 | Security Functionality Verification | CRA.II.3
SI-07 | Software And Information Integrity | CRA.I.2b, CRA.I.2c, CRA.I.2f, CRA.II.7
SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | CRA.I.2f
SI-11 | Error Handling | CRA.I.2l
SI-12 | Information Output Handling And Retention | CRA.I.2g, CRA.I.2m
SI-13 | Predictable Failure Prevention | CRA.I.2h
SI-16 | Memory Protection | CRA.I.2k
SI-17 | Fail-safe Procedures | CRA.I.2h
SI-18 | Personally Identifiable Information Quality Operations | CRA.I.2m
SI-19 | De-identification | CRA.I.2g, CRA.I.2m

SR Supply Chain Risk Management

Control | Name | EU CRA References
SR-01 | Policy and Procedures | CRA.I.1
SR-02 | Supply Chain Risk Management Plan | CRA.I.1
SR-03 | Supply Chain Controls and Processes | CRA.I.1
SR-04 | Provenance | CRA.II.1
SR-06 | Supplier Assessments and Reviews | CRA.I.2a