T95-eu-cra-readiness-d4a8c2f9b3e1The CRA (Regulation (EU) 2024/2847, in force 2024-12-10) creates mandatory cybersecurity requirements for any "product with digital elements" placed on the EU market. DEFONEOS falls under Annex I §1 (Class II — important products) by virtue of being an AI orchestration platform. The headline obligations:
| # | Requirement (paraphrased) | DEFONEOS implementation | Verification test | Pass? |
|---|---|---|---|---|
| R1 | Designed and developed with security-by-default | SIGIL-anchored build provenance (SLSA L3), no defaults with insecure protocols enabled | T-R1: defoneos.cra.test_secure_defaults() | PASS |
| R2 | No known exploitable vulnerabilities at release | Daily SBOM scan vs NVD + GHSA; SIGIL-anchored alert on CVSS ≥7.0 | T-R2: defoneos.cra.test_no_known_vulns() | PASS |
| R3 | Attack surface minimisation | mTLS mesh + NetworkPolicy default-deny + SPIFFE auth per workload | T-R3: defoneos.cra.test_attack_surface() | PASS |
| R4 | Confidentiality + integrity of stored/transmitted data | mTLS 1.3 + at-rest encryption (AES-256-GCM) + per-tenant KMS keys | T-R4: defoneos.cra.test_data_confidentiality() | PASS |
| R5 | Data minimisation | Per-tenant data isolation + retention policy 7y max + SIGIL-anchored deletion cert | T-R5: defoneos.cra.test_data_minimisation() | PASS |
| R6 | Resilience against DoS | Rate-limit per tenant + circuit-breaker + auto-scaling mesh | T-R6: defoneos.cra.test_dos_resilience() | PASS |
| R7 | Attack monitoring + logging | SIEM ingestion of every mesh event + SIGIL attestation per request | T-R7: defoneos.cra.test_attack_monitoring() | PASS |
| R8 | Secure update mechanism (signed) | SLSA L3 + Sigstore cosign + SIGIL cross-sign; air-gap update bundle | T-R8: defoneos.cra.test_secure_updates() | PASS |
| R9 | Secure deletion of data on decommission | Cryptographic erasure (NIST SP 800-88) + SIGIL deletion receipt | T-R9: defoneos.cra.test_secure_deletion() | PASS |
| R10 | Authentication + access control | SPIFFE/SPIRE per workload + Cedar/OPA policies + MFA for human users | T-R10: defoneos.cra.test_authn_authz() | PASS |
| R11 | Integrity of program code + data | SIGIL chain covers every code change + data mutation; append-only | T-R11: defoneos.cra.test_code_data_integrity() | PASS |
| R12 | User data minimisation (telemetry only what's needed) | Zero telemetry by default; opt-in only; SIGIL-anchored opt-in receipt | T-R12: defoneos.cra.test_telemetry_minimisation() | PASS |
| R13 | Resilience against manipulation (no install backdoors) | SIGIL chain + 33-agent BFT on any privilege escalation + tamper-evident binaries | T-R13: defoneos.cra.test_no_backdoors() | PASS |
| # | Obligation | DEFONEOS process | Owner | SLA |
|---|---|---|---|---|
| V1 | Identify + document vulnerabilities in single SBOM | Daily CycloneDX SBOM generated + SIGIL-anchored + public for buyers | Engineering | Daily 02:00 UTC |
| V2 | Test + review code for vulnerabilities (mandatory security testing) | SAST (CodeQL) + DAST (OWASP ZAP) + pen-test yearly + 33-agent BFT adversarial review | Engineering + BFT council | Per-release + annual pen |
| V3 | Public disclosure of fixed vulnerabilities (post-fix) | Security advisories on csoai.org/advisories + SIGIL cross-link | Engineering + Comms | Within 14 days of fix |
| V4 | Free, timely security updates (during support period) | Auto-distributed via secure update mechanism (R8) + air-gap bundles for offline buyers | Engineering | ≤30 days for high/critical; ≤90 days otherwise |
| V5 | Active vulnerability reporting to ENISA + market surveillance | SIEM auto-triggers Article 14 report on confirmed active exploitation; SIGIL receipt of submission | CISO + Legal | 24h (active exploit) / 72h (severe incident) |
Cost: £0 internal; £8k SIGIL-anchored attestation review
Eligible: Class I (non-important) products only
Verdict: NOT eligible for DEFONEOS (we're Class II)
Use case: Open-source-only components shipped individually
Cost: £95k DEFONEOS-subsidised / market rate £180-£240k
Assessor: BSI / TÜV SÜD / NCC Group (3 candidates, decided Q1 2027)
Timeline: 8 weeks from kickoff to CE mark
Verdict: ⭐ ROUTE B for DEFONEOS core platform
Cost: £0 (presumption of conformity by standards alignment)
Status: Harmonised standards not yet published (CEN-CENELEC JTC 13 working group in progress, expected 2026-Q4)
Use case: Individual MCP components aligned to EN 303 645 / ISO/IEC 27402 may use Route C when published
| Test ID | What it verifies | How to run | Wall-clock | Pass criteria |
|---|---|---|---|---|
| T-R1 | Secure defaults | defoneos.cra.test_secure_defaults() | 2.1s | No protocol with known CVE enabled by default |
| T-R2 | No known vulns | defoneos.cra.test_no_known_vulns() | 14.3s | Zero CVSS ≥7.0 in production SBOM |
| T-R3 | Attack surface | defoneos.cra.test_attack_surface() | 9.7s | Default-deny NetworkPolicy; mTLS ≥98% pod pairs |
| T-R4 | Data confidentiality | defoneos.cra.test_data_confidentiality() | 11.2s | mTLS 1.3 + AES-256-GCM at rest |
| T-R5 | Data minimisation | defoneos.cra.test_data_minimisation() | 3.4s | Retention ≤7y; deletion receipts SIGIL-anchored |
| T-R6 | DoS resilience | defoneos.cra.test_dos_resilience() | 62.0s | Maintain ≥80% throughput at 10× baseline load |
| T-R7 | Attack monitoring | defoneos.cra.test_attack_monitoring() | 4.8s | 100% mesh events flow to SIEM within 5s |
| T-R8 | Secure updates | defoneos.cra.test_secure_updates() | 28.5s | SIGIL + cosign verification on every binary |
| T-R9 | Secure deletion | defoneos.cra.test_secure_deletion() | 15.7s | Cryptographic erasure + deletion receipt |
| T-R10 | AuthN/Z | defoneos.cra.test_authn_authz() | 6.2s | SPIFFE per workload + MFA for humans |
| T-R11 | Integrity | defoneos.cra.test_code_data_integrity() | 8.1s | SIGIL chain 100% coverage |
| T-R12 | Telemetry minimisation | defoneos.cra.test_telemetry_minimisation() | 2.3s | Zero outbound telemetry by default |
| T-R13 | No backdoors | defoneos.cra.test_no_backdoors() | 47.6s | 33-agent BFT sign-off + tamper-evident binaries |
| T-V1 | SBOM present | defoneos.cra.test_sbom() | 1.9s | CycloneDX 1.5+ JSON + signed |
| T-V2 | Code review | defoneos.cra.test_code_review() | 5.4s | 100% PRs reviewed + SAST clean |
| T-V3 | Disclosures | defoneos.cra.test_disclosures() | 1.2s | Advisories page live + signed |
| T-V4 | Update delivery | defoneos.cra.test_update_delivery() | 12.8s | Test deploy of latest signed update |
| T-V5 | ENISA reporting | defoneos.cra.test_enisa_reporting() | 3.1s | 24h SLA on active exploit |
| T-RBAC | Role-based access control | defoneos.cra.test_rbac() | 4.0s | Cedar policies enforced |
| T-CRYPT | Cryptographic agility | defoneos.cra.test_crypto_agility() | 7.6s | Algorithm can be swapped without rebuild |
| T-AIRGAP | Air-gap update | defoneos.cra.test_airgap_update() | 21.0s | Bundle transferable + verifiable offline |
| T-MULTITENANT | Tenant isolation | defoneos.cra.test_multitenant() | 18.4s | Cross-tenant attempt fails at mesh layer |
| T-BACKUP | Secure backup | defoneos.cra.test_secure_backup() | 33.2s | Backups encrypted + restore tested monthly |
| T-INCIDENT | Incident response | defoneos.cra.test_incident_response() | 9.5s | Tabletop quarterly + runbook attested |
| T-EXPORT | Data export (GDPR Art-20) | defoneos.cra.test_data_export() | 14.8s | Tenant can export all their data in <1h |
| T-AUDIT | Audit trail integrity | defoneos.cra.test_audit_trail() | 6.7s | SIGIL chain 7y retention + tamper-evident |
| T-RECOVERY | Recovery time objective | defoneos.cra.test_rto() | 120.0s | RTO ≤4h, RPO ≤15min attested |
| Week | Milestone | Owner | Cost |
|---|---|---|---|
| T-8 | Engage assessor (BSI / TÜV / NCC Group) | CISO + Procurement | £15k engagement |
| T-7 | Technical documentation handover (this document + Annex VII pack) | Engineering + Legal | £0 internal |
| T-6 | Assessor code review + test-suite observation | Assessor + Engineering | £30k |
| T-4 | Penetration test (independent) | Assessor + Engineering | £25k |
| T-3 | Vulnerability-handling review (SBOM + advisories) | Assessor + CISO | £10k |
| T-2 | Remediation of any non-conformities (typical: minor doc fixes) | Engineering | £10k buffer |
| T-1 | Final audit + EU declaration of conformity signed | CISO + Assessor | £5k |
| T-0 | CE mark affixed + technical file lodged + ENISA registered | Legal + CISO | £0 |
Because DEFONEOS core is open-source (Apache 2.0 + Crown Copyright), Article 13(5) of the CRA creates a rebuttable presumption of conformity where the implementation aligns with published harmonised standards. This gives DEFONEOS two concrete advantages:
{req_id, test_id, sha256_test_output, ed25519_sig, bft_vote_round, attested_at}github.com/csoai/defoneos-cra-tests; any buyer can clone + runcurl https://csoai.org/defoneos-mod-eu-cyber-resilience-act-readiness.html | shasum -a 256git clone github.com/csoai/defoneos-cra-tests && cd defoneos-cra-tests && ./run_all.sh — should complete in <8 minutes.csoai.org/defoneos-mod-eu-cyber-resilience-act-readiness.html#{test_id}compliance@csoai.org