A Mapping Analysis of Requirements Between the CRA and the GDPR
- URL: http://arxiv.org/abs/2503.01816v1
- Date: Mon, 03 Mar 2025 18:42:12 GMT
- Title: A Mapping Analysis of Requirements Between the CRA and the GDPR
- Authors: Jukka Ruohonen, Kalle Hjerppe, Eun-Young Kang,
- Abstract summary: The Cyber Resilience Act (CRA) was recently agreed upon by the European Union (EU). This paper contributes to requirements engineering research specialized into legal requirements, demonstrating how new laws may affect existing requirements.
- Score: 0.19116784879310028
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: A new Cyber Resilience Act (CRA) was recently agreed upon in the European Union (EU). The paper examines and elaborates what new requirements the CRA entails by contrasting it with the older General Data Protection Regulation (GDPR). According to the results, there are overlaps in terms of confidentiality, integrity, and availability guarantees, data minimization, traceability, data erasure, and security testing. The CRA's seven new essential requirements originate from obligations to (1) ship products without known exploitable vulnerabilities and (2) with secure defaults, to (3) provide security patches typically for a minimum of five years, to (4) minimize attack surfaces, to (5) develop and enable exploitation mitigation techniques, to (6) establish a software bill of materials (SBOM), and to (7) improve vulnerability coordination, including a mandate to establish a coordinated vulnerability disclosure policy. With these results and an accompanying discussion, the paper contributes to requirements engineering research specialized into legal requirements, demonstrating how new laws may affect existing requirements.
Related papers
- AILuminate: Introducing v1.0 of the AI Risk and Reliability Benchmark from MLCommons [62.374792825813394]
This paper introduces AILuminate v1.0, the first comprehensive industry-standard benchmark for assessing AI-product risk and reliability.
The benchmark evaluates an AI system's resistance to prompts designed to elicit dangerous, illegal, or undesirable behavior in 12 hazard categories.
arXiv Detail & Related papers (2025-02-19T05:58:52Z)
- Classification or Prompting: A Case Study on Legal Requirements Traceability [6.411835643029738]
New regulations are continuously introduced to ensure that software development complies with the ethical concerns and prioritizes public safety.
A prerequisite for demonstrating compliance involves tracing software requirements to legal provisions.
This paper investigates two automated solutions to predict trace links between requirements and legal provisions.
arXiv Detail & Related papers (2025-02-07T13:33:40Z)
- Vulnerability Coordination Under the Cyber Resilience Act [0.21485350418225244]
The Cyber Resilience Act (CRA) was recently agreed upon in the European Union (EU).
It imposes many new cyber security requirements practically to all information technology products.
The paper examines and elaborates the CRA's new requirements for vulnerability coordination, including vulnerability disclosure.
arXiv Detail & Related papers (2024-12-09T07:19:30Z)
- Securing Legacy Communication Networks via Authenticated Cyclic Redundancy Integrity Check [98.34702864029796]
We propose Authenticated Cyclic Redundancy Integrity Check (ACRIC)
ACRIC preserves backward compatibility without requiring additional hardware and is protocol agnostic.
We show that ACRIC offers robust security with minimal transmission overhead ( 1 ms)
arXiv Detail & Related papers (2024-11-21T18:26:05Z)
- Development of a threat modelling framework and a web-based threat modelling tool for micro businesses [0.0]
Micro-businesses (MBs) are often overlooked when it comes to cybersecurity.
Having fewer than 10 employees, they tend to lack cybersecurity expertise.
MBs are often the victims of security breaches and cyber-attacks every year.
arXiv Detail & Related papers (2024-11-10T12:14:43Z)
- Knowledge-Augmented Reasoning for EUAIA Compliance and Adversarial Robustness of LLMs [1.368472250332885]
The EU AI Act (EUAIA) introduces requirements for AI systems which intersect with the processes required to establish adversarial robustness.
This paper presents a functional architecture that focuses on bridging the two properties.
We aim to support developers and auditors with a reasoning layer based on knowledge augmentation.
arXiv Detail & Related papers (2024-10-04T18:23:14Z)
- Certifiably Byzantine-Robust Federated Conformal Prediction [49.23374238798428]
We introduce a novel framework Rob-FCP, which executes robust federated conformal prediction effectively countering malicious clients.
We empirically demonstrate the robustness of Rob-FCP against diverse proportions of malicious clients under a variety of Byzantine attacks.
arXiv Detail & Related papers (2024-06-04T04:43:30Z)
- Service Level Agreements and Security SLA: A Comprehensive Survey [51.000851088730684]
This survey paper identifies state of the art covering concepts, approaches, and open problems of SLA management.
It contributes by carrying out a comprehensive review and covering the gap between the analyses proposed in existing surveys and the most recent literature on this topic.
It proposes a novel classification criterium to organize the analysis based on SLA life cycle phases.
arXiv Detail & Related papers (2024-01-31T12:33:41Z)
- POSTER: Towards Secure 5G Infrastructures for Production Systems [1.856919806607829]
We present approaches to prevent attacks through authentication and redundant communication.
We also present approaches to detect anomalies and jamming, and respond to detected attacks through device exclusion and accountability measures.
arXiv Detail & Related papers (2024-01-24T09:01:02Z)
- A Survey and Comparative Analysis of Security Properties of CAN Authentication Protocols [92.81385447582882]
The Controller Area Network (CAN) bus leaves in-vehicle communications inherently non-secure.
This paper reviews and compares the 15 most prominent authentication protocols for the CAN bus.
We evaluate protocols based on essential operational criteria that contribute to ease of implementation.
arXiv Detail & Related papers (2024-01-19T14:52:04Z)
- The risks of risk-based AI regulation: taking liability seriously [46.90451304069951]
The development and regulation of AI seems to have reached a critical stage.
Some experts are calling for a moratorium on the training of AI systems more powerful than GPT-4.
This paper analyses the most advanced legal proposal, the European Union's AI Act.
arXiv Detail & Related papers (2023-11-03T12:51:37Z)
- Trustworthy AI [75.99046162669997]
Brittleness to minor adversarial changes in the input data, the ability to explain decisions, and addressing bias in training data are some of the most prominent limitations.
We propose the tutorial on Trustworthy AI to address six critical issues in enhancing user and public trust in AI systems.
arXiv Detail & Related papers (2020-11-02T20:04:18Z)
This list is automatically generated from the titles and abstracts of the papers in this site.