EU CRA
How Scrydon supports the EU Cyber Resilience Act — security requirements for digital products placed on the EU market.
The EU Cyber Resilience Act (Regulation (EU) 2024/2847) imposes cybersecurity requirements on manufacturers of "products with digital elements" made available on the EU market. It entered into force on 10 December 2024 and applies in stages: the manufacturer reporting obligations apply from 11 September 2026, and the remaining obligations, including conformity assessment, from 11 December 2027.
This page covers what the CRA requires of a platform like Scrydon and how the platform supports your compliance.
Who's on the hook
The CRA applies to manufacturers placing digital products on the EU market. For Scrydon:
- Scrydon (the vendor) is the manufacturer of the platform and is responsible for the platform's CRA conformance.
- You (the deployer) are not the manufacturer of Scrydon as long as you deploy it as shipped; if you substantially modify the platform, the CRA treats you as its manufacturer. Independently of that, you may be the manufacturer of your own product built on Scrydon (e.g. a chatbot offered to EU end-users), in which case the CRA applies to your product too.
Scrydon's CRA posture
Scrydon takes the following CRA-relevant measures:
| CRA requirement | Scrydon measure |
|---|---|
| Annex I, Part I(1) — Security by design | Authorisation, mTLS, ingress hardening, secrets management, audit logging — all on by default. |
| Annex I, Part II — Vulnerability handling | Coordinated vulnerability disclosure programme and signed security advisories. |
| Annex I, Part I(2)(c) and Part II(2), (7), (8) — Security updates | Quarterly minor releases carrying security fixes; emergency patches as needed, shipped through the same signed release channel. |
| Annex I, Part I(2)(b) — Secure by default configuration | All hardening is on by default; weakening it requires an explicit opt-out. |
| Annex I, Part I(2)(d) — Protection from unauthorised access | mTLS between internal components; SSO with SCIM provisioning for users and administrators. |
| Annex I, Part I(2)(f) and Part II(1) — Integrity and component inventory | Signed Helm charts, signed OCI images, and a CycloneDX SBOM at every release. |
| Annex I, Part I(2)(l) — Logging and monitoring | Structured audit log of security-relevant events. |
| Annex II — Information and instructions to the user | This documentation site, including the security and operations guidance. |
| Article 14 — Reporting obligations of manufacturers | Actively exploited vulnerabilities and severe incidents: early warning within 24 hours of becoming aware, submitted through the single reporting platform to the coordinating CSIRT and ENISA, followed by a notification within 72 hours and a final report. |
What this means for deployers
If you're building a CRA-regulated product on top of Scrydon (a chatbot, a customer portal, a regulated AI agent), you can rely on Scrydon's conformance for the platform layer, but that conformance does not transfer to your product. Your own product still needs:
- Your own cybersecurity risk assessment (Article 13(2)) and security-by-design analysis.
- Your own coordinated vulnerability disclosure policy and contact point.
- Your own incident reporting process; the Article 14 deadlines apply to your product independently of Scrydon's.
- Your own product-level documentation for users (Annex II).
Scrydon provides the platform-level controls; you wrap them in your product-level governance.
Supply chain
The CRA requires manufacturers to maintain an SBOM of their product's components (Annex I, Part II(1)) and to protect the integrity of the software they ship (Annex I, Part I(2)(f)). Scrydon emits:
- A CycloneDX SBOM for each release.
- Cosign signatures on every published Helm chart and OCI image.
- A reproducible-build manifest.
Verification instructions are in Deployment → Operations.
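A deployer-side triage of the release SBOM, as an added example that is not Scrydon's own tooling: it parses a constructed CycloneDX JSON fragment, matches components to a constructed advisory list by package URL (purl), and flags components that cannot be matched because they carry no purl. The package names, versions and advisory identifiers (EXAMPLE-0001 and so on) are hypothetical. Signature verification of the chart and image is a separate step done with cosign as described on the Operations page; the SBOM consumer below assumes that step has already passed.

```python
"""Deployer-side triage of a CycloneDX SBOM against an advisory list.

Added example, not Scrydon's own tooling. The SBOM and the advisory
feed below are constructed fragments for illustration; the package
names and advisory identifiers are hypothetical.
"""
import json
from typing import Optional

# Constructed CycloneDX 1.5 JSON document. Field names follow the spec;
# the components and versions are invented for the example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000000",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "example-app", "version": "1.2.0"}},
    "components": [
        {"type": "library", "name": "libfoo", "version": "2.3.1",
         "purl": "pkg:golang/example.com/libfoo@2.3.1?type=module"},
        {"type": "library", "name": "libbar", "version": "0.9.7",
         "purl": "pkg:golang/example.com/libbar@0.9.7"},
        # No purl: cannot be matched to an advisory by identifier alone.
        {"type": "library", "name": "libbaz", "version": "5.0.0"},
    ],
})

# Constructed advisory feed, keyed by versionless purl. A component is
# affected when its version is below fixed_in.
SAMPLE_ADVISORIES = {
    "pkg:golang/example.com/libfoo": {"id": "EXAMPLE-0001", "fixed_in": "2.4.0"},
    "pkg:golang/example.com/libbar": {"id": "EXAMPLE-0002", "fixed_in": "0.9.7"},
}


def load_sbom(text: str) -> dict:
    """Parse a CycloneDX JSON SBOM and reject anything that is not one."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX" or "specVersion" not in doc:
        raise ValueError("not a CycloneDX JSON SBOM")
    if not isinstance(doc.get("components"), list):
        raise ValueError("SBOM has no components list")
    return doc


def split_purl(purl: str) -> tuple[str, Optional[str]]:
    """Split 'pkg:type/ns/name@version?qualifiers#subpath' into
    (versionless purl, version). Qualifiers follow '?', the subpath
    follows '#', and namespaces are percent-encoded, so the last '@'
    in the remaining core is always the version separator."""
    core = purl.split("#", 1)[0].split("?", 1)[0]
    if "@" in core:
        base, version = core.rsplit("@", 1)
        return base, version
    return core, None


def parse_version(v: str) -> tuple[int, ...]:
    """Numeric dotted-version key; a leading 'v' and any pre-release
    or build suffix ('-rc1', '+meta') are dropped before comparing."""
    main = v.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in main.split("."))


def triage(sbom: dict, advisories: dict) -> dict:
    """Return components matching an advisory below its fixed version,
    plus components that could not be matched because they lack a purl."""
    affected, unmatched = [], []
    for comp in sbom["components"]:
        purl = comp.get("purl")
        if not purl:
            unmatched.append(comp.get("name", "?"))
            continue
        base, version = split_purl(purl)
        version = version or comp.get("version")
        adv = advisories.get(base)
        if adv is None or version is None:
            continue
        if parse_version(version) < parse_version(adv["fixed_in"]):
            affected.append((comp["name"], version, adv["id"]))
    return {"affected": affected, "unmatched": unmatched}


if __name__ == "__main__":
    report = triage(load_sbom(SAMPLE_SBOM), SAMPLE_ADVISORIES)
    for name, version, adv_id in report["affected"]:
        print(f"AFFECTED {name} {version} ({adv_id})")
    for name in report["unmatched"]:
        print(f"UNMATCHED {name}: no purl, review manually")
```

Components without a purl are reported separately rather than silently skipped: a name-and-version string alone is not a reliable key for advisory matching, so they need manual review. The version comparison is deliberately simple and ignores pre-release suffixes; for ecosystems with richer version schemes, use that ecosystem's own comparison rules.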
Related
- Deployment — signed releases, SBOM, integrity verification.
- Security — the security-by-design measures.
- Compliance → AI governance — overlaps with CRA's product-level documentation requirements.