CRA control catalogs in OSCAL
The CRA Portal Cyber Resilience Act control set, published as NIST Open Security Controls Assessment Language catalogs. Standard JSON that governance, risk, and compliance tools ingest directly, generated from the same source that drives the platform.
Why OSCAL
OSCAL is NIST's open standard for expressing security controls and assessment data as structured, machine-readable documents. Tools like compliance-trestle, RegScale, and Xacta read it natively. Publishing the CRA controls this way means a manufacturer can pull the requirements into an existing GRC pipeline instead of transcribing them by hand or parsing a bespoke format.
These are the first public renderings of the CRA vulnerability-handling requirements as OSCAL catalogs. They are generated from the platform's own control constants and validated on every build, so what you download matches what the product enforces.
Download the catalogs
CRA Vulnerability Handling Control Catalog
The full vulnerability-handling control set (applicability through post-release), each control carrying its requirement items and assessment objectives.
26 controls · OSCAL 1.1.2 · JSONGET https://cvdportal.com/oscal/catalog-cvd-vuln-handling.jsonEN 40000-1-3 Clause Catalog
The EN 40000-1-3 clauses, cross-linked to the controls that satisfy each clause.
24 clauses · OSCAL 1.1.2 · JSONGET https://cvdportal.com/oscal/catalog-en-40000-1-3.jsonEN 40000-1-3 is a draft harmonised standard, not yet cited in the Official Journal of the EU. These catalogs are a working blueprint for a traceable vulnerability-handling process. On their own they do not confer presumption of conformity with Regulation (EU) 2024/2847.
Run these controls, don't just read them
CRA Portal implements the intake, tracking, and evidence for every control in the catalog.
Get Started for Free