An Alignment Between the CRA's Essential Requirements and the ATT&CK's Mitigations

The paper presents an alignment evaluation between the mitigations present in the MITRE's ATT&CK framework and the essential cyber security requirements of the recently introduced Cyber Resilience Act (CRA) in the European Union. In overall, the two align well with each other. With respect to the CRA, there are notable gaps only in terms of data minimization, data erasure, and vulnerability coordination. In terms of the ATT&CK framework, gaps are present only in terms of threat intelligence, training, out-of-band communication channels, and residual risks. The evaluation presented contributes to narrowing of a common disparity between law and technical frameworks.

@article{ruohonen2025_2505.13641,
  title={ An Alignment Between the CRA's Essential Requirements and the ATT&CK's Mitigations },
  author={ Jukka Ruohonen and Eun-Young Kang and Qusai Ramadan },
  journal={arXiv preprint arXiv:2505.13641},
  year={ 2025 }
}