title: OSPS Baseline to EU Cyber Resilience Act (CRA) Annex I
metadata:
  id: OSPS-CRA-MAP-001
  version: "1.0.0"
  type: MappingDocument
  gemara-version: "0.20.0"
  description: >
    Maps OSPS Baseline controls to essential cybersecurity requirements
    in Annex I of the EU Cyber Resilience Act (Regulation 2024/2847).
    OSPS classifies all external guideline mappings as relates-to.
    Downstream consumers may refine the relationship type based on
    their applicability context.
  author:
    id: gemara-example
    name: Gemara Example Author
    type: Human
applicability-groups:
  - id: manufacturer
    title: Manufacturer
    description: >
      Entity placing a product with digital elements on the EU market.
      Subject to full CRA Annex I obligations.
  - id: open-source-steward
    title: Open Source Software Steward
    description: >
      Entity systematically providing support for open source products
      intended for commercial use. Subject to reduced obligations under
      CRA Article 24.
  - id: ML1
    title: Maturity Level 1
    description: >
      OSPS Baseline entry-level maturity. Projects at this level satisfy
      foundational security requirements.
  - id: ML2
    title: Maturity Level 2
    description: >
      OSPS Baseline intermediate maturity. Projects at this level satisfy
      enhanced security requirements including vulnerability disclosure
      and release practices.
  - id: ML3
    title: Maturity Level 3
    description: >
      OSPS Baseline advanced maturity. Projects at this level satisfy the
      most rigorous security requirements including SBOM, VEX, and
      automated enforcement.
mapping-references:
  - id: OSPS
    title: Open Source Project Security Baseline
    version: "2025.03.03"
    url: "https://baseline.openssf.org/"
  - id: CRA
    title: EU Cyber Resilience Act - Annex I
    version: "2024/2847"
    url: "https://eur-lex.europa.eu/eli/reg/2024/2847/oj"
source-reference:
  reference-id: OSPS
target-reference:
  reference-id: CRA
remarks: >
  CRA Annex I Part I (1.x) covers security requirements for products with
  digital elements; Part II (2.x) covers vulnerability handling.
mappings:
  - id: QA02-2.1-mfr
    source:
      entry-id: OSPS-QA-02
      entry-type: Control
    target:
      entry-id: "2.1"
      entry-type: Guideline
    relationship: relates-to
    strength: 6
    confidence-level: Medium
    applicability:
      - "manufacturer"
    rationale: >
      OSPS-QA-02 requires dependency lists and SBOMs. CRA 2.1 requires
      identifying and documenting vulnerabilities and components. SBOMs
      address component identification but not the full manufacturer
      obligation.
  - id: QA02-2.1-steward
    source:
      entry-id: OSPS-QA-02
      entry-type: Control
    target:
      entry-id: "2.1"
      entry-type: Guideline
    relationship: implements
    strength: 9
    confidence-level: High
    applicability:
      - "open-source-steward"
    rationale: >
      For open-source stewards, CRA Article 24 narrows 2.1 to a best-effort
      duty around vulnerability facilitation. OSPS-QA-02 dependency tracking
      and SBOM generation fulfills this scoped-down obligation.
  - id: VM01.01-2.5
    source:
      entry-id: OSPS-VM-01.01
      entry-type: AssessmentRequirement
    target:
      entry-id: "2.5"
      entry-type: Guideline
    relationship: relates-to
    confidence-level: High
    applicability:
      - "ML2"
      - "ML3"
    rationale: >
      OSPS-VM-01.01 requires a CVD policy with a clear timeframe for
      response. This assessment requirement activates at Maturity Level 2.
      At Level 1, no CVD policy is required, so the CRA 2.5 relationship
      does not hold.
  - id: VM04.02-2.4
    source:
      entry-id: OSPS-VM-04.02
      entry-type: AssessmentRequirement
    target:
      entry-id: "2.4"
      entry-type: Guideline
    relationship: relates-to
    confidence-level: High
    applicability:
      - "ML3"
    rationale: >
      OSPS-VM-04.02 requires a VEX document for vulnerabilities in
      components that do not affect the project. This Maturity Level 3
      requirement strengthens the CRA 2.4 relationship by providing
      machine-readable exploitability data beyond basic disclosure.
  - id: GV01-no-match
    source:
      entry-id: OSPS-GV-01
      entry-type: Control
    relationship: no-match
    confidence-level: High
    rationale: >
      OSPS-GV-01 requires publishing project roles and responsibilities.
      CRA Annex I has no corresponding requirement for governance
      documentation.