CRA RACI Matrix
Role responsibilities for Cyber Resilience Act compliance
A RACI matrix clarifies who does what for each CRA obligation. Clear ownership prevents both gaps and duplicated effort, which matters given the regulation's broad scope across engineering, security, legal, and business functions.
Note: The CRA places obligations on "manufacturers" as a legal entity—it does not prescribe internal organizational roles. This matrix is a suggested starting point based on common industry practices, not a regulatory requirement. Adapt it to your organization's structure, size, and existing processes.
RACI Definitions
Responsible: Does the work (one or more roles per row)
Accountable: Ultimate owner / sign-off (exactly one role per row)
Consulted: Provides input before the work is done
Informed: Kept aware of the outcome
Governance & Regulatory RACI
| Obligation Area | Eng | Sec | Legal | Prod | QA | Ops | Supply | Support | Exec |
|---|---|---|---|---|---|---|---|---|---|
| Secure SDLC implementation | R | A | I | C | C | I | I | I | I |
| Threat modeling & risk assessment | C | R/A | I | C | I | I | I | I | I |
| SBOM generation & maintenance | R | A | I | C | I | I | C | I | I |
| Vulnerability handling (PSIRT) | C | R/A | C | I | I | C | I | C | I |
| Coordinated vulnerability disclosure | I | R/A | C | I | I | I | I | R | I |
| Technical documentation | R | C | C | C | A | I | I | I | I |
| Conformity assessment selection | C | C | C | I | R | I | I | I | A |
| CE marking readiness | C | C | C | I | R/A | I | I | I | I |
| Post-market monitoring | R | A | C | C | C | R | I | C | I |
| 24h incident notification | I | R/A | C | I | I | C | I | I | I |
| Regulatory communication | I | C | R | I | C | I | I | I | A |
| Product security roadmap | C | C | I | R/A | I | I | I | I | I |
| Support period definition | C | C | C | R/A | I | I | I | I | I |
| User notification of vulnerabilities | I | R | C | C | I | C | I | A | I |
| Supply chain due diligence | C | C | C | C | C | I | R/A | I | I |
| Record keeping (10-year) | C | C | R | I | A | C | C | I | I |
| Training & competency | C | R | I | I | C | C | I | I | A |
Security Features & Controls RACI
| Security Control | Eng | Sec | Legal | Prod | QA | Ops | Supply | Support | Exec |
|---|---|---|---|---|---|---|---|---|---|
| Secure-by-default configuration | R | A | I | C | C | I | I | I | I |
| Authentication & access control | R | A | I | C | C | I | I | I | I |
| Encryption (at rest / in transit) | R | A | I | C | C | I | I | I | I |
| Secure update mechanism | R | A | I | C | C | R | I | I | I |
| Vulnerability remediation | R | A | I | C | C | R | I | I | I |
| Logging & security events | R | A | I | C | C | C | I | I | I |
| Known vulnerability protection | R | A | I | C | C | C | I | I | I |
| Hardening guidance | R | C | I | A | C | I | I | C | I |
| SBOM & dependency control | R | A | I | C | C | I | R | I | I |
| End-of-life support policy | C | C | R | A | I | I | I | C | I |
| Secure design reviews | C | R/A | I | C | C | I | I | I | I |
| Penetration testing | C | R/A | I | I | C | I | I | I | I |
| Third-party component assessment | C | R/A | I | C | C | I | R | I | I |
Role Definitions
Engineering (Eng): Development teams building and maintaining the product
Security (Sec): Product security team, PSIRT, security architects
Legal: Legal counsel, regulatory affairs
Product (Prod): Product management, product owners
QA/Quality (QA): Quality assurance, compliance, conformity assessment
Operations (Ops): IT operations, deployment, infrastructure
Supply Chain (Supply): Procurement, vendor management, component sourcing
Customer Support (Support): Customer-facing support, vulnerability report intake
Executive (Exec): C-level, senior leadership with business accountability
Implementation Notes
- Smaller organizations may combine roles (e.g., Security + QA, Legal + Compliance); keep the "exactly one Accountable per row" rule even when one person holds several roles.
- For audit readiness, maintain a CRA Security Control Register mapping each control to its evidence artifacts (design reviews, test reports, SBOMs, release records).
- The 24h early-warning notification covers actively exploited vulnerabilities and severe incidents affecting the product's security. It is only the first step of a staged process (24h early warning, 72h notification, final report), so the reporting channel to the single reporting platform run by ENISA and the coordinator CSIRT must be established before an incident, not during one.
- Review and update role assignments annually or when organizational structure changes.
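Because a RACI matrix is only useful if every obligation has exactly one Accountable owner and at least one Responsible party, it is worth checking mechanically whenever the tables above are edited. The following Python script is an added example, not part of the original page: it parses a Markdown table in the same column layout as the matrices above and reports rows that break the RACI rules. The sample table is constructed for the example (three rows copied from the governance table plus one deliberately broken row).

```python
"""Validate a RACI matrix written as a Markdown table (added example)."""
import re
from collections import Counter

# Constructed sample: three rows copied from the governance table above,
# plus one deliberately broken row (two Accountable parties, no Responsible).
SAMPLE_TABLE = """\
| Obligation Area | Eng | Sec | Legal | Prod | QA | Ops | Supply | Support | Exec |
|---|---|---|---|---|---|---|---|---|---|
| Secure SDLC implementation | R | A | I | C | C | I | I | I | I |
| Coordinated vulnerability disclosure | I | R/A | C | I | I | I | I | R | I |
| Record keeping (10-year) | C | C | R | I | A | C | C | I | I |
| Broken example row | C | A | I | I | A | I | I | I | I |
"""

VALID_LETTERS = {"R", "A", "C", "I"}


def parse_raci(markdown: str):
    """Return (roles, {row_name: {role: set_of_letters}}) from a Markdown table.

    Combined cells such as "R/A" are split into the set {"R", "A"}.
    """
    lines = [ln.strip() for ln in markdown.splitlines() if ln.strip().startswith("|")]
    header = [c.strip() for c in lines[0].strip("|").split("|")]
    roles = header[1:]
    rows = {}
    for line in lines[1:]:
        cells = [c.strip() for c in line.strip("|").split("|")]
        if all(re.fullmatch(r"-+", c) for c in cells):
            continue  # Markdown header separator row
        name, letters = cells[0], cells[1:]
        if len(letters) != len(roles):
            raise ValueError(f"{name!r}: expected {len(roles)} cells, got {len(letters)}")
        rows[name] = {role: set(cell.split("/")) for role, cell in zip(roles, letters)}
    return roles, rows


def check_raci(markdown: str) -> dict:
    """Return {row_name: [problems]}; only rows that violate a rule are listed."""
    _, rows = parse_raci(markdown)
    problems = {}
    for name, assignment in rows.items():
        issues = []
        counts = Counter()
        for role, letters in assignment.items():
            bad = letters - VALID_LETTERS
            if bad:
                issues.append(f"invalid code {sorted(bad)} for {role}")
            counts.update(letters)
        if counts["A"] != 1:
            issues.append(f"expected exactly 1 Accountable, found {counts['A']}")
        if counts["R"] == 0:
            issues.append("no Responsible party")
        if issues:
            problems[name] = issues
    return problems


def workload(markdown: str) -> dict:
    """Count, per role, how many rows it is Responsible or Accountable on.

    Useful for spotting a single team (typically Security) that owns
    nearly everything, which is the usual sign the matrix is not realistic.
    """
    roles, rows = parse_raci(markdown)
    load = {role: 0 for role in roles}
    for assignment in rows.values():
        for role, letters in assignment.items():
            if letters & {"R", "A"}:
                load[role] += 1
    return load


if __name__ == "__main__":
    for row, issues in check_raci(SAMPLE_TABLE).items():
        print(f"{row}: {'; '.join(issues)}")
    print(workload(SAMPLE_TABLE))
```

Run it against each table on this page before publishing a revision; the workload count is a quick sanity check that the Accountable/Responsible load is actually spread across the roles listed in the Role Definitions.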