Demystifying "simplified CC for CRA" | CRA Mondays
By Shanda Giacomoni
The latest CRA Monday featured Roger Riera, a technical manager at Applus+ Laboratories and Type A member of the European Commission’s Cyber Resilience Act (CRA) Expert Group. Roger introduced his work on a new methodology called the Simplified Common Criteria for CRA, or sCC4CRA, a practical framework designed to help manufacturers perform self-assessments under the CRA.
Roger began by explaining how the CRA allows manufacturers of “default” products (those not listed as important or critical in the Regulation’s annexes) to self-assess conformity through Module A, internal production control, of the New Legislative Framework. The goal, he said, was to translate the rigour of Common Criteria (CC) into a more accessible, self-contained model that could support conformity with CRA requirements, without the heavy formality that often makes CC certification intimidating.
“Common Criteria isn’t the problem,” Roger noted. “It’s a mature, logical methodology — we just need to adapt its language and process to make it usable under the CRA.”
The sCC4CRA methodology mirrors the familiar structure of Common Criteria but uses plain, CRA-aligned terminology and concepts. It includes both a high-level overview and a detailed step-by-step playbook, hosted publicly on GitHub to allow community feedback and version control. Each chapter aligns with the key elements of CRA compliance — from risk assessment and security objectives to testing, SBOM management, and vulnerability analysis — while remaining adaptable to future standardization updates.
During the discussion, participants raised questions about the balance between simplification and assurance, as well as how the approach connects with open source ecosystems, the revised Product Liability Directive, and ENISA guidance under NIS 2. Roger emphasized that sCC4CRA is not a replacement for other standards but rather a bridge, one that aims to make compliance more transparent and achievable.
“My goal,” he explained, “is to make CRA compliance practical for manufacturers who don’t have a team of certification experts. If we can lower the entry barrier, we can raise the baseline of security across the ecosystem.”
In closing, Roger shared that he continues to refine the methodology alongside his colleagues in the standardization community and invited contributions from anyone interested in testing or improving the framework. The full methodology is publicly available on GitHub, and Roger plans to release supporting templates and training materials in the near future.
