A new Cyber Resilience Act (CRA) was recently agreed upon in the European Union (EU). The paper examines and elaborates what new requirements the CRA entails by contrasting it with the older General Data Protection Regulation (GDPR). According to the results, there are overlaps in terms of confidentiality, integrity, and availability guarantees, data minimization, traceability, data erasure, and security testing. The CRA's seven new essential requirements originate from obligations to (1) ship products without known exploitable vulnerabilities and (2) with secure defaults, to (3) provide security patches typically for a minimum of five years, to (4) minimize attack surfaces, to (5) develop and enable exploitation mitigation techniques, to (6) establish a software bill of materials (SBOM), and to (7) improve vulnerability coordination, including a mandate to establish a coordinated vulnerability disclosure policy. With these results and an accompanying discussion, the paper contributes to requirements engineering research specialized in legal requirements, demonstrating how new laws may affect existing requirements.