A Mapping Analysis of Requirements Between the CRA and the GDPR

📅 2025-03-03
🤖 AI Summary
This paper addresses the regulatory misalignment between the EU's Cyber Resilience Act (CRA) and the General Data Protection Regulation (GDPR). Using comparative legal analysis, requirements mapping modeling, and normative semantic parsing, it systematically establishes the first structured mapping of their security requirements. The study identifies six shared security requirements, spanning confidentiality, integrity, and availability, and distills seven novel core security obligations introduced by the CRA, clarifying how they extend and reconfigure existing compliance frameworks. By bridging a critical gap in requirements engineering driven by regulatory evolution, the work delivers a traceable, actionable cross-regulatory requirements alignment framework. This framework provides theoretical foundations and practical guidance for legally compliant security design across the full lifecycle of secure products.

📝 Abstract
A new Cyber Resilience Act (CRA) was recently agreed upon in the European Union (EU). The paper examines and elaborates what new requirements the CRA entails by contrasting it with the older General Data Protection Regulation (GDPR). According to the results, there are overlaps in terms of confidentiality, integrity, and availability guarantees, data minimization, traceability, data erasure, and security testing. The CRA's seven new essential requirements originate from obligations to (1) ship products without known exploitable vulnerabilities and (2) with secure defaults, to (3) provide security patches typically for a minimum of five years, to (4) minimize attack surfaces, to (5) develop and enable exploitation mitigation techniques, to (6) establish a software bill of materials (SBOM), and to (7) improve vulnerability coordination, including a mandate to establish a coordinated vulnerability disclosure policy. With these results and an accompanying discussion, the paper contributes to requirements engineering research specialized in legal requirements, demonstrating how new laws may affect existing requirements.
Problem

Research questions and friction points this paper is trying to address.

Analyzes overlaps between CRA and GDPR requirements.
Identifies seven new essential CRA cybersecurity requirements.
Explores impact of new laws on existing legal requirements.
Innovation

Methods, ideas, or system contributions that make the work stand out.

Contrasts CRA with GDPR for new requirements
Identifies seven essential CRA cybersecurity mandates
Enhances legal requirements engineering research