Descriptions of Solutions if Standards Are Not Applied for Software
Applying harmonised standards is the most straightforward way to demonstrate compliance with the Cyber Resilience Act (CRA), because products that conform to them benefit from a presumption of conformity (Article 27). It is not the only way, though. The CRA leaves manufacturers, including developers of apps, games and other software, free to meet the essential requirements by other means. One caveat before relying on that flexibility: the conformity assessment route depends on the product class. Products in the default category may be self-assessed either way, but important products listed in Annex III that do not apply harmonised standards, common specifications or a European cybersecurity certification scheme cannot use self-assessment and must involve a notified body (Article 32).
Your Obligation to Describe Solutions
If you choose not to apply harmonised standards or common specifications, or if none exist yet for a particular requirement, the obligation does not go away: you still have to meet every applicable essential cybersecurity requirement in Annex I, Part I (product properties) and Part II (vulnerability handling).
To show that you have done so, Annex VII, point 5, requires your Technical Documentation to include "descriptions of the solutions adopted to meet the essential cybersecurity requirements set out in Parts I and II of Annex I", together with a list of any other technical specifications you applied.
What This Means for Your Software Documentation
In this section of your Technical Documentation, you must explain your alternative approach. For your software, this could include:
- Applying Other Technical Specifications: You may have followed other relevant standards or industry best practices (e.g., OWASP ASVS, NIST guidelines). List each one precisely (name, version, and which Annex I requirement it addresses). Note that these do not carry the presumption of conformity that harmonised standards do, so you still owe the justification below.
- Describing Custom Solutions: Detail the specific security controls, architectural decisions and processes you implemented. For example, if you built a custom authentication system for your game, describe its design, the threats it is meant to counter, and its security features here.
- Providing Rationale: Explain why each chosen solution satisfies the specific essential requirement in Annex I, and point to the evidence (configuration, test results, review records) that shows it is actually in place. For instance, "To meet the requirement for protecting data in transit (Annex I, Part I, point (2)(e)), we implemented TLS 1.3 for all client-server communication, using a modern cipher suite..."
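The rationale sentence above names a concrete control (TLS 1.3 for all client-server traffic). An assessor reading that sentence will want to see the configuration that makes it true and a check that catches drift between the documented claim and the shipped code. The Python example below is added here for illustration; it is not from the original page or from any particular product. It assumes a client written in Python using the standard-library ssl module, uses the requirement reference "Annex I, Part I, point (2)(e)" only as a label in the evidence record, and all function and field names are hypothetical.

```python
import ssl


def build_weak_client_context() -> ssl.SSLContext:
    """Baseline for comparison: the unmodified stdlib default.

    Python 3.10+ puts the floor at TLS 1.2, so a server can still negotiate
    TLS 1.2. Shipping this while the Technical Documentation says
    'TLS 1.3 for all client-server communication' is exactly the
    documentation/implementation mismatch an assessor looks for.
    """
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH)


def build_tls13_client_context() -> ssl.SSLContext:
    """Hardened context matching the documented claim: TLS 1.3 only,
    server certificate required and hostname checked."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def matches_documented_claim(ctx: ssl.SSLContext) -> bool:
    """True only if the context enforces what the rationale sentence states."""
    return (
        ctx.minimum_version == ssl.TLSVersion.TLSv1_3
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
    )


def describe_transport_control(
    ctx: ssl.SSLContext,
    requirement: str = "Annex I, Part I, point (2)(e)",  # label only (assumption)
) -> dict:
    """Evidence record to cite next to the rationale in the Technical
    Documentation. Field names are hypothetical; the values are read from
    the live context rather than typed in by hand, so they cannot drift."""
    return {
        "requirement": requirement,
        "control": "TLS client context (stdlib ssl)",
        "minimum_version": ctx.minimum_version.name,
        "maximum_version": ctx.maximum_version.name,
        "server_cert_verified": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": bool(ctx.check_hostname),
        "tls13_supported_by_runtime": ssl.HAS_TLSv1_3,
        "openssl": ssl.OPENSSL_VERSION,
        "claim_holds": matches_documented_claim(ctx),
    }


def negotiated_version_ok(sock: ssl.SSLSocket) -> bool:
    """Runtime check after a handshake, for integration tests or a
    release gate: the negotiated protocol must actually be TLS 1.3."""
    return sock.version() == "TLSv1.3"


if __name__ == "__main__":
    for label, ctx in (("default", build_weak_client_context()),
                       ("hardened", build_tls13_client_context())):
        print(label, describe_transport_control(ctx))
```

The useful habit here is that the evidence record is generated from the running configuration, so the documentation can quote it and a CI test can assert on `matches_documented_claim()`; if someone later relaxes `minimum_version` to keep an old server working, the test fails before the documentation becomes untrue.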
This part of the documentation is where you make the case that your proprietary or alternative methods deliver a level of security equivalent to what applying the harmonised standard would have achieved. Without the presumption of conformity, the burden of proof sits with you, so keep the rationale specific and the evidence traceable.
Key Takeaway
If you do not use harmonised standards to comply with the CRA, your Technical Documentation must contain a detailed description and justification of the alternative technical solutions you implemented to meet the essential cybersecurity requirements for your software, backed by evidence that those solutions are actually in place.