Heads Up! Known and Foreseeable Software Cybersecurity Risks
No software is entirely without risk. The Cyber Resilience Act requires you to inform users about any known or reasonably foreseeable circumstances related to your software's use that could lead to significant cybersecurity risks (Annex II, point 5). This is about transparency and enabling users to make informed decisions.
What Risks to Disclose
Consider risks arising from:
- Intended Purpose: Even when used as intended, are there inherent risks? For example, a cloud-connected app might have risks associated with data breaches if not properly secured by the user (e.g., weak passwords).
- Reasonably Foreseeable Misuse: How might users misuse the software in a way that creates security problems, even if it's not what you designed it for? For instance, a player disabling critical security features in a game in order to cheat, which might expose that player to malware.
- Interactions: Does your software interact with other systems or data in a way that, under certain conditions, could become a risk? (e.g., an app plugin that, if granted excessive permissions, could access sensitive data).
Be Specific
Avoid vague warnings. If your app allows users to share personal information publicly by default, that is a foreseeable circumstance leading to a privacy risk you should highlight. If your software component relies on an older library with known unpatched vulnerabilities, and you are unable to update it for some reason, that is a risk to flag.
This applies to games, apps, software libraries, and engines. The goal is to give users a realistic understanding of potential pitfalls.
Key Takeaway
Be upfront about the potential cybersecurity risks associated with using your software, both as intended and under reasonably foreseeable misuse. This proactive communication is mandated by Annex II, point 5.