Annex I, Part I, Req 2a: No Known Exploitable Vulnerabilities in Software
When you release your software, app, or game to the EU market, it needs to be clean. The EU Cyber Resilience Act (CRA) states that, based on your risk assessment and where applicable, products with digital elements shall "be made available on the market without known exploitable vulnerabilities" (Annex I, Part I, Point 2a).
What This Means for Developers
- Pre-Release Checks: Before you hit the "publish" button or ship your product, you need to have processes in place to identify and fix any vulnerabilities that are:
  - Known: This implies vulnerabilities that have been discovered, whether internally through your testing, reported by third parties, or publicly documented.
  - Exploitable: These are flaws that an attacker could realistically use to compromise your software's security.
- Risk-Based Approach: The phrase "where applicable" and the overall context of Article 13 link this to your cybersecurity risk assessment. The effort you put into finding and fixing these should be proportionate to the risk. However, for any product, shipping with a vulnerability you know is there and is exploitable is a direct contradiction of this requirement.
- Impact on Updates: This also applies each time you place the product on the market. If you are providing a physical copy or a version for download, that specific instance being placed on the market must be free of known exploitable vulnerabilities at that point in time. This means applying relevant security patches before distribution.
Practical Implications
- Conduct thorough security testing before release (e.g., penetration testing, code audits, vulnerability scanning).
- Have a process to track and remediate identified vulnerabilities.
- Ensure your final release build incorporates fixes for any known exploitable issues.
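One way to wire the three steps above into a release pipeline is a gate that compares the build's component manifest against the vulnerabilities you already know about and refuses to ship while any known exploitable one remains. The script below is an added illustration, not code from the CRA or from any project; the manifest, advisory identifiers (ADV-000x) and the `exploitable` flag (the outcome of your own risk assessment) are constructed sample values.

```python
"""Pre-release gate: refuse to ship a build whose components carry a known
exploitable vulnerability. All manifest and advisory data here is constructed
sample data, not a real vulnerability feed."""
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple:
    """Turn a dotted numeric version ("1.4.2") into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    id: str                 # advisory identifier (placeholder values below)
    package: str            # affected component name
    introduced: str         # first affected version (inclusive)
    fixed: Optional[str]    # first fixed version, or None if no fix exists yet
    exploitable: bool       # assessed as realistically exploitable (assumption)


def affects(adv: Advisory, version: str) -> bool:
    """True when `version` lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def release_gate(components: dict, advisories: list) -> dict:
    """Split matching advisories into 'blocking' (known exploitable: the build
    must not ship) and 'tracked' (known, assessed not exploitable: stays in the
    remediation backlog but does not stop the release)."""
    result = {"blocking": [], "tracked": []}
    for adv in advisories:
        shipped = components.get(adv.package)
        if shipped is None or not affects(adv, shipped):
            continue
        bucket = "blocking" if adv.exploitable else "tracked"
        result[bucket].append((adv.id, adv.package, shipped, adv.fixed))
    return result


# Constructed sample build manifest and advisory list.
SAMPLE_COMPONENTS = {"imagelib": "2.3.1", "netcore": "1.9.0", "zipper": "4.0.2"}
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "imagelib", "2.0.0", "2.3.4", exploitable=True),
    Advisory("ADV-0002", "netcore", "1.0.0", "1.8.0", exploitable=True),  # already patched
    Advisory("ADV-0003", "zipper", "4.0.0", None, exploitable=False),     # tracked only
]

if __name__ == "__main__":
    verdict = release_gate(SAMPLE_COMPONENTS, SAMPLE_ADVISORIES)
    for entry in verdict["blocking"]:
        print("BLOCK release:", entry)
    raise SystemExit(1 if verdict["blocking"] else 0)
```

Run as the last step of the release job: a non-zero exit means the build still contains a known exploitable vulnerability and the fixed version (or a mitigation) has to land before the artifact is placed on the market.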
Key Takeaway
Under Annex I, Part I, Point 2a of the CRA, you are obligated to ensure your software product is free from known exploitable vulnerabilities at the moment it's first made available on the EU market. This necessitates robust pre-release security testing and patching.