Annex I, Part I, Req 2b: Secure by Default Configuration for Software

The EU Cyber Resilience Act (CRA) wants your software to be secure right out of the box. That's the essence of the requirement: products with digital elements shall, where applicable, "be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state" (Annex I, Part I, Point 2b).

What "Secure by Default" Means

For your app, game, or software component:

  1. Safest Settings Pre-Configured: When a user first installs or runs your software, the default settings should be those that offer the highest level of security without unduly hindering usability for the intended purpose. Users should not have to be security experts to make your product safe.
  2. Minimize Attack Surface by Default: Default configurations should limit exposure. For example, unnecessary features or ports that could increase risk should be off by default.
  3. Avoid Weak Defaults: Don't ship with default admin passwords like "admin" or "password". If credentials are needed, prompt for secure creation.

Tailor-Made Exception

The requirement allows for an exception if you have a specific agreement with a business user for a tailor-made product. This is less likely to apply to mass-market games or apps sold directly to consumers but could be relevant for custom software components developed for a specific business client.

Reset to Original State

Your software should also offer a way for users to reset it to its original (secure by default) configuration. This helps if settings are inadvertently changed to an insecure state.
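The following Python module is an added example and is not code from the CRA text or from this site. It shows one way the three points above (safest settings pre-configured, minimal attack surface, no weak credentials) and the reset requirement can be realised in a small application configuration layer, and it includes an audit function that flags the weak settings a legacy configuration might carry. The application, the setting names (`admin_password`, `remote_admin_enabled`, `listen_address`, `telemetry_enabled`, `tls_min_version`), the weak-password list, the 12-character minimum and the `LEGACY_SETTINGS` sample are all assumptions made for illustration.

```python
"""Secure-by-default configuration layer for a hypothetical network-enabled app.

Added example, not code from the CRA or from this page. All setting names,
the weak-password list and the length threshold are assumptions.
"""
from copy import deepcopy

# Shipped defaults: every security-relevant option starts in its safest state.
# (constructed values for illustration)
SECURE_DEFAULTS = {
    "admin_password": None,          # no built-in credential; user must create one
    "remote_admin_enabled": False,   # optional feature is off until enabled on purpose
    "listen_address": "127.0.0.1",   # loopback only; never all interfaces by default
    "telemetry_enabled": False,      # opt-in, not opt-out
    "tls_min_version": "1.2",
}

# Well-known default credentials that must never be accepted (assumed list).
WEAK_PASSWORDS = {"admin", "password", "123456", "changeme", "root", ""}
MIN_PASSWORD_LENGTH = 12  # assumed policy value
LOOPBACK = ("127.0.0.1", "::1")


class ConfigError(ValueError):
    """Raised when a change would move the product into an insecure state."""


class AppConfig:
    """Runtime settings that start from SECURE_DEFAULTS and can be reset to them."""

    def __init__(self) -> None:
        self._values = deepcopy(SECURE_DEFAULTS)

    def get(self, key: str):
        return self._values[key]

    def set_admin_password(self, password: str) -> None:
        # Reject empty, well-known or short credentials instead of shipping one.
        if (not password or password.lower() in WEAK_PASSWORDS
                or len(password) < MIN_PASSWORD_LENGTH):
            raise ConfigError("admin password is missing, well-known or too short")
        self._values["admin_password"] = password

    def enable_remote_admin(self, listen_address: str = "127.0.0.1") -> None:
        # Exposing the admin interface requires a real credential to exist first.
        if self._values["admin_password"] is None:
            raise ConfigError("set an admin password before enabling remote administration")
        self._values["remote_admin_enabled"] = True
        self._values["listen_address"] = listen_address

    def deviations(self) -> dict:
        """Settings that differ from the secure defaults; useful for documenting
        the security implications of each change the user makes."""
        return {k: v for k, v in self._values.items() if v != SECURE_DEFAULTS[k]}

    def is_secure_default(self) -> bool:
        return not self.deviations()

    def reset_to_defaults(self) -> None:
        """The 'reset to original state' the requirement asks for."""
        self._values = deepcopy(SECURE_DEFAULTS)


def audit_settings(settings: dict) -> list:
    """Flag weak or exposed settings in a loaded configuration dictionary."""
    findings = []
    password = settings.get("admin_password")
    if password is not None and str(password).lower() in WEAK_PASSWORDS:
        findings.append("admin_password: well-known default credential")
    if settings.get("remote_admin_enabled"):
        if password is None:
            findings.append("remote_admin_enabled: no admin credential set")
        if settings.get("listen_address") not in LOOPBACK:
            findings.append("listen_address: admin interface exposed beyond loopback")
    tls = tuple(int(p) for p in str(settings.get("tls_min_version", "1.2")).split("."))
    if tls < (1, 2):
        findings.append("tls_min_version: below TLS 1.2")
    return findings


# Constructed example of a legacy configuration that would fail the requirement.
LEGACY_SETTINGS = {
    "admin_password": "admin",
    "remote_admin_enabled": True,
    "listen_address": "0.0.0.0",
    "telemetry_enabled": True,
    "tls_min_version": "1.0",
}

if __name__ == "__main__":
    for finding in audit_settings(LEGACY_SETTINGS):
        print("FINDING:", finding)
    cfg = AppConfig()
    cfg.set_admin_password("correct horse battery staple")
    cfg.enable_remote_admin("0.0.0.0")
    print("changed from defaults:", cfg.deviations())
    cfg.reset_to_defaults()
    print("back to secure defaults:", cfg.is_secure_default())
```

The design choice worth noting is that the insecure states are unreachable by accident: the product ships with no credential rather than a placeholder one, a well-known password is refused at the point of entry, and the network-exposed feature cannot be switched on before a credential exists. `deviations()` gives the documentation or settings UI a list of exactly what the user has changed, which is the place to explain the security implications the "Practical Steps" above ask for, and `reset_to_defaults()` restores the shipped state in one call.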

Practical Steps

  • Review all default settings in your software.
  • Prioritize security in these defaults.
  • Clearly document how users can change settings if they need to, but explain the security implications.

Key Takeaway

Annex I, Part I, Point 2b of the CRA mandates that your software ships with secure settings enabled by default. Users shouldn't have to hunt for security options; your product should protect them from the start, with an option to reset to this secure state.