
Annex I, Part I, Req 2e: Confidentiality of Data in Software (Encryption)

Protecting the secrecy of data your software handles is a major requirement of the EU Cyber Resilience Act (CRA). It states that products with digital elements shall, where applicable, "protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means" (Annex I, Part I, Point 2e).

Data Confidentiality Explained

This means ensuring that data is not made available or disclosed to unauthorized individuals, entities, or processes.

  1. Data in Transit: When your app or game sends or receives data over a network (e.g., to your backend server, third-party APIs), this data must be encrypted. HTTPS (TLS) is the standard for this.
  2. Data at Rest: When your software stores data, whether locally on a user's device (e.g., in a local database, configuration files) or on servers you control, "relevant" data should be encrypted. "Relevant" data typically includes sensitive personal data, credentials, financial information, or any other data deemed sensitive by your risk assessment.
  3. State-of-the-Art Mechanisms: This implies using current, strong encryption algorithms and protocols, and secure key management practices. Avoid outdated or known weak cryptographic methods.

"Other Technical Means"

Beyond encryption, other technical means could include:

  • Data masking or pseudonymization where appropriate.
  • Secure data handling practices in your code to prevent accidental leakage.
  • Proper access controls to ensure only authorized parts of your software can access specific data.

Risk-Based Application

The terms "where applicable" and "relevant data" mean that you apply this requirement based on your cybersecurity risk assessment (Article 13, Paragraph 2). Data whose exposure would lead to significant harm or a breach of privacy requires stronger confidentiality measures.

Key Takeaway

Annex I, Part I, Point 2e of the CRA mandates that your software protects data confidentiality. This primarily involves using state-of-the-art encryption for sensitive data both when it's being transmitted over networks and when it's stored, supplemented by other appropriate technical measures, all guided by your risk assessment.