Skip to main content

Annex I, Part I, Req 2g: Data Minimisation in Software Functionality

The EU Cyber Resilience Act (CRA) brings the principle of data minimization into the realm of product security. It requires that products with digital elements shall, where applicable, "process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation)" (Annex I, Part I, Point 2g).

Data Minimization for Security

While data minimization is a core tenant of GDPR for personal data protection, the CRA frames it from a product security perspective. The logic is simple:

  • Less Data, Less Risk: If your software collects, stores, or processes less data, there's less data to be compromised in a security breach.
  • Reduced Attack Surface: Handling less data can simplify your software's design and reduce the potential points of attack related to data processing.

Practical Steps for App and Game Developers

  1. Review Data Needs: For every piece of data your software handles (collects, stores, transmits, processes):
    • Ask: Is this data absolutely necessary for the app/game to fulfill its stated intended purpose?
    • If it is personal data, you also have GDPR obligations to consider for lawful basis.
  2. Avoid "Just in Case" Collection: Don't collect data just because you might need it in the future. If the need arises, you can always ask for it then, with proper justification.
  3. Limit Scope: If you only need aggregated or anonymized data for a feature, don't collect identifiable data.
  4. Timely Deletion: Don't keep data longer than necessary for the intended purpose.

The requirement explicitly links data minimization to the "intended purpose of the product". This intended purpose should be clearly defined in your user information (Annex II, Item 4) and technical documentation (Annex VII). If a data processing activity isn't directly supporting that core purpose, scrutinize its necessity.

Key Takeway

Annex I, Part I, Point 2g of the CRA mandates that your software processes only the data that is strictly necessary for its defined intended purpose. This security-focused data minimization reduces risk and potential impact from breaches.