Annex I, Part I, Req 2h: Availability of Essential Software Functions
Your software needs to be dependable, especially its core features. The EU Cyber Resilience Act (CRA) requires that products with digital elements shall, where applicable, "protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks" (Annex I, Part I, Point 2h).
What is Availability in This Context?
Availability means that the "essential and basic functions" of your software are accessible and usable when needed by an authorized user.
- Essential Functions: These are the core functionalities that your app or game is designed to provide. For a messaging app, sending/receiving messages is essential. For a game, core gameplay mechanics are essential.
- Basic Functions: The CRA does not define this term precisely; read it as the fundamental operations the product needs in order to run at all or to be administered securely, such as starting up, authenticating a user, and receiving security updates.
Protection After an Incident
The requirement stresses that availability should be protected "also after an incident." This implies:
- Resilience: Your software should be designed to withstand partial failures or attacks without losing its essential functions entirely. In practice this means graceful degradation: shed or disable non-essential features (rich previews, presence indicators, analytics) under load or during an outage so that the core service stays online.
- Recovery: If an incident does disrupt availability, your software and its supporting infrastructure should make it possible to return to a normal operational state in a defined, tested way, for example by restarting from a known-good state or restoring from backups, rather than relying on ad-hoc repair.
Mitigation Against Denial-of-Service (DoS) Attacks
The CRA specifically calls out the need for measures against DoS attacks. If your app or game relies on online servers you manage:
- Implement DoS/DDoS mitigation techniques (e.g., per-client rate limiting, request and connection timeouts, traffic scrubbing services, and infrastructure with capacity headroom).
- Design your client software to handle temporary server unavailability gracefully: retry with exponential backoff and jitter rather than immediately, so that a fleet of clients reconnecting at once does not turn an outage into a self-inflicted retry storm, and keep whatever can work offline working.
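The following is an added example illustrating both the resilience point above (graceful degradation) and the two DoS items in this list; it is not text from the CRA or code from any product. It shows a server-side per-client token-bucket rate limiter and a client-side send routine that retries with full-jitter exponential backoff and falls back to a local outbox when the server stays unavailable. The class and function names, the limits, and the in-memory "transport" are assumptions chosen for illustration.

```python
# Added example (not from the CRA or any product): a per-client token-bucket
# rate limiter (server side) and a client send routine with exponential
# backoff plus jitter that degrades to a local outbox instead of failing.
# All names, limits and the fake transport below are assumptions.
import random
import time


class RateLimiter:
    """Token bucket per client id. The clock is injectable so the refill
    logic can be exercised without real sleeps."""

    def __init__(self, capacity, refill_per_sec, clock=time.monotonic):
        self.capacity = float(capacity)          # burst size
        self.refill_per_sec = float(refill_per_sec)  # sustained rate
        self.clock = clock
        # client_id -> [tokens, timestamp of last refill]
        self.buckets = {}

    def allow(self, client_id):
        """Return True if the request may proceed, False if it should be
        rejected (e.g. with HTTP 429) because the client exceeded its budget."""
        now = self.clock()
        bucket = self.buckets.setdefault(client_id, [self.capacity, now])
        tokens, last = bucket
        # Refill in proportion to elapsed time, never beyond the burst capacity.
        tokens = min(self.capacity, tokens + (now - last) * self.refill_per_sec)
        if tokens >= 1.0:
            bucket[:] = [tokens - 1.0, now]
            return True
        bucket[:] = [tokens, now]
        return False


class Unavailable(Exception):
    """Raised by the transport when the server cannot be reached or answers 5xx/429."""


def send_with_fallback(send, message, outbox, attempts=4, base=0.1, cap=5.0,
                       sleep=time.sleep, rng=random.random):
    """Try to deliver `message` via `send`. On Unavailable, wait a full-jitter
    exponential backoff, U(0, min(cap, base * 2**i)), and retry, so many
    clients do not re-synchronise into a retry storm. If every attempt fails,
    park the message in `outbox` (graceful degradation) and report that
    instead of failing the essential function outright."""
    for i in range(attempts):
        try:
            send(message)
            return {"status": "sent", "attempts": i + 1}
        except Unavailable:
            if i == attempts - 1:
                break
            delay = rng() * min(cap, base * (2 ** i))
            sleep(delay)
    outbox.append(message)
    return {"status": "queued", "attempts": attempts}


if __name__ == "__main__":
    # Constructed demo: a bursty client hits the limiter, then a flaky server.
    limiter = RateLimiter(capacity=3, refill_per_sec=1.0)
    print([limiter.allow("client-A") for _ in range(5)])  # 3 allowed, then rejected

    state = {"calls": 0}

    def flaky_send(msg):
        state["calls"] += 1
        if state["calls"] < 3:  # first two calls fail, third succeeds
            raise Unavailable()

    def down_send(msg):
        raise Unavailable()

    outbox = []
    print(send_with_fallback(flaky_send, "hello", outbox, sleep=lambda d: None))
    print(send_with_fallback(down_send, "later", outbox, sleep=lambda d: None))
    print(outbox)  # the undeliverable message is kept for later, not lost
```

The limiter decides per request and is deliberately tiny; in a real deployment it would sit in front of the expensive path (authentication, database writes) and be backed by shared storage if there are several server instances. The client routine treats "cannot reach the server" as an expected state: it backs off, bounds the number of attempts, and keeps the user's message rather than surfacing a hard failure.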
Risk-Based Approach
The extent of these measures will depend on your cybersecurity risk assessment (Article 13, Paragraph 2). A critical business application will have higher availability requirements than a simple offline game. Note, however, that denial of service is not only a network concern: even an offline product should not be rendered unusable by malformed input such as a corrupt save file or configuration, so robust input handling is part of protecting availability.
Key Takeaway
Under Annex I, Part I, Point 2h of the CRA, your software must be designed to protect the availability of its essential functions, especially in the face of incidents like DoS attacks. This means building in resilience and having recovery capabilities.