
CRA Essential Cybersecurity Requirements: An Annex I Overview for Developers

The CRA sets out its 'Essential Cybersecurity Requirements' in Annex I. This is the rulebook your software, app, or game (a 'product with digital elements', in the regulation's terms) must follow before it can be made available on the EU market (Article 6 of the CRA legal text). Annex I is divided into two main parts:

Part I: Product Properties

This part focuses on the security characteristics of your software itself. Think of it as what your product must be. Key aspects include:

  • Security by Design and Default: Designing, developing and producing the product so that it provides a level of cybersecurity appropriate to its risks, and shipping it with a secure-by-default configuration (Annex I, Part I, points (1) and (2)(b) of the CRA legal text).
  • No Known Exploitable Vulnerabilities: Your product must be made available on the market without known exploitable vulnerabilities (Annex I, Part I, point (2)(a) of the CRA legal text).
  • Data Protection: Protecting the confidentiality and integrity of stored, transmitted or otherwise processed data, for example by encrypting data at rest and in transit with state-of-the-art mechanisms (Annex I, Part I, points (2)(e) and (2)(f) of the CRA legal text).
  • Access Control: Protecting against unauthorized access through appropriate control mechanisms such as authentication and identity or access management, and reporting possible unauthorized access (Annex I, Part I, point (2)(d) of the CRA legal text).
  • Limiting Attack Surfaces: Minimizing the ways attackers can reach your software, including its external interfaces (Annex I, Part I, point (2)(j) of the CRA legal text).

Part II: Vulnerability Handling

This part is about the processes you must keep running after your product is launched, for as long as it is supported. Think of it as what you must do. Key aspects include:

  • Identifying & Documenting Vulnerabilities: Identifying and documenting the vulnerabilities and components in your product, including a Software Bill of Materials (SBOM) in a commonly used, machine-readable format that covers at least the top-level dependencies (Annex I, Part II, point (1) of the CRA legal text).
  • Addressing Vulnerabilities: Remediating them without delay by providing security updates, delivered separately from functionality updates where technically feasible (Annex I, Part II, point (2) of the CRA legal text).
  • Regular Testing: Applying effective and regular tests and reviews of your product's security (Annex I, Part II, point (3) of the CRA legal text).
  • Information Sharing: Publicly disclosing information about fixed vulnerabilities once a security update is available, and putting in place and enforcing a coordinated vulnerability disclosure policy (Annex I, Part II, points (4) and (5) of the CRA legal text).

These are just the highlights. Part II also requires a contact address for reporting vulnerabilities, a secure mechanism for distributing updates, and security updates that are disseminated without delay and, unless otherwise agreed, free of charge (Annex I, Part II, points (6) to (8) of the CRA legal text). Annex I itself is your detailed guide to CRA compliance.

Key Takeaway

Annex I of the CRA is your master checklist, dictating both the security features your software must have at launch and the processes you must maintain for handling vulnerabilities throughout its life.