Databases and Data Storage for Apps: CRA Security Focus

Apps frequently need to store data, whether it's user preferences locally, or extensive user data in a backend database. The EU Cyber Resilience Act (CRA) emphasizes the security of this data storage as part of your app's overall cybersecurity posture.

Essential Security for Stored Data

Your app, as a "product with digital elements," must adhere to essential cybersecurity requirements related to data. Key among these for databases and data storage are:

  • Confidentiality of Stored Data: You must protect the confidentiality of data your app stores, be it personal or other sensitive information. This includes "encrypting relevant data at rest or in transit by state of the art mechanisms" (Annex I, Part I, Point 2e). If your app stores data in a local database on a device or in a backend database you manage, encryption at rest is a critical consideration.
  • Integrity of Stored Data: Measures must be in place to protect stored data against unauthorized manipulation or modification (Annex I, Part I, Point 2f). This involves secure database access controls and potentially integrity checks.
  • Protection from Unauthorized Access: Implement "appropriate control mechanisms, including but not limited to authentication, identity or access management systems" to protect data stores (Annex I, Part I, Point 2d). This applies to both local app databases and remote databases.
  • Secure Data Removal: Your app should provide users with the possibility to "securely and easily remove on a permanent basis all data and settings" (Annex I, Part I, Point 2m).
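The three data-related requirements above (confidentiality at rest, integrity against manipulation, and permanent removal) can be met together by one storage design: encrypt each record with an authenticated cipher under a per-user key, bind the ciphertext to its owner and record identifier, and implement "remove all data" as destruction of the user's key plus deletion of the records. The following Go program is an added illustration written for this page; it is not code from the CRA text or from any particular app or database product. `SecureStore`, its in-memory maps, and the user and record identifiers are constructed for the example; in a real deployment the per-user keys would be held in a platform keystore or KMS rather than in process memory, and the ciphertext blobs would sit in the actual database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

var (
	ErrNotFound  = errors.New("record not found or owner's data erased")
	ErrIntegrity = errors.New("record failed integrity check")
)

// SecureStore is a hypothetical encrypted record store used for illustration.
// Keys holds one 256-bit data-encryption key per user (in production: keystore/KMS).
// Records maps userID -> recordID -> nonce || ciphertext || GCM tag (in production: the database).
type SecureStore struct {
	Keys    map[string][]byte
	Records map[string]map[string][]byte
}

func NewSecureStore() *SecureStore {
	return &SecureStore{Keys: map[string][]byte{}, Records: map[string]map[string][]byte{}}
}

// aead returns an AES-256-GCM instance for the user's key, creating the key on first write.
func (s *SecureStore) aead(userID string, create bool) (cipher.AEAD, error) {
	key, ok := s.Keys[userID]
	if !ok {
		if !create {
			return nil, ErrNotFound
		}
		key = make([]byte, 32)
		if _, err := io.ReadFull(rand.Reader, key); err != nil {
			return nil, err
		}
		s.Keys[userID] = key
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts plaintext at rest. The associated data binds the ciphertext to its
// owner and record id, so a blob copied under another id fails verification.
func (s *SecureStore) Put(userID, recordID string, plaintext []byte) error {
	gcm, err := s.aead(userID, true)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	blob := gcm.Seal(nonce, nonce, plaintext, []byte(userID+"/"+recordID))
	if s.Records[userID] == nil {
		s.Records[userID] = map[string][]byte{}
	}
	s.Records[userID][recordID] = blob
	return nil
}

// Get decrypts a record; any modification of the stored bytes is reported as ErrIntegrity.
func (s *SecureStore) Get(userID, recordID string) ([]byte, error) {
	gcm, err := s.aead(userID, false)
	if err != nil {
		return nil, err
	}
	blob, ok := s.Records[userID][recordID]
	if !ok {
		return nil, ErrNotFound
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, ErrIntegrity
	}
	pt, err := gcm.Open(nil, blob[:ns], blob[ns:], []byte(userID+"/"+recordID))
	if err != nil {
		return nil, ErrIntegrity
	}
	return pt, nil
}

// Erase implements permanent removal: the user's key is zeroed and dropped (crypto-shredding),
// so any copy of the ciphertext left in backups is unreadable, and the records are deleted.
// It returns the number of records removed.
func (s *SecureStore) Erase(userID string) int {
	n := len(s.Records[userID])
	if key, ok := s.Keys[userID]; ok {
		for i := range key {
			key[i] = 0
		}
		delete(s.Keys, userID)
	}
	delete(s.Records, userID)
	return n
}

func main() {
	s := NewSecureStore()
	_ = s.Put("alice", "profile", []byte("theme=dark")) // constructed sample data
	pt, _ := s.Get("alice", "profile")
	fmt.Printf("read back: %s\n", pt)
	fmt.Printf("erased %d record(s); read after erase: %v\n", s.Erase("alice"), func() error { _, err := s.Get("alice", "profile"); return err }())
}
```

The GCM authentication tag gives the integrity check the text mentions without a separate hashing scheme, and tying the key lifetime to the user makes "remove on a permanent basis" verifiable: after `Erase`, no remaining copy of the blob can be decrypted even if ordinary deletion has not yet propagated to replicas or backups.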

Backend Databases You Manage

If your app uses a backend database that you design, develop, or manage as part of a "remote data processing solution" essential to your app's function, these CRA requirements apply directly to that database system's security (Article 3, Point 2).

Third-Party Cloud Databases

If you use third-party cloud database services (e.g., Firebase, AWS RDS), your due diligence obligation (Article 13, Paragraph 5) comes into play. You need to:

  • Configure the service securely (access controls, encryption settings provided by the platform).
  • Securely manage credentials for accessing the database.
  • Understand the security responsibilities shared between you and the cloud provider.

Key Takeaway

Under the CRA, how your app stores data—locally or in a backend database you manage—is critical. You must ensure confidentiality (e.g., through encryption at rest), integrity, and protection against unauthorized access. For third-party database services, secure configuration and credential management are vital parts of your due diligence.