Desktop Applications and CRA Specifics
Desktop applications, whether for Windows, macOS, or Linux, are prime examples of "products with digital elements" under the EU Cyber Resilience Act (CRA). If you develop and distribute desktop software in the EU, the CRA applies to you.
Desktop Apps as PDEs
The CRA defines a "product with digital elements" (PDE) broadly to include software that has a direct or indirect logical or physical data connection to a device or network (Article 3, Point 1). Most desktop apps fit this:
- They run on internet-connected computers.
- They often check for updates online.
- They might connect to cloud services, use APIs, or have features requiring network access.
- Even standalone offline apps are covered if they are software placed on the market, because they are "software products". Connectivity is what brings most apps into scope, but the core definition covers software products broadly.
Key CRA Requirements for Desktop Apps
- Secure Design and Development (Annex I, Part I):
- Ensure your app is "made available on the market without known exploitable vulnerabilities" (Point 2a).
- Implement secure by default configurations (Point 2b).
- Protect against unauthorized access, and ensure the confidentiality and integrity of data processed or stored by the app (Points 2d, 2e, 2f). This is vital for apps handling sensitive user information.
- Vulnerability Handling (Annex I, Part II):
- Establish processes to identify, document, and remediate vulnerabilities throughout the app's support period (Points 1, 2).
- Provide secure mechanisms for distributing updates (e.g., a built-in updater that verifies update integrity, or secure downloads from your website) (Point 7).
- Security updates should be free and timely (Point 8).
- Technical Documentation (Annex VII):
- Maintain detailed technical documentation, including your cybersecurity risk assessment and how your app meets the essential requirements.
- User Information (Annex II):
- Provide users with information on secure installation, operation, updates, your vulnerability disclosure policy, and the support period end date.
Update Mechanisms
For desktop apps, the mechanism for delivering updates is critical. Ensure it's secure so that attackers cannot substitute malicious updates for genuine ones. Consider code signing for your application and its installers/updaters.
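The following is an added illustration, not code from the original article or from any particular vendor, of what "a built-in updater that verifies update integrity" can look like in practice: the updater checks a vendor signature over a release manifest, refuses older versions, and only installs a payload whose digest matches the signed manifest. The Ed25519 key, manifest format and sample payload are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)
// Manifest describes one release. The vendor signs the exact manifest bytes
// offline; only the public key ships inside the installed application.
type Manifest struct {
	Version int    `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the update payload
}
// Verify gates installation on three checks: the signature over the raw manifest
// bytes validates under the pinned key, the version is newer than the installed
// one (anti-rollback), and the payload hashes to the digest in the signed manifest.
func Verify(pub ed25519.PublicKey, manifest, sig, payload []byte, installed int) (*Manifest, error) {
	if !ed25519.Verify(pub, manifest, sig) {
		return nil, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(manifest, &m); err != nil {
		return nil, err
	}
	if m.Version <= installed {
		return nil, fmt.Errorf("refusing downgrade or replay: version %d <= installed %d", m.Version, installed)
	}
	if sum := sha256.Sum256(payload); hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, errors.New("payload digest does not match signed manifest")
	}
	return &m, nil
}

func main() {
	// Constructed demo: a fresh vendor key pair and one signed manifest for version 2.
	pub, priv, _ := ed25519.GenerateKey(nil)
	payload := []byte("constructed update payload")
	sum := sha256.Sum256(payload)
	manifest, _ := json.Marshal(Manifest{Version: 2, SHA256: hex.EncodeToString(sum[:])})
	sig := ed25519.Sign(priv, manifest)
	_, err := Verify(pub, manifest, sig, payload, 1)
	fmt.Println("genuine update:", err)
	_, err = Verify(pub, manifest, sig, []byte("tampered"), 1)
	fmt.Println("tampered payload:", err)
	_, err = Verify(pub, manifest, sig, payload, 2)
	fmt.Println("replayed old version:", err)
}
```

In a real updater the manifest and payload would be fetched over TLS, but the signature check is what protects against a compromised download host or mirror, so it must not be skipped when TLS is present.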
Key Takeaway
Desktop applications are squarely in the CRA's scope. Developers must ensure secure coding, robust vulnerability management with secure update mechanisms, comprehensive technical documentation, and clear communication of security information to users throughout the defined support period.