Communicating Security Info to App Users: Annex II for Apps
The EU Cyber Resilience Act (CRA) places a strong emphasis on transparency. As an app developer (the "manufacturer" in CRA terms), you're required to provide users with specific security-related information and instructions. Annex II of the CRA lists what this must include.
Key Information Your App Users Need (Based on Annex II)
This information helps users understand your app's security posture and how to use it safely.
- Your Details (Item 1): Name, registered trade name or trademark, postal address, email address or other digital contact, and (where available) your website. Users must be able to identify and reach who is behind the app.
- Vulnerability Reporting Contact (Item 2): A single point of contact where vulnerabilities in the app can be reported and where reporters receive information back, together with where your coordinated vulnerability disclosure policy can be found.
- App Identification (Item 3): App name and type, plus any additional information that uniquely identifies the product (e.g., version and package or bundle identifier).
- Intended Purpose & Security Features (Item 4): Clearly state what the app does, its essential functionalities, the security environment you provide, and its main security properties (e.g., "secure messaging app with end-to-end encryption," "photo editing app that processes images locally").
- Foreseeable Cybersecurity Risks (Item 5): Any known or foreseeable circumstance, under intended use or reasonably foreseeable misuse, that may lead to significant cybersecurity risks (e.g., "using this app on a jailbroken or rooted device may expose your data").
- Declaration of Conformity Access (Item 6): Where applicable, the internet address for your app's EU Declaration of Conformity.
- Security Support & Support Period End Date (Item 7): What technical security support you offer (e.g., security updates) and, critically, the end date of the support period during which users can expect vulnerabilities to be handled. Article 13, Paragraph 19 requires that date to be stated with at least the month and year and to be easily accessible at the time of purchase; under Article 13, Paragraph 8 the support period must be at least five years unless the app is expected to be in use for a shorter time.
- Secure Use Instructions (Item 8), provided in detail or via a link to detailed instructions on:
- Necessary measures for secure installation and ongoing use throughout the app's lifetime (8a).
- How changes to the app can affect the security of user data (8b).
- How security-relevant updates can be installed (8c).
- Securely decommissioning the app, including how user data can be securely removed (8d).
- How to turn off the default setting that installs security updates automatically, which Annex I, Part I, Point 2(c) requires to be enabled by default (where applicable) with a clear and easy-to-use opt-out (8e).
- Where the product is intended to be integrated into other products (e.g., an SDK or library), the information an integrator needs to meet the essential requirements and documentation duties in Annex VII (8f).
- Software Bill of Materials (SBOM) Access (Item 9): Providing the SBOM to users is optional, but if you choose to make it available, you must state where it can be accessed.
How to Provide This Information
For apps, this information can be provided in electronic form:
- Within the app itself (e.g., in an "About" or "Security" section).
- On the app's store listing page.
- On your official support website, linked from the app or store page.
Whichever channel you use, Article 13, Paragraph 18 requires the information to be clear, understandable, intelligible and legible, and in a language users and market surveillance authorities can easily understand. It must remain available for at least 10 years after the app is placed on the market or for the support period, whichever is longer, so a support URL published for this purpose must not go dead when the app is retired.
Key Takeaway
App developers must provide users with essential security information as specified in CRA Annex II. This includes manufacturer contacts, vulnerability reporting channels, the app's security features, known risks, the crucial support period end date, and guidance on secure usage and updates.