📄️ Navigating Annex I of the CRA: Structure and Importance for Software
Annex I of the EU Cyber Resilience Act (CRA) is your primary technical guide. It lays out the "Essential Cybersecurity Requirements" that your software products must meet. Think of it as the rulebook for building and maintaining secure software for the EU market.
📄️ Annex I, Part I, Req 1: Appropriate Level of Cybersecurity for Software
The very first essential requirement in Annex I, Part I of the EU Cyber Resilience Act (CRA) sets a foundational principle: "Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks" (Annex I, Part I, Point 1).
📄️ Annex I, Part I, Req 2a: No Known Exploitable Vulnerabilities in Software
When you release your software, app, or game to the EU market, it must not ship with known exploitable vulnerabilities. The EU Cyber Resilience Act (CRA) states that, based on your risk assessment and where applicable, products with digital elements shall "be made available on the market without known exploitable vulnerabilities" (Annex I, Part I, Point 2a).
📄️ Annex I, Part I, Req 2b: Secure by Default Configuration for Software
The EU Cyber Resilience Act (CRA) wants your software to be secure right out of the box. That's the essence of the requirement: products with digital elements shall, where applicable, "be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state" (Annex I, Part I, Point 2b).
📄️ Annex I, Part I, Req 2c: Software Security Updates (and Automatic Updates)
Keeping software secure is an ongoing job, and the EU Cyber Resilience Act (CRA) emphasizes how vulnerabilities must be addressed. A key product property is that it must "ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them" (Annex I, Part I, Point 2c).
📄️ Annex I, Part I, Req 2d: Protection From Unauthorised Access in Software
Controlling who gets into your software and what they can do is fundamental to security. The EU Cyber Resilience Act (CRA) mandates that products with digital elements shall, where applicable, "ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access" (Annex I, Part I, Point 2d).
📄️ Annex I, Part I, Req 2e: Confidentiality of Data in Software (Encryption)
Protecting the secrecy of data your software handles is a major requirement of the EU Cyber Resilience Act (CRA). It states that products with digital elements shall, where applicable, "protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means" (Annex I, Part I, Point 2e).
📄️ Annex I, Part I, Req 2f: Integrity of Data and Code in Software
Ensuring that the data and the code within your software are trustworthy and haven't been improperly altered is a core requirement of the EU Cyber Resilience Act (CRA). It specifies that products with digital elements shall, where applicable, "protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions" (Annex I, Part I, Point 2f).
📄️ Annex I, Part I, Req 2g: Data Minimisation in Software Functionality
The EU Cyber Resilience Act (CRA) brings the principle of data minimization into the realm of product security. It requires that products with digital elements shall, where applicable, "process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation)" (Annex I, Part I, Point 2g).
📄️ Annex I, Part I, Req 2h: Availability of Essential Software Functions
Your software needs to be dependable, especially its core features. The EU Cyber Resilience Act (CRA) requires that products with digital elements shall, where applicable, "protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks" (Annex I, Part I, Point 2h).
📄️ Annex I, Part I, Req 2i: Minimising Negative Impact on Other Devices/Networks
Your software doesn't exist in a vacuum; it runs on devices and interacts with networks shared by other software and hardware. The EU Cyber Resilience Act (CRA) requires that your product with digital elements shall, where applicable, "minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks" (Annex I, Part I, Point 2i).
📄️ Annex I, Part I, Req 2j: Limiting Software Attack Surfaces
The more ways there are to interact with your software, the more opportunities there are for attackers. The EU Cyber Resilience Act (CRA) addresses this by requiring that products with digital elements shall, where applicable, "be designed, developed and produced to limit attack surfaces, including external interfaces" (Annex I, Part I, Point 2j).
📄️ Annex I, Part I, Req 2k: Reducing Impact of Incidents (Exploitation Mitigation)
Even with the best defenses, security incidents can happen. The EU Cyber Resilience Act (CRA) requires your software to be prepared. Products with digital elements shall, where applicable, "be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques" (Annex I, Part I, Point 2k).
📄️ Annex I, Part I, Req 2l: Security-Related Information Logging in Software
Understanding what happened after a security event, or detecting suspicious activity, often relies on good logs. The EU Cyber Resilience Act (CRA) states that products with digital elements shall, where applicable, "provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user" (Annex I, Part I, Point 2l).
📄️ Annex I, Part I, Req 2m: Secure Data Removal From Software
When it's time to get rid of data, or decommission your software, it needs to be done securely. The EU Cyber Resilience Act (CRA) requires that products with digital elements shall, where applicable, "provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner" (Annex I, Part I, Point 2m).
📄️ Annex I, Part II Overview: Vulnerability Handling Requirements for Software Manufacturers
Part II of Annex I in the EU Cyber Resilience Act (CRA) shifts focus from the security properties of your software at release to your ongoing responsibilities as a manufacturer. It details the "Vulnerability Handling Requirements" you must implement throughout your software's support period. This is a significant aspect of the CRA, emphasizing that security is a continuous process.
📄️ Annex I, Part II, Req 1: Identifying & Documenting Software Vulnerabilities & Components (SBOM)
A core part of ongoing security under the EU Cyber Resilience Act (CRA) is knowing what's in your software and tracking its weaknesses. Annex I, Part II, Point 1 requires manufacturers of products with digital elements to "identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products".
📄️ Annex I, Part II, Req 2: Addressing & Remediating Software Vulnerabilities Promptly
Finding vulnerabilities is one thing; fixing them is another. The EU Cyber Resilience Act (CRA) is clear on this: manufacturers must, "in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates" (Annex I, Part II, Point 2).
📄️ Annex I, Part II, Req 3: Effective and Regular Software Security Testing
You can't fix what you don't know is broken. The EU Cyber Resilience Act (CRA) mandates proactive security validation: manufacturers shall "apply effective and regular tests and reviews of the security of the product with digital elements" (Annex I, Part II, Point 3).
📄️ Annex I, Part II, Req 4: Publicly Disclosing Fixed Software Vulnerabilities
Transparency is a key theme in the EU Cyber Resilience Act (CRA). Once you've fixed a security vulnerability in your software, you need to tell people about it. Annex I, Part II, Point 4 requires manufacturers to, "once a security update has been made available, share and publicly disclose information about fixed vulnerabilities...".
📄️ Annex I, Part II, Req 5: Coordinated Software Vulnerability Disclosure Policy
The EU Cyber Resilience Act (CRA) wants to ensure there's a clear, responsible way for security vulnerabilities in your software to be reported and handled. That's why Annex I, Part II, Point 5 mandates that manufacturers "put in place and enforce a policy on coordinated vulnerability disclosure (CVD)".
📄️ Software Bill of Materials (SBOM) for Your Codebase and Libraries (CRA Annex I, Part II, Req 1)
Knowing the ingredients of your software is fundamental to its security. The EU Cyber Resilience Act (CRA) makes this a formal requirement. Annex I, Part II, Point 1 states that manufacturers must "identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials (SBOM)...".
📄️ Annex I, Part II, Req 6: Facilitating Sharing of Potential Software Vulnerability Info
Security is a shared responsibility, and the EU Cyber Resilience Act (CRA) encourages communication about potential weaknesses. Annex I, Part II, Point 6 requires manufacturers to "take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements".
📄️ Annex I, Part II, Req 7: Secure Distribution of Software Updates
Delivering security updates to your users is critical, but the delivery mechanism itself must be secure. The EU Cyber Resilience Act (CRA) mandates that manufacturers "provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner" (Annex I, Part II, Point 7).
📄️ Annex I, Part II, Req 8: Free and Timely Software Security Updates with Advisories
Security is not a premium feature under the EU Cyber Resilience Act (CRA). When security updates are needed for your software, they must be accessible. Annex I, Part II, Point 8 requires manufacturers to "ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages...".