
The Ripple Effect: How Software Changes Impact Data Security

Software evolves. Updates, new features, or even reconfigurations by the user can change how your software interacts with data, potentially affecting its security. The Cyber Resilience Act requires you to inform users about this (Annex II, point 8b).

Explaining the Impact

For your software products, you need to provide information on:

  • How Changes Can Affect Data Security:
    • If a user installs an update, how might it alter existing data security settings or introduce new ones?
    • If your app allows users to connect new services or enable new features, what are the data security implications? For example, enabling cloud sync might mean data is stored off-device, and adding a social sharing feature means data could be shared more broadly.
    • How do user-configurable settings, if changed, impact data protection?

Clarity is Crucial

The goal is to help users understand that modifications – whether initiated by you (updates) or by them (configuration changes, plugin installations) – aren't just about new bells and whistles. These changes can have real consequences for the confidentiality, integrity, and availability of their data.

For example, if a game update introduces a new online feature that shares gameplay data, users should be informed. If a productivity app update changes how local files are encrypted, that's vital information.

Key Takeaway

Educate your users on how modifications to your software – whether updates from you or changes they make – can influence the security of their data. This transparency is required by Annex II, point 8b.