Annex I, Part I, Req 1: Appropriate Level of Cybersecurity for Software
The very first essential requirement in Annex I, Part I of the EU Cyber Resilience Act (CRA) sets a foundational principle: "Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks" (Annex I, Part I, Point 1).
What "Appropriate Level" Means
This is not a one-size-fits-all standard. The "appropriate level" of cybersecurity for your software (game, app, component) depends on several factors:
- The Risks Identified: Your cybersecurity risk assessment, mandated by Article 13, Paragraph 2, is key here. You must analyze the specific cybersecurity risks associated with your software's intended purpose, foreseeable use, and operational environment.
- Intended Purpose & Functionality: An app handling sensitive financial data will inherently require a higher level of security than a simple offline utility game.
- Potential Impact: Consider the potential harm if a vulnerability in your software is exploited.
Design, Development, and Production
This requirement covers the entire pre-market lifecycle:
- Secure Design: Integrating security considerations from the very beginning of the development process (security by design).
- Secure Development: Using secure coding practices, conducting code reviews, and managing dependencies securely.
- Secure Production: Ensuring that the processes used to build and package your software do not introduce new vulnerabilities.
The CRA expects you to make deliberate choices to minimize cybersecurity risks based on a documented assessment, rather than leaving security to chance.
Key Takeaway
Your software must achieve a level of cybersecurity that is appropriate to the risks it faces and could pose. This is determined by your own risk assessment and must be integrated into your design, development, and production processes as per Annex I, Part I, Point 1.