Annex I, Part I, Req 2d: Protection From Unauthorised Access in Software

Controlling who gets into your software and what they can do is fundamental to security. The EU Cyber Resilience Act (CRA) mandates that products with digital elements shall, where applicable, "ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access" (Annex I, Part I, Point 2d).

What This Means for Your Software

For your app, game, or software component, you need to implement:

  1. Authentication: Verifying the identity of users or systems trying to access your software or its features. This could involve:
    • Username and strong password combinations.
    • Multi-factor authentication (MFA).
    • Biometric authentication.
    • API key authentication for system-to-system communication.
  2. Identity Management: Managing user identities and their attributes securely throughout their lifecycle.
  3. Access Management (Authorization): Once authenticated, determining what a user or system is allowed to do. This involves:
    • Implementing the principle of least privilege (granting only necessary permissions).
    • Role-based access control (RBAC) or similar mechanisms.
    • Regularly reviewing access rights.

"Appropriate Control Mechanisms"

The term "appropriate" links back to your risk assessment (Article 13, Paragraph 2). The robustness of your access controls should be proportionate to the sensitivity of the data or functions being protected. An app controlling smart home security devices would need stronger access controls than a simple offline game.

Reporting Unauthorized Access

The requirement also mentions the capability to "report on possible unauthorised access." This implies some form of logging or monitoring of access attempts, particularly failed or suspicious ones, which could then be reported to the user or system administrator as appropriate.
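The access-management and reporting points above, as an added example that is not part of the original page: a role-based authorization check with minimal per-role permissions (least privilege) that records every denied request and raises a report once a principal has been refused repeatedly. The role names, permissions, threshold and sample requests are constructed for illustration, not taken from the CRA.

```python
"""Added example: RBAC gate with least-privilege roles and reporting of
possible unauthorised access. Roles, permissions, threshold and the sample
request log below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field

# Role -> permissions; each role gets only what it needs (least privilege).
ROLE_PERMISSIONS = {
    "viewer": {"device:read"},
    "operator": {"device:read", "device:control"},
    "admin": {"device:read", "device:control", "user:manage"},
}
REPORT_THRESHOLD = 3  # denials per principal before a report is raised


@dataclass
class AccessMonitor:
    """Counts denials per principal and emits reports for repeated refusals."""
    denials: dict = field(default_factory=lambda: defaultdict(int))
    alerts: list = field(default_factory=list)

    def record_denial(self, principal, permission):
        self.denials[principal] += 1
        if self.denials[principal] == REPORT_THRESHOLD:
            self.alerts.append(
                f"possible unauthorised access by {principal} (last: {permission})")


def authorize(principal, roles, permission, monitor):
    """Return True if any of the principal's roles grants `permission`.
    Every denial is recorded so repeated attempts can be reported."""
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
    if permission in granted:
        return True
    monitor.record_denial(principal, permission)
    return False


# Constructed sample of requests: (principal, roles, requested permission).
SAMPLE_REQUESTS = [
    ("alice", ["operator"], "device:control"),
    ("bob", ["viewer"], "device:control"),
    ("bob", ["viewer"], "user:manage"),
    ("bob", ["viewer"], "device:control"),
    ("carol", [], "device:read"),  # no roles: unknown or unauthenticated
]


def run_sample():
    """Evaluate the sample requests; returns (decisions, monitor)."""
    monitor = AccessMonitor()
    decisions = [authorize(p, r, perm, monitor) for p, r, perm in SAMPLE_REQUESTS]
    return decisions, monitor
```

Running `run_sample()` denies all of bob's three requests and produces one report for him, while alice's in-role request is granted.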

Key Takeaway

Under Annex I, Part I, Point 2d of the CRA, your software must have effective mechanisms (like authentication and authorization systems) to prevent unauthorized access. The strength of these controls should match the risk, and your software should be able to report suspicious access attempts.