Annex I, Part I, Req 2i: Minimising Negative Impact on Other Devices/Networks
Your software doesn't exist in a vacuum; it runs on devices and interacts with networks shared by other software and hardware. The EU Cyber Resilience Act (CRA) requires that your product with digital elements shall, where applicable, "minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks" (Annex I, Part I, Point 2i).
Being a Good Digital Citizen
Essentially, your software should not inadvertently or maliciously disrupt other systems. This means:
- Resource Consumption:
  - Avoid excessive consumption of network bandwidth, processing power, or memory on the user's device that could degrade the performance of other applications or the device itself.
  - This is particularly relevant for background processes or services your software might run.
- Network Behavior:
  - Ensure your software doesn't flood local or wider networks with unnecessary traffic.
  - Avoid behavior that could contribute to network congestion or instability for others.
- Preventing Propagation of Harm:
  - If your software becomes compromised, it should be designed, as much as feasible, to limit its ability to be used as a launchpad for attacks against other devices or networks (e.g., participating in a botnet). This ties into limiting attack surfaces and exploit mitigation.
"Connected Devices"
The mention of "connected devices" implies that if your software interacts with or controls other connected hardware (common in IoT companion apps or software managing networked peripherals), those interactions should also not cause undue negative impacts on the broader network or other services.
Application Based on Risk
The applicability and extent of measures here will be guided by your software's design and its cybersecurity risk assessment (Article 13, Paragraph 2). Software with extensive network interactions or control over other devices warrants more attention to this requirement.
Key Takeaway
Annex I, Part I, Point 2i of the CRA mandates that your software is designed to be a "good neighbor" in the digital ecosystem. It should not excessively consume resources or behave in a way that negatively impacts the availability of services on the user's device or other connected networks.