Skip to main content

Annex I, Part I, Req 2m: Secure Data Removal From Software

When it's time to get rid of data, or decommission your software, it needs to be done securely. The EU Cyber Resilience Act (CRA) requires that products with digital elements shall, where applicable, "provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner" (Annex I, Part I, Point 2m).

Secure and Easy Permanent Removal

  1. User Initiated: The user should be able to trigger the removal of their data and settings.
  2. Securely: This means the data should be unrecoverable through normal means. For software, this might involve:
    • Overwriting data before deletion (for local storage).
    • Using cryptographic erasure (deleting the encryption keys).
    • Ensuring any backend data associated with the user is also properly deleted according to defined retention policies.
  3. Easily: The option should be discoverable and straightforward for the user to operate.
  4. Permanent Basis: The removal should be intended to be permanent, not just hidden or marked for deletion.
  5. All Data and Settings: This is comprehensive, covering user-generated content, personal information, configurations, and any other user-specific data stored by your software.

Secure Data Transfer

If your software allows users to export or transfer their data to another product or system (e.g., exporting user data, migrating to a new service):

  • Secure Manner: The transfer process itself must be secure, likely involving encryption during transit and ensuring the data is delivered to the correct, authorized destination.

You need to inform users how to perform these secure data removal and transfer actions in your user instructions (Annex II, Item 8d).

GDPR Alignment

This requirement strongly aligns with the GDPR's "right to erasure" (Article 17) and "right to data portability" (Article 20), but the CRA frames it as a technical capability the product must offer for security and user control.

Key Takeway

Annex I, Part I, Point 2m of the CRA mandates that your software provides users with an easy and secure way to permanently delete their data and settings. If data transfer is supported, it must also be secure. This is a crucial feature for user control and data lifecycle management.