Annex I, Part II Overview: Vulnerability Handling Requirements for Software Manufacturers

Part II of Annex I in the EU Cyber Resilience Act (CRA) shifts focus from the security properties of your software at release to your ongoing responsibilities as a manufacturer. It details the "Vulnerability Handling Requirements" you must implement throughout your software's support period. This is a significant aspect of the CRA, emphasizing that security is a continuous process.

Core Principles of Vulnerability Handling

The requirements in Annex I, Part II, are designed to ensure that once your software (game, app, component) is out in the world, you have robust processes to:

  • Discover and Track: Proactively identify and document vulnerabilities in your product and its components.
  • Assess and Prioritize: Understand the risk posed by discovered vulnerabilities.
  • Remediate: Develop and distribute fixes (security updates) effectively.
  • Communicate: Inform users and other stakeholders about vulnerabilities and their remedies.
  • Collaborate: Work with others in the ecosystem to address security issues.

What This Means for You

You'll need to establish and maintain documented procedures for all aspects of vulnerability management. This isn't just about reacting to bugs; it's about a systematic approach to software security lifecycle management. Key elements covered in the subsequent detailed points of Part II include:

  • Software Bill of Materials (SBOM).
  • Prompt remediation and security updates.
  • Security testing.
  • Public disclosure of fixed vulnerabilities.
  • Coordinated Vulnerability Disclosure policies.
  • Secure distribution of updates.
  • Providing updates free of charge.

Meeting these requirements is mandatory and will be part of conformity assessments.

Key Takeaway

Annex I, Part II of the CRA outlines the essential, ongoing vulnerability handling processes software manufacturers must establish and maintain. This includes identifying, fixing, and communicating about vulnerabilities in your software products throughout their defined support period.