
Progressive Web Apps (PWAs) and the EU CRA

Progressive Web Apps (PWAs) blur the lines between web pages and installed applications, offering app-like experiences directly through a browser. So, how does the EU Cyber Resilience Act (CRA) view them?

PWAs as Software Products

A PWA is fundamentally software. The CRA defines a "product with digital elements" as "a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately" (Article 3(1)). The Regulation applies to such products made available on the market "the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network" (Article 2(1)).

Since PWAs are software and inherently depend on a network connection (at a minimum to be served, and to fetch the assets that a service worker later replays offline), they fall squarely within this definition and scope. The entity that develops the PWA and makes it available under its own name is the "manufacturer". One caveat: the CRA attaches to products supplied in the course of a commercial activity (see the definition of "making available on the market" in Article 3), so a PWA published purely as non-commercial open-source software is largely outside its obligations, while a free PWA that supports a commercial offering is not.

Key CRA Considerations for PWAs

  1. Secure by Design and Default:
    • PWAs must be designed, developed, and produced to ensure an appropriate level of cybersecurity (Annex I, Part I, Point 1).
    • This includes secure handling of data, protection against unauthorized access, and ensuring the integrity of information processed or displayed.
    • Service workers, the web app manifest, and caching mechanisms must be implemented so they do not become the weak point: a service worker that caches authenticated or cross-origin responses, or that never invalidates old assets, can keep a vulnerable build running on users' devices long after the server has been fixed.
  2. Vulnerability Handling:
    • The vulnerability handling requirements of Annex I, Part II apply. If a vulnerability is found in your PWA's code (client-side or in server-side components you manage), you need to address it, and actively exploited vulnerabilities are subject to the reporting obligations of Article 14.
    • Updates to PWAs can be near-seamless, but only if the update path is designed for it. A new service worker is downloaded on the next navigation, yet by default it does not take over until every tab controlled by the old worker is closed, and precached assets persist until the cache is invalidated. Manage that lifecycle deliberately, alongside the process for identifying and fixing vulnerabilities in your codebase, so that a security fix actually reaches users.
  3. Remote Data Processing:
    • If your PWA relies on backend APIs and servers that you design and operate, and the PWA cannot perform one of its functions without them, these are "remote data processing solutions" (Article 3(2)) and form part of your product with digital elements. They must be secured to the same standard as the client-side code.
  4. User Information (Annex II):
    • You need to provide users with the required security information (e.g., manufacturer contact, support period, how to use securely). This can be done on the PWA itself or a linked support page.
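
As an added example (not code from the original page), here is a service worker that applies points 1 and 2 above in code: cache names are keyed to a build version so a fix ships as a new cache, caches from older builds are purged on activation, skipWaiting() and clients.claim() make the new worker take over promptly, and the runtime cache only stores same-origin, public, successful GET responses. APP_VERSION, CACHE_PREFIX, the precache list and the sample inputs are assumptions for illustration. The decision helpers are kept separate from the event handlers so they can be exercised outside a browser.

```javascript
// Added example, not part of the original page.
// Assumption: APP_VERSION is stamped by the build pipeline; every security
// release bumps it, which is what evicts a vulnerable build from user devices.
const APP_VERSION = '2024.06.1';                      // assumed build stamp
const CACHE_PREFIX = 'pwa-static-';                   // assumed naming scheme
const CACHE_NAME = `${CACHE_PREFIX}${APP_VERSION}`;
const PRECACHE_URLS = ['/', '/app.js', '/styles.css', '/manifest.webmanifest']; // constructed list

// Caches belonging to older builds: everything with our prefix except the current one.
function staleCacheNames(existingNames, current = CACHE_NAME, prefix = CACHE_PREFIX) {
  return existingNames.filter((name) => name.startsWith(prefix) && name !== current);
}

// Decide whether a fetched response may be stored. Rules: GET only, same origin only
// (so no opaque cross-origin bodies end up served as our own assets), status 200 only,
// and never anything the server marked private or no-store (session-bound data).
function isCacheable(requestUrl, requestMethod, response, origin) {
  if (requestMethod !== 'GET') return false;
  let url;
  try { url = new URL(requestUrl, origin); } catch { return false; }
  if (url.origin !== origin) return false;
  if (!response || response.status !== 200 || response.type === 'opaque') return false;
  const cc = ((response.headers && response.headers.get('cache-control')) || '').toLowerCase();
  if (/\b(no-store|private)\b/.test(cc)) return false;
  return true;
}

// Event handlers are only wired up inside a real ServiceWorkerGlobalScope
// (window and Node have no `clients`), so the helpers above stay testable anywhere.
const sw = globalThis.self;
const inServiceWorker = !!(sw && typeof sw.addEventListener === 'function' && 'clients' in sw);

if (inServiceWorker) {
  sw.addEventListener('install', (event) => {
    // Precache the new build, then skipWaiting so a security fix does not wait
    // behind the old worker until every tab is closed.
    event.waitUntil(
      caches.open(CACHE_NAME)
        .then((cache) => cache.addAll(PRECACHE_URLS))
        .then(() => sw.skipWaiting()),
    );
  });

  sw.addEventListener('activate', (event) => {
    // Delete caches from previous builds, then take control of open clients immediately.
    event.waitUntil(
      caches.keys()
        .then((names) => Promise.all(staleCacheNames(names).map((name) => caches.delete(name))))
        .then(() => sw.clients.claim()),
    );
  });

  sw.addEventListener('fetch', (event) => {
    const req = event.request;
    if (req.method !== 'GET') return; // let the browser handle writes (API POSTs etc.) untouched
    event.respondWith(
      caches.match(req).then((hit) => hit || fetch(req).then((resp) => {
        // Cache-first within one build version; a new APP_VERSION is what invalidates it.
        if (isCacheable(req.url, req.method, resp, sw.location.origin)) {
          const copy = resp.clone();
          caches.open(CACHE_NAME).then((cache) => cache.put(req, copy));
        }
        return resp;
      })),
    );
  });
}
```

Register it from the page with navigator.serviceWorker.register('/sw.js'); outside a service worker the handlers are skipped and only the helpers are defined. The design choice worth noting for CRA purposes is that the update and invalidation story is explicit: a vulnerability fix is shipped by bumping APP_VERSION, and the activate handler guarantees the old assets are gone rather than hoping users clear their cache.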

Key Takeaway

PWAs are considered software products with digital elements under the CRA. Developers must apply the Act's essential cybersecurity requirements to their design, development (client and any managed backend), and ongoing vulnerability management. Transparent communication of security information to users is also required.