Essential cybersecurity requirements

These are the binding security requirements set out in Annex I of the Cyber Resilience Act (CRA), divided into two Parts. Part I specifies 11 security properties that products with digital elements must achieve by design and by default. Part II specifies 8 vulnerability handling obligations that manufacturers must implement as processes throughout the product lifecycle.

Structure

Annex I of Regulation (EU) 2024/2847 is divided into two Parts:

Part I — Security requirements for products with digital elements

Products must be designed, developed and produced so that they meet the following requirements:

  1. No known exploitable vulnerabilities — shipped free of known exploitable vulnerabilities
  2. Secure by default — shipped with a secure default configuration; unnecessary capabilities disabled; the configuration needed for secure operation documented
  3. Confidentiality — data at rest and in transit protected against unauthorised access
  4. Integrity — protected against manipulation by unauthorised parties
  5. Restrict attack surface — minimal interfaces and communication channels; surface area justified by functionality
  6. Resilience — designed to minimise the impact of incidents on other products or networks
  7. Limit disruption — designed to limit service disruption, including degradation or unavailability
  8. Secure data handling — collect, process, store only data necessary for intended use; protect data
  9. Access control — protect against unauthorised access
  10. Secure update — possibility to install updates, including automatic security updates
  11. End-user security data — users are informed about discovered vulnerabilities; a mechanism is provided to securely wipe data before the product is transferred

Part II — Vulnerability handling requirements (processes)

Manufacturers must have policies and processes to:

  1. Identify and document vulnerabilities, including maintaining an SBOM
  2. Address and remediate vulnerabilities without undue delay
  3. Apply effective and regular testing and reviews of security
  4. Share information about fixed vulnerabilities on a public advisory
  5. Maintain a CVD policy
  6. Facilitate reporting through a single point of contact address
  7. Provide for secure distribution of security updates
  8. Provide free security updates for the duration of the support period

Presumption of conformity

Applying a relevant harmonised standard (Art. 27) creates a presumption of conformity with the corresponding essential cybersecurity requirements. Where no harmonised standard exists, the Commission may adopt common specifications (Art. 27(3)).

Essential cybersecurity requirements — CRA Compliance Hub