Annex I — Essential cybersecurity requirements
The normative annex of the CRA containing the binding technical and process requirements that products with digital elements must satisfy. It is divided into Part I (11 security properties that products must have by design and by default) and Part II (8 vulnerability handling obligations applicable to manufacturers' development and maintenance processes).
Overview
Annex I of Regulation (EU) 2024/2847 contains the two sets of essential cybersecurity requirements referenced throughout the regulation.
Part I — Security requirements for products with digital elements
Products must be designed, developed, and produced to:
- Be delivered without known exploitable vulnerabilities, i.e. none listed in publicly accessible vulnerability databases
- Be secure by default — shipped with a secure default configuration; unnecessary functions disabled; secure operation documented
- Ensure confidentiality — data stored, transmitted, or processed protected against unauthorised access
- Ensure integrity — data and product functions protected against unauthorised manipulation
- Process only necessary data for the intended function (data minimisation)
- Protect availability of the product's essential functions
- Minimise the product's own negative impact on the security or availability of other services
- Be designed to limit the attack surface — interfaces exposed only where functionally necessary
- Be designed to reduce the impact of an incident through isolation and resilience mechanisms
- Record and monitor relevant security events with user-accessible logs
- Allow safe transfer and deletion — users can securely move all data before end-of-life or product transfer, and securely delete data
Part II — Vulnerability handling requirements
Manufacturers must implement, document, and maintain processes to:
- Identify and document vulnerabilities, including by drawing up an SBOM
- Address and remediate vulnerabilities without undue delay, including by providing security updates
- Apply regular security testing and reviews
- Once a vulnerability is fixed, publicly disclose information about it in a timely manner on a dedicated security advisory page
- Put in place and enforce a coordinated vulnerability disclosure (CVD) policy
- Facilitate reporting of vulnerabilities via a single point of contact
- Provide for secure distribution of security updates (including automated options)
- Distribute security updates free of charge for the duration of the support period and for a minimum of 10 years after market placement
Relationship to conformity assessment
Demonstrating compliance with Annex I is the core purpose of the conformity assessment procedures in Art. 32. Notified bodies assess technical documentation against Annex I requirements when conducting Module B or Module H assessments.