The Cyber Resilience Act's main focus is on companies developing and commercializing non-embedded software.
On the other hand, free and open-source software, as well as pure SaaS software, is not targeted by the CRA, unless, for the latter, it is used to remotely process the data generated by a hardware product sold in the European market.
Further, software already covered by other EU legislation (such as medical and civil aviation software) does not need to also comply with the act for (and only for) requirements already covered by that other legislation.
For software companies targeted by the Act, the legislation aims to strengthen their security features and address vulnerabilities, ensuring software applications are better equipped to withstand cyber threats.
Follow our comprehensive guide to know more!
Software developers must ensure cybersecurity compliance by:
These measures enhance security throughout the product lifecycle and supply chain.
(1) Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks.
(2) On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall:
(a) be made available on the market without known exploitable vulnerabilities;
(b) be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state;
(c) ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them;
(d) ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access;
(e) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means;
(f) protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions;
(g) process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation);
(h) protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks;
(i) minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks;
(j) be designed, developed and produced to limit attack surfaces, including external interfaces;
(k) be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques;
(l) provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user;
(m) provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner.
Software developers are required to maintain certain mandatory documentation in compliance with the Cyber Resilience Act. This documentation includes:
(1) identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products;
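The SBOM requirement above is one of the few points in the Act that maps directly onto an engineering artefact. The following is an added example, not code from the page or from any EU body: it reads a constructed, pinned requirements-style list of a product's top-level dependencies, emits them in CycloneDX JSON (one commonly used machine-readable SBOM format; SPDX is another) with Package URL identifiers, and then checks that every component carries the name, version and identifier needed to make the SBOM usable for vulnerability matching. The product name, dependency names and versions are illustrative; the Act itself does not mandate any particular format.

```python
import json
import re
from typing import Dict, List

# Constructed sample input (not from the page): pinned top-level dependencies
# in requirements.txt style. Names and versions are illustrative only.
SAMPLE_REQUIREMENTS = """\
# direct dependencies of the hypothetical product
requests==2.32.3
cryptography==43.0.1
"""

# Only exact pins are accepted: a component without an exact version cannot be
# uniquely identified, which defeats the purpose of the SBOM.
PINNED_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([A-Za-z0-9.+!-]+)$")


def parse_pinned_requirements(text: str) -> List[Dict[str, str]]:
    """Return the pinned top-level dependencies found in a requirements-style text.

    Comments and blank lines are ignored; an unpinned or unparsable line raises,
    so the SBOM is never silently produced with an incomplete component list.
    """
    deps: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = PINNED_RE.match(line)
        if not match:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        deps.append({"name": match.group(1), "version": match.group(2), "ecosystem": "pypi"})
    return deps


def make_purl(ecosystem: str, name: str, version: str) -> str:
    """Package URL (purl), the standard component identifier used in SBOMs."""
    return f"pkg:{ecosystem}/{name.lower()}@{version}"


def build_sbom(product_name: str, product_version: str, deps: List[Dict[str, str]]) -> Dict:
    """Assemble a minimal CycloneDX 1.5 document for the product and its top-level deps."""
    components = [
        {
            "type": "library",
            "name": dep["name"],
            "version": dep["version"],
            "purl": make_purl(dep["ecosystem"], dep["name"], dep["version"]),
        }
        for dep in deps
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "component": {"type": "application", "name": product_name, "version": product_version}
        },
        "components": components,
    }


def validate_sbom(sbom: Dict) -> List[str]:
    """Return a list of problems; an empty list means every component is identifiable."""
    errors: List[str] = []
    if sbom.get("bomFormat") != "CycloneDX" or not sbom.get("specVersion"):
        errors.append("missing or unknown SBOM format header")
    components = sbom.get("components")
    if not isinstance(components, list) or not components:
        errors.append("no components listed")
        return errors
    for index, component in enumerate(components):
        for field in ("name", "version", "purl"):
            if not component.get(field):
                errors.append(f"component {index} is missing {field!r}")
        if not str(component.get("purl", "")).startswith("pkg:"):
            errors.append(f"component {index} has a malformed purl")
    return errors


def sbom_to_json(sbom: Dict) -> str:
    """Serialise deterministically so the SBOM can be diffed between releases."""
    return json.dumps(sbom, indent=2, sort_keys=True)


if __name__ == "__main__":
    deps = parse_pinned_requirements(SAMPLE_REQUIREMENTS)
    sbom = build_sbom("example-app", "1.0.0", deps)
    print(sbom_to_json(sbom))
    print("validation errors:", validate_sbom(sbom))
```

Producing the document is the easy part; the validation step is what matters for the obligation, since an SBOM whose components lack exact versions or identifiers cannot be matched against vulnerability advisories and so does not actually help the manufacturer "identify and document vulnerabilities".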
The EU declaration of conformity referred to in Article 28, shall contain all of the following information:
1. Name and type and any additional information enabling the unique identification of the product with digital elements;
2. Name and address of the manufacturer or its authorised representative;
3. A statement that the EU declaration of conformity is issued under the sole responsibility of the provider;
4. Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate);
5. A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation;
6. References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared;
7. Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued;
8. Additional information: Signed for and on behalf of:…………………………………
(place and date of issue):
(name, function)
(signature):
Under the Cyber Resilience Act, software developers have certain reporting obligations. These requirements include:
Although the CRA was adopted in October 2024, there will be a transitional period until 2027 before the reporting requirements become mandatory and subject to penalties for non-compliance.
1. Internal control is the conformity assessment procedure whereby the manufacturer fulfils the obligations set out in points 2, 3 and 4 of this Part, and ensures and declares on its sole responsibility that the products with digital elements satisfy all the essential cybersecurity requirements set out in Part I of Annex I and the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I.