Mission

Where to find the CRA directive
CRA Requirements Standards Mapping

The Cybersecurity Act strengthens the EU Agency for cybersecurity (ENISA) and establishes a cybersecurity certification framework for products and services.

Confirmed by the European Parliament, CRA aims to establish common cybersecurity standards for connected products and associated services, enhancing the resilience of digital products against cyber threats and ensuring better protection for consumers and businesses in the EU.

Empty words

Essential security requirements

The CRA sets out crucial security criteria that PDEs have to comply with, including:

  • Security by design and default – appropriate level of cybersecurity based on the risks must be embedded in a PDE from the beginning. A PDE must be placed on the market with a secure-by-default configuration, including the possibility to reset the product to its original state, including a default setting that security updates be installed automatically, with a clear and easy-to-use opt-out mechanism;
  • Unauthorised access prevention by appropriate control mechanisms, such as authentication, identity or access management systems;
  • Protection of the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state-of-the-art mechanisms;
  • Protection of the integrity of stored, transmitted or otherwise processed data, commands, programs and configuration against any manipulation or modification;
  • Minimization of data – process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of a PDE;
  • Protection of the availability of essential functions, including the resilience against and mitigation of denial-of-service attacks;
  • Resilience against service attacks and attack surface limitation to minimise the potential entry points for cyberattacks;
  • Vulnerability management – a PDE must be placed on the market without any known exploitable vulnerabilities. Post market-launched vulnerabilities can be addressed through security updates;
  • Data portability – users must be provided with the option to securely and easily remove all data and settings and, where such data can be transferred to other products or systems in a secure manner.