← Back to Blogcompliance

Breaking Down CRA Annex I: All 21 Essential Requirements

Annex I of the CRA contains 21 essential cybersecurity requirements split across two parts — product design (Part I) and vulnerability handling (Part II). This post breaks down each requirement with practical implementation guidance.

CRAReady Team·

Understanding Annex I

Annex I is the technical heart of the Cyber Resilience Act. It defines the essential cybersecurity requirements that all products with digital elements must satisfy. Non-compliance with Annex I is the most serious category of CRA violation — the one that attracts the maximum fine of €15 million or 2.5% of global turnover.

Annex I is divided into two parts:

  • Part I — security requirements for the product itself (design and development)
  • Part II — vulnerability handling obligations (post-market support)

Part I: Product Security Requirements

1. No Known Exploitable Vulnerabilities

Products must be placed on the market without any known exploitable vulnerabilities. This is a significant obligation — it means manufacturers must conduct thorough security testing before release, not just functional testing. Penetration testing, static analysis (SAST), dynamic analysis (DAST), and dependency scanning against vulnerability databases are all appropriate measures.

2. Secure by Default Configuration

Products must ship in the most secure configuration possible. Unnecessary services, ports, and interfaces must be disabled by default. Users may relax security settings, but the out-of-box state must be secure.

3. Access Controls

Products must protect against unauthorised access using appropriate mechanisms — authentication, authorisation, and least-privilege access. Default credentials must be unique per device or require mandatory change on first use.

4. Confidentiality of Data

Data at rest and in transit must be protected. Current standards (AES-256 for storage, TLS 1.2+ for transport) are expected. Sensitive data should not be stored unless necessary.

5. Integrity of Data

Products must protect the integrity of stored, transmitted, and processed data — using MACs, digital signatures, or equivalent mechanisms.

6. Data Minimisation

Only data necessary for the product's intended purpose should be collected and processed. This aligns with GDPR principles and requires manufacturers to consider data flows at design time.

7. Availability of Essential Functions

Critical functions must be resilient to attack. Denial-of-service resilience, graceful degradation, and failover mechanisms are relevant considerations.

8. Minimal Attack Surface

Manufacturers must minimise the attack surface — disable unused ports and services, remove debug interfaces before release, and apply least-privilege principles internally.

9. Resilience and Impact Limitation

Products should limit the impact of successful exploitation through compartmentalisation, privilege separation, memory protections (ASLR, DEP), and sandboxing.

10. Security Logging

Products must support logging of security-relevant events (authentication, configuration changes, errors). Documentation on enabling and retaining logs must be provided.

11. No Unsupported Third-Party Components

Manufacturers must not include third-party components that are past end-of-life or for which security support has ended.

Part II: Vulnerability Handling Obligations

12. SBOM and Component Documentation

Manufacturers must document all components in a machine-readable SBOM (SPDX or CycloneDX format) covering at minimum all top-level dependencies.

13. Vulnerability Remediation

Vulnerabilities must be addressed without undue delay. Critical or actively-exploited vulnerabilities require faster response than routine findings.

14–16. CVD Policy and Disclosure Channel

Manufacturers must operate a coordinated vulnerability disclosure (CVD) policy, provide a public reporting channel, and avoid preventing third parties from disclosing vulnerabilities.

17. Five-Year Security Update Support

Manufacturers must provide security updates for at least five years after market placement, or the product's expected lifetime if shorter.

18. Timely and Automatic Updates

Security updates must be distributed promptly. Where feasible, automatic update mechanisms should be provided.

19. Article 14 Reporting

Actively exploited vulnerabilities must be reported to ENISA: 24h early warning, 72h detailed report, final report on resolution.

20. User Notification

Users must be informed about security issues and available mitigations without undue delay.

21. Secure Third-Party Component Management

Manufacturers must ensure that third-party components in their products remain maintained and do not introduce new vulnerabilities over the product's support lifetime.

Priority Implementation Order

Given the September 2026 Article 14 deadline, the recommended priority order is:

  1. Generate SBOMs and set up automated vulnerability monitoring
  2. Establish CVD policy and reporting channel
  3. Build Article 14 incident response process
  4. Conduct gap analysis against Part I requirements
  5. Determine conformity route and begin technical file preparation

Ready to assess your CRA compliance obligations?

Try the Free Applicability Checker