CRA Legal Terms

Annex I Essential Requirements

Annex I of the EU Cyber Resilience Act sets out the mandatory cybersecurity requirements that all products with digital elements must meet. It is divided into two parts: Part I covers secure product properties, and Part II covers manufacturer vulnerability handling obligations.

What Is Annex I of the CRA?

Annex I of the EU Cyber Resilience Act contains the essential cybersecurity requirements a product with digital elements must meet before a manufacturer may place it on the EU market. It is divided into two parts. Part I specifies security properties that the product itself must have: hardware and software design requirements. Part II specifies the vulnerability handling processes the manufacturer must maintain throughout the product's support period: operational and procedural requirements. Together they form the substantive compliance test behind the CE marking, and market surveillance authorities check products against them when they act.

CRA reference: Annex I

Annex I Part I: Product Security Properties

Part I requirements address the security of the product itself. The product must be designed, developed and produced so that it provides a level of cybersecurity appropriate to the risks, and, on the basis of the manufacturer's cybersecurity risk assessment, where applicable:

  • No known exploitable vulnerabilities at the time the product is placed on the market.
  • Secure by default: a secure configuration out of the box, including the ability to reset the product to its original state.
  • Security updates: vulnerabilities can be addressed through security updates, where applicable installed automatically and enabled by default with a clear opt-out, with users notified of available updates and able to postpone them temporarily.
  • Access control: protection from unauthorised access through authentication, identity or access management, and reporting of possible unauthorised access.
  • Confidentiality: protection of stored, transmitted and processed data, for example by state-of-the-art encryption at rest and in transit.
  • Integrity: protection of data, commands, programs and configuration against modification not authorised by the user, and reporting of corruption.
  • Data minimisation: processing only data that is adequate, relevant and limited to what the product's intended purpose needs.
  • Availability and resilience: protection of essential and basic functions, also after an incident, including mitigation against denial-of-service attacks, and minimising the product's negative impact on the availability of other devices and networks.
  • Reduced attack surface: limiting attack surfaces, including external interfaces, and applying exploitation mitigation mechanisms to reduce the impact of an incident.
  • Auditability: recording and monitoring relevant internal activity, such as access to or modification of data, services or functions, with an opt-out for the user.
  • Secure data removal: letting users securely and permanently remove all data and settings, and transfer them securely where the product supports transfer.

These requirements apply to the product as designed and shipped; they are assessed by examining the product and its technical documentation.

CRA reference: Annex I Part I

Annex I Part II: Vulnerability Handling Obligations

Part II requirements address the manufacturer's vulnerability handling processes, which must run for the whole support period:

  1. Vulnerability and component identification: identify and document vulnerabilities and components in the product, including by drawing up a software bill of materials (SBOM) in a commonly used, machine-readable format covering at least the top-level dependencies.
  2. Remediation without delay: address and remediate vulnerabilities in relation to the risks, including by providing security updates; where technically feasible, security updates are delivered separately from functionality updates.
  3. Regular testing: apply effective and regular tests and reviews of the product's security.
  4. Public disclosure of fixed vulnerabilities: once a security update is available, publish a description of the vulnerability, information that lets users identify the affected product, the impact and severity, and clear remediation guidance. In duly justified cases, where the security risk of publishing outweighs the benefit, publication may be delayed until users have had the chance to apply the patch.
  5. CVD policy: put in place and enforce a coordinated vulnerability disclosure policy.
  6. Reporting channel: facilitate the sharing of information about potential vulnerabilities in the product and in its third-party components, including by providing a contact address for reports.
  7. Secure update distribution: provide mechanisms to securely distribute updates so that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, automatically.
  8. Free and timely updates: disseminate security updates without delay and, unless otherwise agreed with a business user, free of charge, accompanied by advisories telling users what action to take.

Notifying actively exploited vulnerabilities and severe incidents to ENISA and the national CSIRT is a separate obligation under Article 14, and stating the support period and telling users when it ends falls under Article 13; neither is an Annex I item, although both are usually handled by the same vulnerability management process.

CRA reference: Annex I Part II
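Item 1 of Part II is the obligation that lends itself most directly to tooling: a machine-readable SBOM lets the manufacturer match the components it ships against vulnerability records, which is the first step towards items 2 and 4. The following is an added Python example, not code from this page or from CVD Portal, that checks a constructed CycloneDX SBOM against constructed advisory records carrying OSV-style version ranges keyed by package URL (purl). The component names, purls, versions and advisory identifiers are placeholders, and the version comparison is a deliberate simplification.

```python
"""Match a CycloneDX SBOM against vulnerability records by package URL (purl).

Added example; the SBOM, advisory records and identifiers below are
constructed placeholders, not data from the page or any real product.
"""
from __future__ import annotations

import json

# Constructed CycloneDX 1.5 SBOM fragment covering top-level dependencies.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libfoo",  "version": "1.4.2",
     "purl": "pkg:generic/libfoo@1.4.2"},
    {"type": "library", "name": "netlib",  "version": "2.0.9",
     "purl": "pkg:generic/netlib@2.0.9?checksum=sha256:abc"},
    {"type": "library", "name": "jsonkit", "version": "3.1.0",
     "purl": "pkg:generic/jsonkit@3.1.0"}
  ]
}
"""

# Constructed advisory records in the shape of an OSV "affected" range:
# versions in the half-open range [introduced, fixed) of a purl are
# vulnerable. "fixed": None means no fix has been released yet.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "purl": "pkg:generic/libfoo",
     "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "EXAMPLE-0002", "purl": "pkg:generic/netlib",
     "introduced": "2.1.0", "fixed": "2.1.4"},
    {"id": "EXAMPLE-0003", "purl": "pkg:generic/jsonkit",
     "introduced": "0", "fixed": "3.1.0"},
]


def parse_version(version: str) -> tuple[int, int, int]:
    """Reduce a dotted version to a comparable (major, minor, patch) tuple.

    Deliberate simplification: pre-release suffixes such as "-rc1" are
    dropped, so "1.4.2-rc1" compares equal to "1.4.2". Real tooling should
    use the ecosystem's own ordering (SemVer, PEP 440, Debian, ...).
    """
    nums = []
    for part in version.split(".")[:3]:
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_affected(version: str, introduced: str, fixed: str | None) -> bool:
    """True if version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def split_purl(purl: str) -> tuple[str, str | None]:
    """Split 'pkg:type/name@version?qualifiers#subpath' into (base, version).

    Qualifiers and subpath are discarded; the version may be absent.
    """
    core = purl.split("?", 1)[0].split("#", 1)[0]
    base, sep, version = core.partition("@")
    return base, (version if sep else None)


def find_vulnerable_components(sbom_json: str, advisories: list[dict]) -> list[dict]:
    """Return one finding per (component, advisory) pair whose version is affected."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            # Components without a purl cannot be matched reliably; a real
            # pipeline should flag them for manual review rather than skip them.
            continue
        base, version = split_purl(purl)
        version = version or comp.get("version")
        if not version:
            continue
        for adv in advisories:
            if adv["purl"] == base and is_affected(version, adv["introduced"], adv.get("fixed")):
                findings.append({
                    "component": comp.get("name", base),
                    "version": version,
                    "advisory": adv["id"],
                    "fixed": adv.get("fixed"),
                })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_components(SBOM_JSON, ADVISORIES):
        fix = f["fixed"] or "no fix available"
        print(f'{f["component"]} {f["version"]}: {f["advisory"]} (fixed in {fix})')
```

On the constructed input only libfoo 1.4.2 is reported: netlib 2.0.9 predates the affected range, and jsonkit 3.1.0 is exactly the fixed version, which the half-open range excludes. Keeping each finding as a (component, advisory, fixed version) record gives the documentation trail that item 1 asks for and the raw material for the advisory required by item 4.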

Demonstrating Annex I Compliance

How a manufacturer demonstrates compliance with Annex I depends on the product's classification (Article 32):

  • Default products: internal control (Module A), i.e. self-assessment by the manufacturer. Applying harmonised standards or common specifications gives a presumption of conformity but is not a precondition for this route.
  • Important Class I products: self-assessment under Module A is permitted only if the manufacturer applies harmonised standards, common specifications or a European cybersecurity certification scheme in full; otherwise a notified body must assess the product under Module B + C (type examination plus conformity to type) or Module H (full quality assurance).
  • Important Class II products: third-party assessment by a notified body (Module B + C or Module H) is required.
  • Critical products: where the Commission has required a European cybersecurity certificate for the product category, that certificate (at assurance level 'substantial' or higher) is needed; otherwise the same third-party route as Class II applies.

For Part II, the evidence is mostly documentary: the SBOM, the CVD policy and reporting contact, records of security tests and reviews, the advisory archive, and patch release records showing how quickly reported vulnerabilities were fixed.

CVD Portal makes Annex I Essential Requirements compliance straightforward.

Public CVD submission portal, acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for EU manufacturers.

Start your free portal

Frequently asked

Do Annex I requirements apply to all products or only high-risk ones?

Annex I requirements apply to all products with digital elements within the CRA's scope, regardless of classification. Classification (default, important Class I or Class II under Annex III, or critical under Annex IV) determines the conformity assessment route and the level of regulatory scrutiny, but the substantive requirements in Annex I apply universally. A basic consumer smart plug must meet the same Annex I requirements as an industrial control system, even though the two follow different conformity assessment paths.

What is the difference between Annex I Part I and Part II?

Part I contains requirements for the product itself — security features, secure defaults, data protection, and update mechanisms. Part II contains requirements for the manufacturer's ongoing processes — vulnerability monitoring, patching, CVD policy, and ENISA notification. Part I is assessed by examining the product; Part II is assessed by examining the manufacturer's documented processes, policies, and track record of advisory publication.

Which harmonised standards can we use to demonstrate Annex I compliance?

Harmonised standards for the CRA are being developed by the European standardisation organisations (CEN/CENELEC and ETSI) under a standardisation request from the European Commission. ETSI EN 303 645 (consumer IoT security) and the IEC 62443 series (industrial automation and control systems) are widely expected to feed into them, but neither gives a presumption of conformity until a harmonised standard based on it has its reference published in the Official Journal. Until then, manufacturers may use ENISA guidance or existing standards as supporting evidence in the technical documentation, noting that presumption of conformity (Article 27) applies only to published harmonised standards and to common specifications adopted by the Commission.

Browse the full CRA Compliance Checklist

See how Annex I Essential Requirements fits into your complete CRA compliance programme.

View checklists →