← CRA Glossary
Technical Security

Attack Surface

The attack surface of a product is the totality of different points — interfaces, APIs, protocols, hardware ports, and user inputs — through which an attacker could attempt to enter or extract data from a system. Reducing attack surface is a core principle of the CRA's essential cybersecurity requirements.

The attack surface of a product is the totality of different points — interfaces, APIs, protocols, hardware ports, and user inputs — through which an attacker could attempt to enter or extract data from a system. Reducing attack surface is a core principle of the CRA's essential cybersecurity requirements.

Technical Security
Free CVD portal →

What Is Attack Surface?

Attack surface refers to every reachable entry or exit point in a product that a threat actor could potentially exploit: network-facing ports and services, wireless interfaces (Wi-Fi, Bluetooth, Zigbee, LoRa), hardware debug ports (JTAG, UART, USB), web and REST APIs, user input fields, third-party libraries, bootloaders, and operating system services. A product's attack surface is not static — it grows when new features are added, new network interfaces are exposed, or new third-party dependencies are introduced. Attack surface analysis is a prerequisite for effective threat modelling, penetration testing, and vulnerability management.

CRA reference:Annex I Part I(2)(3)

Why Attack Surface Reduction Matters Under the CRA

Annex I Part I of the CRA requires manufacturers to ensure their products are designed and developed to reduce the attack surface to a minimum by disabling by default all interfaces, functions, and services that are not necessary for the product's intended purpose. This is the regulatory basis for the 'secure by default' principle. A product with a large, unnecessary attack surface — for example, a consumer router with SSH enabled by default on the WAN interface — is presumptively non-compliant regardless of how well individual services are hardened. Market surveillance authorities assess attack surface as part of conformity evaluations.

CRA reference:Annex I Part I(2)(3), Article 13

How Manufacturers Minimise Attack Surface

Attack surface reduction is a design discipline, not just a configuration task. Manufacturers should apply the following practices throughout the product lifecycle: (1) define the minimum necessary interfaces required for the product's intended function during design; (2) disable all other services, ports, and protocols by default — do not rely on documentation telling users to disable them; (3) conduct a formal attack surface enumeration as part of every threat modelling exercise and penetration test; (4) use a Software Bill of Materials (SBOM) to track third-party components that add to the software attack surface; (5) review and re-enumerate attack surface whenever a significant software update is released.

CRA reference:Annex I Part I(2)(3), Article 13(1)

Common Mistakes

The most common attack surface error is enabling services and interfaces during development for convenience — debug ports, telnet access, test APIs — and shipping the product without disabling them. Manufacturers also frequently overlook the cloud back-end and mobile application as part of the product's attack surface, treating only the device itself. A third error is neglecting the update mechanism: the software update channel is itself a high-value attack surface that must be authenticated and integrity-verified to prevent supply chain attacks. Attack surface reviews that only cover the primary use case and ignore maintenance, recovery, and administrative functions are incomplete.

CRA reference:Annex I Part I

CVD Portal makes Attack Surface compliance straightforward.

Public CVD submission portal, acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for EU manufacturers.

Start your free portal

Frequently asked

Does the CRA require manufacturers to document their attack surface?+

The CRA requires manufacturers to document the cybersecurity risk assessment and the security properties of their product. Attack surface analysis is a core component of any credible risk assessment. Conformity assessment bodies evaluating Important Class products will expect to see documented attack surface enumeration as part of the technical file. For all products, market surveillance authorities may request this evidence during post-market surveillance.

What is the difference between attack surface and attack vector?+

Attack surface is the aggregate of all potential entry points into a system. An attack vector is a specific pathway or method that an attacker uses to exploit one of those entry points — for example, a buffer overflow via a network-facing service (attack vector: network) or physical access to a debug port (attack vector: physical). Reducing attack surface limits the number of viable attack vectors available to an attacker.

Does third-party software increase a product's attack surface under the CRA?+

Yes. Every open-source library, commercial component, or subcontracted firmware module that a product includes adds to its software attack surface. The CRA holds manufacturers responsible for the security of their entire product, including third-party components. This is why Software Composition Analysis (SCA) and maintaining an accurate SBOM are essential: manufacturers must know what components they ship in order to assess and manage the associated attack surface and vulnerability exposure.

Related terms

Secure by DefaultSecure by default means that a product ships with security settings pre-configured to the most protective state — disabled features, closed ports, strong authentication — without requiring users to take action to enable security. It is an explicit essential requirement under Annex I of the EU Cyber Resilience Act.Threat ModelingThreat modeling is a structured technique for identifying, prioritising, and mitigating security threats to a system during its design phase by systematically analysing what could go wrong, who might cause it, and what the impact would be. It is the foundational practice that enables manufacturers to meet the CRA's requirement for risk-informed, secure-by-design product development.Penetration TestingPenetration testing is a structured, authorised security assessment in which testers simulate real-world attack techniques to identify exploitable vulnerabilities in a product, system, or network before malicious actors discover them. The EU Cyber Resilience Act implicitly requires manufacturers to test their products' security prior to market placement.Firmware Update & OTA SecurityA firmware update delivers new software to a device's embedded systems — microcontrollers, bootloaders, and operating environments — to fix vulnerabilities, add features, or address hardware behaviour. Over-the-air (OTA) updates deliver firmware remotely. The CRA requires manufacturers to implement and maintain a secure update mechanism throughout a product's support period.

CRA articles using this term

Annex IEssential Cybersecurity Requirements for Products with Digital ElementsArticle 13Coordinated Vulnerability Disclosure Obligations for ManufacturersArticle 10Obligations of Manufacturers — Product Security by Design

Browse the full CRA Compliance Checklist

See how Attack Surface fits into your complete CRA compliance programme.

View checklists →