CRA Legal Terms

Essential Cybersecurity Requirements

The essential cybersecurity requirements are the mandatory security properties and vulnerability handling obligations set out in Annex I of the CRA that all products with digital elements must satisfy before being placed on the EU market. They are the substantive compliance test at the heart of the CRA.


What Are the Essential Cybersecurity Requirements?

The essential cybersecurity requirements are the binding technical and process requirements that every product with digital elements must satisfy under the CRA. They are set out in Annex I and divide into two groups: Part I covers product security properties (what the product must do); Part II covers manufacturer vulnerability handling processes (what the manufacturer must do). These requirements are 'essential' in the EU regulatory sense — they are mandatory minimum standards whose fulfilment is a precondition for CE marking and EU market access. They are not guidelines or best practices; non-compliance prevents lawful sale of the product in the EU.

CRA reference: Annex I, Article 13

Part I: Product Security Properties

The essential product security requirements in Annex I Part I require that products:

  • Are free of known exploitable vulnerabilities at market placement.
  • Are delivered with a secure default configuration.
  • Have a minimal attack surface — only necessary interfaces and services are enabled.
  • Protect the confidentiality and integrity of data using state-of-the-art cryptography.
  • Implement access control mechanisms appropriate to the risk.
  • Provide resilience against denial-of-service attacks.
  • Limit data collection to what is strictly necessary for product function.
  • Provide logging and monitoring capabilities proportionate to the risk.
  • Include an authenticated, integrity-verified update mechanism.

CRA reference: Annex I Part I

Part II: Vulnerability Handling Obligations

The essential vulnerability handling requirements in Annex I Part II require manufacturers to:

  • Identify and document all components in the product (SBOM).
  • Monitor for vulnerabilities throughout the product support period.
  • Remediate and disclose vulnerabilities without undue delay, including by providing free security patches.
  • Publish a coordinated vulnerability disclosure (CVD) policy.
  • Share vulnerability information with ENISA and CSIRTs as required by Article 14.
  • Provide security advisories to affected users when patches are released.
  • Inform users when the support period ends and stop collecting unnecessary data at end-of-life.

These obligations persist throughout the product's support period, not just at market placement.

CRA reference: Annex I Part II, Article 13

Demonstrating Compliance with Essential Requirements

Manufacturers demonstrate compliance through:

  1. Harmonised standards — applying a European harmonised standard (once designated) creates a presumption of conformity with the requirements that standard covers.
  2. Common Specifications — implementing European Commission-adopted technical specifications provides presumption of conformity.
  3. Self-assessment (Default and Class I) — manufacturers document their technical evidence and sign an EU Declaration of Conformity.
  4. Third-party assessment (Class II and Critical) — a notified body assesses technical documentation and may perform product testing.

Key evidence artefacts: product security test results, SBOM, CVD policy, advisory archive, penetration test reports, and threat model documentation.


Frequently asked

What does 'no known exploitable vulnerabilities' mean in practice?

At the time of market placement, the manufacturer must have conducted sufficient security testing (vulnerability scanning, penetration testing, code review) to identify known vulnerabilities and remediated them before launch. This does not require a guarantee of zero vulnerabilities — the standard is 'known exploitable' vulnerabilities. The manufacturer must document the testing performed. A newly discovered CVE in a shipping product does not constitute a launch-day compliance failure, provided the manufacturer responds appropriately.

What is a 'secure default configuration' under the CRA?

A secure default configuration means the product, when shipped and first activated without user configuration, is in a secure state. This includes: strong or unique default credentials (not generic 'admin/admin'), only necessary services and interfaces enabled, automatic updates turned on by default where feasible, and no unnecessary listening ports open. Users may subsequently change settings, but the factory default must not expose the product to obvious attack.
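As an added example that is not part of this glossary page, the following pre-release check audits a product's shipped factory defaults against the four properties named above (generic credentials, unnecessary services, automatic updates, open listening ports). The configuration structure and field names are assumptions for illustration; the weak and hardened sample configurations are constructed.

```python
from dataclasses import dataclass

# Factory credentials of the generic kind the answer above rules out (constructed list).
GENERIC_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "")}

@dataclass
class DefaultConfig:
    """Shipped factory defaults (hypothetical structure, not a CRA-defined format)."""
    username: str
    password: str
    password_unique_per_device: bool   # e.g. a per-unit secret printed on the device label
    enabled_services: set[str]         # services started at first boot
    required_services: set[str]        # services the product's function actually needs
    auto_update: bool
    listening_ports: dict[int, str]    # port -> service that owns it

def audit_secure_defaults(cfg: DefaultConfig) -> list[str]:
    """Return findings against the four secure-default properties; empty means pass."""
    findings = []
    # 1. Credentials: no generic pair, and a shared (non-unique) password must be strong.
    if (cfg.username, cfg.password) in GENERIC_CREDENTIALS:
        findings.append("generic default credential")
    elif not cfg.password_unique_per_device and len(cfg.password) < 12:
        findings.append("shared default password shorter than 12 characters")
    # 2. Only necessary services enabled.
    extra = cfg.enabled_services - cfg.required_services
    if extra:
        findings.append(f"unnecessary services enabled: {sorted(extra)}")
    # 3. Automatic updates on by default.
    if not cfg.auto_update:
        findings.append("automatic updates disabled by default")
    # 4. No listening ports beyond those the required services need.
    orphan = sorted(p for p, svc in cfg.listening_ports.items() if svc not in cfg.required_services)
    if orphan:
        findings.append(f"unnecessary listening ports open: {orphan}")
    return findings

# Constructed samples: an insecure factory default and its hardened counterpart.
WEAK = DefaultConfig("admin", "admin", False, {"web_ui", "telnet", "upnp"}, {"web_ui"},
                     False, {80: "web_ui", 23: "telnet", 1900: "upnp"})
HARDENED = DefaultConfig("admin", "k7Qp-2xWm-9zLt", True, {"web_ui"}, {"web_ui"},
                         True, {443: "web_ui"})

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_secure_defaults(cfg) or "PASS")
```

Running the check in CI before release gives a documented artefact that the factory default was reviewed against each property, which is the kind of evidence the compliance section above lists.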

Do the essential requirements apply retroactively to products already on the market?

The essential requirements apply to products placed on the EU market from 11 December 2027 onwards. Products lawfully on the market before that date may continue to be sold without full CRA compliance during a transitional period. However, if a manufacturer continues manufacturing and shipping the same product after the application date, that product must comply. Manufacturers should plan for compliance in their product roadmaps, particularly for products with long development cycles.
