CRA Legal Terms

Secure by Default

Secure by default means that a product ships with security settings pre-configured to the most protective state — disabled features, closed ports, strong authentication — without requiring users to take action to enable security. It is an explicit essential requirement under Annex I of the EU Cyber Resilience Act.

What Does Secure by Default Mean?

A product is secure by default when it arrives in the hands of the user in a security-positive state that does not depend on the user making configuration changes. Practical examples include: unique per-device passwords rather than shared factory defaults; all non-essential network services disabled at first boot; automatic security update installation enabled unless explicitly opted out; closed firewall rules with explicit allow-listing rather than open-by-default policies; and no debug interfaces accessible without explicit authentication. The principle recognises that most users — particularly consumers — will not consult a manual or harden a device after purchase.

CRA reference: Annex I Part I(2)(b)

Secure by Default as a CRA Legal Requirement

Annex I Part I(2)(b) of the EU Cyber Resilience Act requires that products with digital elements be made available on the market with a secure by default configuration, unless otherwise agreed between the manufacturer and a business user for a tailor-made product, and that the product can be reset to that original state. The default out-of-box state must itself satisfy the security baseline; shipping a hardening guide is not a substitute. In practice this rules out shared default passwords: every device should use unique credentials or require the user to set a password before the device becomes functional. Non-compliance with an Annex I essential requirement is a basis for market surveillance authority enforcement action.

CRA reference: Annex I Part I(2)(b)

How Manufacturers Implement Secure by Default

Implementing secure by default requires design decisions embedded early in product development. Key practices include: generating unique, device-specific credentials at the factory or on first boot rather than using shared defaults; disabling all network services not required for the product's primary function; configuring automatic updates to be on by default with a clear opt-out mechanism (not opt-in); pre-configuring TLS with strong cipher suites rather than supporting deprecated protocols for backwards compatibility; and performing a pre-ship configuration audit against the intended secure baseline before each production run. The secure default configuration should be documented in technical documentation with justification for any enabled services.

CRA reference: Annex I Part I(2)(b), (2)(c), Article 13

Common Mistakes

The most common violation of secure by default is shipping a product with a shared factory password (e.g. 'admin'/'admin') that is documented in a manual or printed on the device. Even if users are prompted to change it, this does not satisfy the requirement for a secure default. Manufacturers also frequently enable services such as Telnet, FTP or UPnP for ease of setup and rely on documentation telling users to disable them. Read together with the requirement to limit attack surfaces, including external interfaces (Annex I Part I(2)(j)), the consequence is clear: if a service is not necessary for the core function, it must be off by default, and user documentation is not an acceptable substitute for a correct shipped configuration.

CRA reference: Annex I Part I(2)(b), (2)(j)
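The two practices the preceding sections describe, generating a unique credential per device at provisioning and auditing the first-boot configuration against the intended baseline before a production run ships, sketched as an added Python example. This is illustrative code written for this page, not a manufacturer's or any project's tooling; the configuration field names, the assumed set of required services, the 12-character minimum and the deny-list of shared factory credentials are assumptions, and the sample production run is constructed.

```python
"""
Illustrative pre-ship secure-by-default audit (added example, not vendor tooling).

Assumptions: the product's intended-function analysis found that only HTTPS
management must listen at first boot; the field names, thresholds and the
deny-list of shared credentials below are chosen for the example.
"""
import secrets
import string
from collections import Counter
from dataclasses import dataclass

REQUIRED_SERVICES = {"https"}                      # everything else off by default
LEGACY_SERVICES = {"telnet", "ftp", "upnp", "http"}  # often left on "for ease of setup"
DEPRECATED_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}
SHARED_DEFAULTS = {("admin", "admin"), ("admin", "password"),   # constructed deny-list
                   ("root", "root"), ("admin", "1234")}
MIN_PASSWORD_LEN = 12


@dataclass
class DeviceConfig:
    serial: str
    admin_user: str
    admin_password: str             # empty when the user must set it during setup
    force_password_on_setup: bool   # no network function until the user sets a password
    services: dict                  # service name -> enabled at first boot
    tls_min_version: str
    auto_update: str                # "on" (installs by default), "notify" or "off"
    debug_console_auth: bool        # False = UART/SSH debug reachable unauthenticated


def generate_device_password(length: int = 16) -> str:
    """Factory/first-boot provisioning: a unique random credential per device."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit_device(cfg: DeviceConfig, duplicated_passwords: set) -> list:
    """Return the baseline violations for one device (empty list = compliant)."""
    findings = []
    if cfg.force_password_on_setup:
        if cfg.admin_password:
            findings.append("password pre-set although setup is meant to force the user to choose one")
    else:
        if (cfg.admin_user, cfg.admin_password) in SHARED_DEFAULTS:
            findings.append(f"shared factory credential {cfg.admin_user}/{cfg.admin_password}")
        if cfg.admin_password in duplicated_passwords:
            findings.append("factory password repeated on other devices in this run")
        if len(cfg.admin_password) < MIN_PASSWORD_LEN:
            findings.append(f"factory password shorter than {MIN_PASSWORD_LEN} characters")
    for name, enabled in sorted(cfg.services.items()):
        if enabled and name not in REQUIRED_SERVICES:
            kind = "legacy" if name in LEGACY_SERVICES else "non-essential"
            findings.append(f"{kind} service {name} enabled by default")
    if cfg.tls_min_version in DEPRECATED_TLS:
        findings.append(f"deprecated protocol {cfg.tls_min_version} accepted by default")
    if cfg.auto_update == "off":
        findings.append("automatic security updates disabled by default")
    if not cfg.debug_console_auth:
        findings.append("debug console reachable without authentication")
    return findings


def audit_run(configs: list) -> dict:
    """Audit a whole production run. A password seen on more than one device is
    shared even if it looks random, so duplicates are detected across the run."""
    counts = Counter(c.admin_password for c in configs
                     if not c.force_password_on_setup and c.admin_password)
    duplicated = {pw for pw, n in counts.items() if n > 1}
    return {c.serial: audit_device(c, duplicated) for c in configs}


# Constructed sample run: one device shipped the way the Common Mistakes section
# warns against, two whose "unique" password was in fact reused, one compliant.
REUSED = "Qm7vR2xLp9Kd4Wz1"   # random-looking, but provisioning reused it
SAMPLE_RUN = [
    DeviceConfig("SN-0001", "admin", "admin", False,
                 {"https": True, "http": True, "telnet": True, "upnp": True},
                 "TLSv1", "off", False),
    DeviceConfig("SN-0002", "admin", REUSED, False, {"https": True}, "TLSv1.2", "on", True),
    DeviceConfig("SN-0003", "admin", REUSED, False, {"https": True}, "TLSv1.2", "on", True),
    DeviceConfig("SN-0004", "admin", generate_device_password(), False,
                 {"https": True, "telnet": False, "ftp": False}, "TLSv1.2", "on", True),
]

if __name__ == "__main__":
    for serial, findings in audit_run(SAMPLE_RUN).items():
        print(f"{serial}: {'PASS' if not findings else 'FAIL'}")
        for f in findings:
            print(f"  - {f}")
```

The run-level duplicate check matters in practice: a per-device check alone accepts any long random string, but a provisioning bug that stamps the same "random" password on every unit in a batch recreates exactly the shared-default problem the requirement targets.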

Frequently asked

Does 'secure by default' mean manufacturers cannot ship any open network ports?

No. Secure by default means that only the ports, services, and interfaces required for the product's intended function are open by default. A product that requires network connectivity to function will legitimately have some network services active. The requirement is that any service not necessary for the primary intended use must be disabled by default, and that any enabled service must use strong, unique credentials and current protocols.

Are shared default passwords prohibited by the CRA?

Yes, in effect. The need for unique per-device credentials is a direct implication of the secure by default obligation in Annex I Part I(2)(b). Shared passwords, meaning those that are the same across all devices of a product line, whether factory-set or printed in documentation, do not satisfy this requirement. Each device must either ship with a unique factory-generated credential or require the user to set a password before any network functionality is accessible.

Is enabling automatic updates required for secure by default compliance?

The CRA requires manufacturers to ensure that vulnerabilities can be addressed through security updates, and Annex I Part I(2)(c) specifically provides for automatic security updates, where applicable, enabled as a default setting with a clear and easy-to-use opt-out mechanism, notification of available updates and the option to postpone them temporarily. Enabling automatic updates by default is therefore the most straightforward way to satisfy this obligation for consumer products. For industrial and enterprise products where updates pass through change control, manufacturers may rely on notification rather than silent auto-update, but the default should facilitate, not obstruct, the timely application of security patches.
