← CRA Glossary
CRA Legal Terms

Secure by Design

Secure by design means that security is built into a product's architecture and development process from the earliest design stage, rather than added as an afterthought after development is complete. The EU Cyber Resilience Act's essential requirements in Annex I mandate a secure-by-design approach for all products with digital elements.

Secure by design means that security is built into a product's architecture and development process from the earliest design stage, rather than added as an afterthought after development is complete. The EU Cyber Resilience Act's essential requirements in Annex I mandate a secure-by-design approach for all products with digital elements.

CRA Legal Terms
Free CVD portal →

What Is Secure by Design?

Secure by design is an engineering philosophy in which security properties — confidentiality, integrity, availability, and resilience — are treated as first-class functional requirements from the earliest stages of product conception. Rather than treating security as a layer applied at the end of development (or, worse, only after a breach), secure-by-design organisations define security requirements alongside feature requirements, conduct threat modelling during architecture design, apply secure coding standards throughout development, and integrate security testing at every stage of the build pipeline. The approach recognises that the cost of fixing a security flaw increases exponentially the later in the lifecycle it is discovered.

CRA reference:Annex I Part I, Article 13(1)

Secure by Design as a CRA Requirement

The CRA's Annex I Part I requires manufacturers to ensure their products are designed, developed, and produced to achieve an appropriate level of cybersecurity based on the risks involved. The use of 'designed' as the first verb in this formulation is deliberate: the regulation requires security to be addressed at the design stage, not retrofitted. Article 13(1) reinforces this by requiring the cybersecurity risk assessment to be incorporated into the product during planning and design. The essential requirements in Annex I — including least privilege, attack surface reduction, and data minimisation — are architectural properties that can only be achieved through design-stage decisions.

CRA reference:Annex I Part I, Article 13(1)

How Manufacturers Implement Secure by Design

Implementing secure by design requires embedding security into the Software Development Lifecycle (SDLC). Key practices include: defining security requirements and acceptance criteria before development begins; conducting formal threat modelling (e.g. using STRIDE or attack trees) during architecture design; applying secure coding standards such as OWASP Top 10 for web components or MISRA C for embedded firmware; conducting peer code review with security focus; integrating Static Application Security Testing (SAST) and dependency scanning into CI/CD pipelines; and requiring sign-off on security test results before any release reaches production. Security champions embedded in engineering teams help sustain this culture at scale.

CRA reference:Annex I Part I, Article 13(1)(2)

Common Mistakes

The most common failure of secure-by-design intent is treating threat modelling as a compliance checkbox — producing a document at the start of a project and then never revisiting it as the architecture evolves. A second error is siloing security reviews to a specialist team that only engages at the end of development sprints, removing engineers from security decision-making. Manufacturers also frequently focus secure-by-design efforts on the application layer while neglecting the hardware abstraction layer, bootloader, and update mechanism — components that often have greater security impact. Secure-by-design must extend to every tier of the product.

CRA reference:Annex I Part I

CVD Portal makes Secure by Design compliance straightforward.

Public CVD submission portal, acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for EU manufacturers.

Start your free portal

Frequently asked

What is the difference between secure by design and secure by default?+

Secure by design refers to the development process — security is built into the architecture from the start. Secure by default refers to the shipped product configuration — the device arrives in the user's hands with security settings pre-configured to a protective state. Both are required by the CRA. A product can be designed with security in mind but still ship with insecure defaults; conversely, secure defaults cannot compensate for fundamental architectural security flaws.

Is threat modelling part of the secure-by-design obligation under the CRA?+

Threat modelling is not mentioned by name in the CRA, but it is the primary mechanism by which manufacturers can demonstrate that security was considered during design — a requirement of Annex I Part I and Article 13(1). Conformity assessment bodies and market surveillance authorities will look for evidence that the manufacturer systematically identified and addressed threats during product design. A documented threat model is the most widely accepted evidence of this.

Can a manufacturer achieve CRA compliance by hardening a product after development?+

No. The CRA requires security to be addressed during design and development, not retrofitted. Post-development hardening can reduce risk and is valuable, but it cannot compensate for architectural decisions that baked in insecurity — for example, a protocol choice that does not support encryption, or a data model that stores user credentials in plaintext. Manufacturers must address security requirements during the design phase, not as an afterthought before launch.

Related terms

Secure by DefaultSecure by default means that a product ships with security settings pre-configured to the most protective state — disabled features, closed ports, strong authentication — without requiring users to take action to enable security. It is an explicit essential requirement under Annex I of the EU Cyber Resilience Act.Threat ModelingThreat modeling is a structured technique for identifying, prioritising, and mitigating security threats to a system during its design phase by systematically analysing what could go wrong, who might cause it, and what the impact would be. It is the foundational practice that enables manufacturers to meet the CRA's requirement for risk-informed, secure-by-design product development.Essential Cybersecurity RequirementsThe essential cybersecurity requirements are the mandatory security properties and vulnerability handling obligations set out in Annex I of the CRA that all products with digital elements must satisfy before being placed on the EU market. They are the substantive compliance test at the heart of the CRA.Cybersecurity Risk AssessmentA cybersecurity risk assessment is a systematic process of identifying, analysing, and evaluating security threats and vulnerabilities that could affect a product or system, then determining appropriate mitigations. The EU Cyber Resilience Act requires manufacturers to conduct and document a cybersecurity risk assessment as a precondition for market placement.

CRA articles using this term

Annex IEssential Cybersecurity Requirements for Products with Digital ElementsArticle 13Coordinated Vulnerability Disclosure Obligations for ManufacturersArticle 10Obligations of Manufacturers — Product Security by Design

Browse the full CRA Compliance Checklist

See how Secure by Design fits into your complete CRA compliance programme.

View checklists →