[{"data":1,"prerenderedAt":1591},["ShallowReactive",2],{"blog-cra-annex-i-essential-requirements-checklist":3},{"id":4,"title":5,"body":6,"date":1574,"description":1575,"extension":1576,"image":1577,"keywords":1578,"meta":1585,"navigation":97,"path":1586,"readTime":1587,"seo":1588,"stem":1589,"__hash__":1590},"blog/blog/cra-annex-i-essential-requirements-checklist.md","CRA Annex I Checklist for Firmware Engineers",{"type":7,"value":8,"toc":1534},"minimark",[9,13,16,19,24,27,34,40,43,48,55,62,65,69,73,79,84,124,127,131,136,140,178,184,188,193,197,240,244,249,253,286,290,295,299,326,329,333,338,342,396,400,405,409,442,452,456,461,465,498,502,507,511,544,548,553,557,594,610,614,619,623,662,666,671,675,702,706,711,715,736,740,743,747,771,775,806,810,837,841,862,866,913,917,938,942,969,973,1000,1004,1008,1011,1088,1092,1095,1173,1181,1185,1199,1202,1206,1211,1369,1374,1468,1476,1479,1485,1489],[10,11,12],"p",{},"Annex I of the Cyber Resilience Act is the core of the regulation. It defines the essential cybersecurity requirements that every product with digital elements must meet before it can carry a CE mark and be placed on the EU market.",[10,14,15],{},"The problem for firmware engineers: Annex I is written in regulatory language, not engineering language. It says things like \"appropriate level of cybersecurity\" and \"designed and manufactured to ensure an appropriate level of protection\" — which doesn't tell you what to implement.",[10,17,18],{},"This post translates every Annex I requirement into concrete firmware engineering tasks. Use it as a checklist to assess your current posture and track remediation work. Each requirement links to deeper coverage in our other posts where applicable.",[20,21,23],"h2",{"id":22},"how-annex-i-is-structured","How Annex I Is Structured",[10,25,26],{},"Annex I has two parts:",[10,28,29,33],{},[30,31,32],"strong",{},"Part I — Security requirements (13 items):"," These cover the product's design, development, and delivery. They address what the product itself must do.",[10,35,36,39],{},[30,37,38],{},"Part II — Vulnerability handling requirements (8 items):"," These cover the manufacturer's processes for managing vulnerabilities after the product is shipped. They address what your organisation must do.",[10,41,42],{},"Both parts must be satisfied. A product with excellent security engineering but no vulnerability management process is non-compliant, and vice versa.",[44,45,47],"h3",{"id":46},"harmonised-standards-en-18031","Harmonised Standards: EN 18031",[10,49,50,51,54],{},"CEN/CENELEC has developed harmonised standards relevant to cybersecurity for connected products. The EN 18031 series (EN 18031-1, EN 18031-2, EN 18031-3) was originally developed for the ",[30,52,53],{},"Radio Equipment Directive (RED)"," under Delegated Regulation 2022/30/EU. The series was finalised in August 2024 and harmonised references were published in the Official Journal of the EU in January 2025.",[10,56,57,58,61],{},"While EN 18031 was not developed specifically for the CRA, it serves as a foundation upon which CRA-specific harmonised standards are being built. Implementing EN 18031 provides a strong starting baseline for CRA compliance, particularly for connected products that also fall under the RED. CEN/CENELEC is developing additional CRA-specific standards that will provide a ",[30,59,60],{},"presumption of conformity"," with Annex I requirements once published.",[10,63,64],{},"In practice: if you implement EN 18031 and can demonstrate alignment with its requirements, you establish a solid technical baseline for CRA conformity, though the CRA-specific harmonised standards may add additional requirements. The requirements below reflect both the Annex I text and the EN 18031 standards where they provide useful clarification.",[20,66,68],{"id":67},"part-i-security-requirements","Part I: Security Requirements",[44,70,72],{"id":71},"requirement-1-designed-with-an-appropriate-level-of-cybersecurity","Requirement 1 — Designed with an appropriate level of cybersecurity",[10,74,75,78],{},[30,76,77],{},"Regulation text (paraphrased):"," Products must be designed, developed, and produced to ensure an appropriate level of cybersecurity based on the risks.",[10,80,81],{},[30,82,83],{},"What this means for firmware:",[85,86,89,106,112,118],"ul",{"className":87},[88],"contains-task-list",[90,91,94,99,100,105],"li",{"className":92},[93],"task-list-item",[95,96],"input",{"disabled":97,"type":98},true,"checkbox"," Conduct a risk assessment / ",[101,102,104],"a",{"href":103},"/blog/cra-threat-modeling-embedded/","threat model"," for your product before and during development",[90,107,109,111],{"className":108},[93],[95,110],{"disabled":97,"type":98}," Document security design decisions and their rationale",[90,113,115,117],{"className":114},[93],[95,116],{"disabled":97,"type":98}," Security requirements derived from the threat model are traceable to implementation",[90,119,121,123],{"className":120},[93],[95,122],{"disabled":97,"type":98}," Security is part of the development process, not bolted on after functional development",[10,125,126],{},"This is the overarching requirement. All subsequent requirements are specific instances of it.",[44,128,130],{"id":129},"requirement-2-no-known-exploitable-vulnerabilities","Requirement 2 — No known exploitable vulnerabilities",[10,132,133,135],{},[30,134,77],{}," Products must be delivered without known exploitable vulnerabilities.",[10,137,138],{},[30,139,83],{},[85,141,143,154,160,166,172],{"className":142},[88],[90,144,146,148,149,153],{"className":145},[93],[95,147],{"disabled":97,"type":98}," Run vulnerability scanning against all third-party components before each release (use your ",[101,150,152],{"href":151},"/blog/cra-sbom-firmware/","SBOM"," as input)",[90,155,157,159],{"className":156},[93],[95,158],{"disabled":97,"type":98}," Triage all CVEs affecting components in your firmware (VEX process)",[90,161,163,165],{"className":162},[93],[95,164],{"disabled":97,"type":98}," Patch or mitigate all exploitable vulnerabilities before shipping",[90,167,169,171],{"className":168},[93],[95,170],{"disabled":97,"type":98}," Document triage decisions for CVEs you've assessed as not exploitable (retain VEX records)",[90,173,175,177],{"className":174},[93],[95,176],{"disabled":97,"type":98}," Include vulnerability scan results in your release documentation",[10,179,180,183],{},[30,181,182],{},"Note:"," \"Known\" means vulnerabilities published in CVE databases for components you ship. You're expected to be monitoring.",[44,185,187],{"id":186},"requirement-3-integrity-protection","Requirement 3 — Integrity protection",[10,189,190,192],{},[30,191,77],{}," Protect the integrity of stored, transmitted, and processed data and software, including firmware.",[10,194,195],{},[30,196,83],{},[85,198,200,211,222,228,234],{"className":199},[88],[90,201,203,205,206,210],{"className":202},[93],[95,204],{"disabled":97,"type":98}," Implement ",[101,207,209],{"href":208},"/blog/cra-secure-boot-firmware-signing/","secure boot"," to verify firmware integrity at every boot",[90,212,214,216,217,221],{"className":213},[93],[95,215],{"disabled":97,"type":98}," Sign all ",[101,218,220],{"href":219},"/blog/cra-ota-firmware-updates/","firmware updates"," and verify signatures before installation",[90,223,225,227],{"className":224},[93],[95,226],{"disabled":97,"type":98}," Use authenticated encryption or HMAC for data stored in external flash/EEPROM",[90,229,231,233],{"className":230},[93],[95,232],{"disabled":97,"type":98}," Validate all data received from external interfaces before processing (input validation)",[90,235,237,239],{"className":236},[93],[95,238],{"disabled":97,"type":98}," Protect configuration data against unauthorised modification",[44,241,243],{"id":242},"requirement-4-confidentiality-protection","Requirement 4 — Confidentiality protection",[10,245,246,248],{},[30,247,77],{}," Protect the confidentiality of stored, transmitted, and processed data, including personal data and secrets.",[10,250,251],{},[30,252,83],{},[85,254,256,262,268,274,280],{"className":255},[88],[90,257,259,261],{"className":258},[93],[95,260],{"disabled":97,"type":98}," Encrypt sensitive data at rest (credentials, keys, user data) — use AES-256 or ChaCha20",[90,263,265,267],{"className":264},[93],[95,266],{"disabled":97,"type":98}," Encrypt data in transit — TLS 1.2+ for TCP, DTLS 1.2+ for UDP/CoAP on constrained devices",[90,269,271,273],{"className":270},[93],[95,272],{"disabled":97,"type":98}," Protect cryptographic keys in secure storage (hardware keystore, TrustZone, secure element) — never in plaintext flash",[90,275,277,279],{"className":276},[93],[95,278],{"disabled":97,"type":98}," Implement secure key derivation for session keys (HKDF or similar)",[90,281,283,285],{"className":282},[93],[95,284],{"disabled":97,"type":98}," Don't log or transmit sensitive data in debug output",[44,287,289],{"id":288},"requirement-5-minimise-data-collection-and-processing","Requirement 5 — Minimise data collection and processing",[10,291,292,294],{},[30,293,77],{}," Minimise the processing of data, including personal data, to what is necessary for the intended purpose.",[10,296,297],{},[30,298,83],{},[85,300,302,308,314,320],{"className":301},[88],[90,303,305,307],{"className":304},[93],[95,306],{"disabled":97,"type":98}," Only collect data necessary for the product's function (no telemetry beyond what's needed)",[90,309,311,313],{"className":310},[93],[95,312],{"disabled":97,"type":98}," Provide users with control over optional data collection",[90,315,317,319],{"className":316},[93],[95,318],{"disabled":97,"type":98}," Implement data retention limits — don't store data indefinitely",[90,321,323,325],{"className":322},[93],[95,324],{"disabled":97,"type":98}," Document what data your device collects and why",[10,327,328],{},"This requirement aligns with GDPR principles. For firmware teams, it typically means auditing your telemetry and logging to ensure you're not overcollecting.",[44,330,332],{"id":331},"requirement-6-minimise-attack-surface","Requirement 6 — Minimise attack surface",[10,334,335,337],{},[30,336,77],{}," Minimise the attack surface, including external interfaces.",[10,339,340],{},[30,341,83],{},[85,343,345,351,357,363,369,384,390],{"className":344},[88],[90,346,348,350],{"className":347},[93],[95,349],{"disabled":97,"type":98}," Disable all unused network services and protocols in production builds",[90,352,354,356],{"className":353},[93],[95,355],{"disabled":97,"type":98}," Disable debug interfaces (JTAG/SWD) in production firmware via OTP fuses or firmware configuration",[90,358,360,362],{"className":359},[93],[95,361],{"disabled":97,"type":98}," Close or disable unused UART, SPI, I2C, and other peripheral interfaces in software",[90,364,366,368],{"className":365},[93],[95,367],{"disabled":97,"type":98}," Remove debug logging, test endpoints, and development backdoors from production builds",[90,370,372,374,375,379,380,383],{"className":371},[93],[95,373],{"disabled":97,"type":98}," Compile with hardening flags (",[376,377,378],"code",{},"-fstack-protector-strong",", ",[376,381,382],{},"-D_FORTIFY_SOURCE=2",", ASLR where supported)",[90,385,387,389],{"className":386},[93],[95,388],{"disabled":97,"type":98}," Use MPU (Memory Protection Unit) to isolate privileged and unprivileged code where the MCU supports it",[90,391,393,395],{"className":392},[93],[95,394],{"disabled":97,"type":98}," Minimise the firmware binary — strip unused features, libraries, and drivers",[44,397,399],{"id":398},"requirement-7-secure-default-configuration","Requirement 7 — Secure default configuration",[10,401,402,404],{},[30,403,77],{}," Products must be delivered with a secure default configuration, including the possibility to reset to the original secure state.",[10,406,407],{},[30,408,83],{},[85,410,412,418,424,430,436],{"className":411},[88],[90,413,415,417],{"className":414},[93],[95,416],{"disabled":97,"type":98}," No default passwords — either unique-per-device credentials or force user setup on first boot",[90,419,421,423],{"className":420},[93],[95,422],{"disabled":97,"type":98}," All security features enabled by default (encryption, authentication, secure boot)",[90,425,427,429],{"className":426},[93],[95,428],{"disabled":97,"type":98}," Unnecessary services disabled by default (don't ship with telnet or HTTP debug server enabled)",[90,431,433,435],{"className":432},[93],[95,434],{"disabled":97,"type":98}," Factory reset restores the device to a secure state (not to a state with known-default credentials)",[90,437,439,441],{"className":438},[93],[95,440],{"disabled":97,"type":98}," Configuration changes that weaken security require explicit user action and generate a warning",[10,443,444,447,448,451],{},[30,445,446],{},"The \"no default passwords\" requirement is explicit and non-negotiable."," If your product ships with ",[376,449,450],{},"admin/admin"," or a common default across all units, you're in violation.",[44,453,455],{"id":454},"requirement-8-protection-against-unauthorised-access","Requirement 8 — Protection against unauthorised access",[10,457,458,460],{},[30,459,77],{}," Products must be designed to protect against unauthorised access through appropriate control mechanisms, including authentication.",[10,462,463],{},[30,464,83],{},[85,466,468,474,480,486,492],{"className":467},[88],[90,469,471,473],{"className":470},[93],[95,472],{"disabled":97,"type":98}," All remote access interfaces require authentication",[90,475,477,479],{"className":476},[93],[95,478],{"disabled":97,"type":98}," Authentication mechanisms are resistant to brute force (rate limiting, account lockout, exponential backoff)",[90,481,483,485],{"className":482},[93],[95,484],{"disabled":97,"type":98}," Credentials stored on device are hashed/salted (not plaintext)",[90,487,489,491],{"className":488},[93],[95,490],{"disabled":97,"type":98}," Session tokens have appropriate expiry",[90,493,495,497],{"className":494},[93],[95,496],{"disabled":97,"type":98}," Privilege separation — different access levels for user vs. admin vs. maintenance operations",[44,499,501],{"id":500},"requirement-9-availability-and-resilience","Requirement 9 — Availability and resilience",[10,503,504,506],{},[30,505,77],{}," Products must be designed to ensure availability, including resilience against denial-of-service attacks.",[10,508,509],{},[30,510,83],{},[85,512,514,520,526,532,538],{"className":513},[88],[90,515,517,519],{"className":516},[93],[95,518],{"disabled":97,"type":98}," Network stack handles malformed packets gracefully (doesn't crash or hang)",[90,521,523,525],{"className":522},[93],[95,524],{"disabled":97,"type":98}," Resource limits enforced — connection limits, message rate limits, buffer size limits",[90,527,529,531],{"className":528},[93],[95,530],{"disabled":97,"type":98}," Watchdog timer configured to recover from hangs",[90,533,535,537],{"className":534},[93],[95,536],{"disabled":97,"type":98}," Critical functions remain operational under network stress",[90,539,541,543],{"className":540},[93],[95,542],{"disabled":97,"type":98}," Stack and heap overflow protection enabled",[44,545,547],{"id":546},"requirement-10-secure-communications","Requirement 10 — Secure communications",[10,549,550,552],{},[30,551,77],{}," Products must ensure secure communication, including encryption of data in transit.",[10,554,555],{},[30,556,83],{},[85,558,560,566,576,582,588],{"className":559},[88],[90,561,563,565],{"className":562},[93],[95,564],{"disabled":97,"type":98}," TLS 1.2+ (or DTLS 1.2+) for all network communications carrying sensitive data",[90,567,569,571,572,575],{"className":568},[93],[95,570],{"disabled":97,"type":98}," Server certificate verification enabled (no ",[376,573,574],{},"verify=false"," in production)",[90,577,579,581],{"className":578},[93],[95,580],{"disabled":97,"type":98}," Strong cipher suites only — disable CBC mode ciphers, prefer AEAD (AES-GCM, ChaCha20-Poly1305)",[90,583,585,587],{"className":584},[93],[95,586],{"disabled":97,"type":98}," For constrained devices: DTLS 1.2 with PSK or certificate authentication over CoAP",[90,589,591,593],{"className":590},[93],[95,592],{"disabled":97,"type":98}," Certificate or PSK provisioning during manufacturing (not hardcoded shared secrets)",[10,595,596,599,600,604,605,609],{},[30,597,598],{},"Libraries:"," Mbed TLS (part of TrustedFirmware), wolfSSL, and BearSSL are common choices for MCU-based TLS. For Zephyr projects, Mbed TLS is the default. For ESP-IDF, mbedtls is bundled. (See our ",[101,601,603],{"href":602},"/blog/cra-compliance-zephyr-rtos/","Zephyr RTOS"," and ",[101,606,608],{"href":607},"/blog/cra-compliance-freertos/","FreeRTOS"," guides for RTOS-specific implementation details.)",[44,611,613],{"id":612},"requirement-11-logging-of-security-relevant-events","Requirement 11 — Logging of security-relevant events",[10,615,616,618],{},[30,617,77],{}," Products must log security-relevant events, where technically feasible.",[10,620,621],{},[30,622,83],{},[85,624,626,632,638,644,650,656],{"className":625},[88],[90,627,629,631],{"className":628},[93],[95,630],{"disabled":97,"type":98}," Log authentication attempts (success and failure)",[90,633,635,637],{"className":634},[93],[95,636],{"disabled":97,"type":98}," Log firmware update events (download, verification, installation, rollback)",[90,639,641,643],{"className":640},[93],[95,642],{"disabled":97,"type":98}," Log security configuration changes",[90,645,647,649],{"className":646},[93],[95,648],{"disabled":97,"type":98}," Log detected attacks or anomalies (malformed packets, repeated auth failures)",[90,651,653,655],{"className":652},[93],[95,654],{"disabled":97,"type":98}," Logs are tamper-protected (integrity-checked or stored in a protected region)",[90,657,659,661],{"className":658},[93],[95,660],{"disabled":97,"type":98}," For constrained devices where persistent logging isn't feasible: document why and what alternatives you provide (e.g., event counters, syslog forwarding)",[44,663,665],{"id":664},"requirement-12-secure-deletion-of-data","Requirement 12 — Secure deletion of data",[10,667,668,670],{},[30,669,77],{}," Provide the possibility for users to securely remove personal and configuration data from the device.",[10,672,673],{},[30,674,83],{},[85,676,678,684,690,696],{"className":677},[88],[90,679,681,683],{"className":680},[93],[95,682],{"disabled":97,"type":98}," Factory reset function that overwrites (not just marks as deleted) user data, credentials, and configuration",[90,685,687,689],{"className":686},[93],[95,688],{"disabled":97,"type":98}," Secure erase of cryptographic keys during factory reset",[90,691,693,695],{"className":692},[93],[95,694],{"disabled":97,"type":98}," Factory reset accessible without requiring authentication (for when credentials are lost)",[90,697,699,701],{"className":698},[93],[95,700],{"disabled":97,"type":98}," Document the factory reset procedure in user documentation",[44,703,705],{"id":704},"requirement-13-user-notification-of-security-issues","Requirement 13 — User notification of security issues",[10,707,708,710],{},[30,709,77],{}," Products must be capable of notifying users about security issues and available updates.",[10,712,713],{},[30,714,83],{},[85,716,718,724,730],{"className":717},[88],[90,719,721,723],{"className":720},[93],[95,722],{"disabled":97,"type":98}," Mechanism to inform users when a security update is available (LED indicator, companion app notification, web dashboard alert)",[90,725,727,729],{"className":726},[93],[95,728],{"disabled":97,"type":98}," Users can check the current firmware version easily",[90,731,733,735],{"className":732},[93],[95,734],{"disabled":97,"type":98}," Security advisories are published in an accessible location (product support page, security bulletin feed)",[20,737,739],{"id":738},"part-ii-vulnerability-handling-requirements","Part II: Vulnerability Handling Requirements",[10,741,742],{},"Part II requirements apply to your organisation's processes, not to the product itself. These must be in place and documented.",[44,744,746],{"id":745},"vh-requirement-1-identify-and-document-vulnerabilities-and-components","VH Requirement 1 — Identify and document vulnerabilities and components",[85,748,750,759,765],{"className":749},[88],[90,751,753,755,756,758],{"className":752},[93],[95,754],{"disabled":97,"type":98}," Maintain a machine-readable ",[101,757,152],{"href":151}," covering all product components",[90,760,762,764],{"className":761},[93],[95,763],{"disabled":97,"type":98}," SBOM updated with each firmware release",[90,766,768,770],{"className":767},[93],[95,769],{"disabled":97,"type":98}," SBOM in SPDX or CycloneDX format with NTIA minimum elements",[44,772,774],{"id":773},"vh-requirement-2-address-vulnerabilities-with-security-updates","VH Requirement 2 — Address vulnerabilities with security updates",[85,776,778,788,794,800],{"className":777},[88],[90,779,781,783,784,787],{"className":780},[93],[95,782],{"disabled":97,"type":98}," ",[101,785,786],{"href":219},"OTA update mechanism"," operational and tested",[90,789,791,793],{"className":790},[93],[95,792],{"disabled":97,"type":98}," Security updates delivered free of charge",[90,795,797,799],{"className":796},[93],[95,798],{"disabled":97,"type":98}," Patch timeline: critical/exploited vulnerabilities addressed within days/weeks, not months",[90,801,803,805],{"className":802},[93],[95,804],{"disabled":97,"type":98}," Update process documented and tested for failure scenarios",[44,807,809],{"id":808},"vh-requirement-3-regular-testing-and-review","VH Requirement 3 — Regular testing and review",[85,811,813,819,825,831],{"className":812},[88],[90,814,816,818],{"className":815},[93],[95,817],{"disabled":97,"type":98}," Regular vulnerability scanning of firmware components (at minimum, per release)",[90,820,822,824],{"className":821},[93],[95,823],{"disabled":97,"type":98}," Periodic penetration testing (annual for default category; more frequent for Class I/II)",[90,826,828,830],{"className":827},[93],[95,829],{"disabled":97,"type":98}," Code review process for security-sensitive changes",[90,832,834,836],{"className":833},[93],[95,835],{"disabled":97,"type":98}," Test results documented and retained",[44,838,840],{"id":839},"vh-requirement-4-public-disclosure-of-fixed-vulnerabilities","VH Requirement 4 — Public disclosure of fixed vulnerabilities",[85,842,844,850,856],{"className":843},[88],[90,845,847,849],{"className":846},[93],[95,848],{"disabled":97,"type":98}," Security advisories published for fixed vulnerabilities",[90,851,853,855],{"className":852},[93],[95,854],{"disabled":97,"type":98}," Advisories include CVE IDs, affected versions, fixed versions, and mitigation guidance",[90,857,859,861],{"className":858},[93],[95,860],{"disabled":97,"type":98}," Advisories published at the same time as the security update (not delayed)",[44,863,865],{"id":864},"vh-requirement-5-coordinated-vulnerability-disclosure-policy","VH Requirement 5 — Coordinated vulnerability disclosure policy",[85,867,869,879,890,896,902],{"className":868},[88],[90,870,872,874,875,878],{"className":871},[93],[95,873],{"disabled":97,"type":98}," CVD policy published and accessible (security.txt at ",[376,876,877],{},"/.well-known/security.txt",")",[90,880,882,884,885,889],{"className":881},[93],[95,883],{"disabled":97,"type":98}," Monitored security contact (",[101,886,888],{"href":887},"mailto:security@yourcompany.com","security@yourcompany.com"," or equivalent)",[90,891,893,895],{"className":892},[93],[95,894],{"disabled":97,"type":98}," Researcher acknowledgement policy defined",[90,897,899,901],{"className":898},[93],[95,900],{"disabled":97,"type":98}," Response timeline commitments documented (e.g., acknowledge within 5 business days)",[90,903,905,907,908,912],{"className":904},[93],[95,906],{"disabled":97,"type":98}," See our ",[101,909,911],{"href":910},"/blog/cra-article-14-vulnerability-reporting/","Article 14"," post for the full PSIRT setup",[44,914,916],{"id":915},"vh-requirement-6-sharing-vulnerability-information","VH Requirement 6 — Sharing vulnerability information",[85,918,920,926,932],{"className":919},[88],[90,921,923,925],{"className":922},[93],[95,924],{"disabled":97,"type":98}," Vulnerability information shared with affected parties when necessary",[90,927,929,931],{"className":928},[93],[95,930],{"disabled":97,"type":98}," ENISA notification process established for actively exploited vulnerabilities (Article 14)",[90,933,935,937],{"className":934},[93],[95,936],{"disabled":97,"type":98}," Process for notifying downstream customers when a vulnerability affects their deployment",[44,939,941],{"id":940},"vh-requirement-7-secure-distribution-of-updates","VH Requirement 7 — Secure distribution of updates",[85,943,945,951,957,963],{"className":944},[88],[90,946,948,950],{"className":947},[93],[95,949],{"disabled":97,"type":98}," Updates cryptographically signed",[90,952,954,956],{"className":953},[93],[95,955],{"disabled":97,"type":98}," Update distribution infrastructure secured (TLS, access controls)",[90,958,960,962],{"className":959},[93],[95,961],{"disabled":97,"type":98}," Update integrity verified before installation on device",[90,964,966,968],{"className":965},[93],[95,967],{"disabled":97,"type":98}," Update distribution documented in technical documentation",[44,970,972],{"id":971},"vh-requirement-8-no-undue-delay-in-distributing-security-patches","VH Requirement 8 — No undue delay in distributing security patches",[85,974,976,982,988,994],{"className":975},[88],[90,977,979,981],{"className":978},[93],[95,980],{"disabled":97,"type":98}," Patch development and release process with defined SLAs",[90,983,985,987],{"className":984},[93],[95,986],{"disabled":97,"type":98}," No gating of security patches behind feature releases or subscription payments",[90,989,991,993],{"className":990},[93],[95,992],{"disabled":97,"type":98}," Emergency patch process for critical/exploited vulnerabilities",[90,995,997,999],{"className":996},[93],[95,998],{"disabled":97,"type":98}," Patch deployment tracking (what percentage of devices have been updated)",[20,1001,1003],{"id":1002},"using-this-checklist","Using This Checklist",[44,1005,1007],{"id":1006},"priority-order-for-firmware-teams","Priority Order for Firmware Teams",[10,1009,1010],{},"If you're starting from zero, this is the recommended implementation order:",[1012,1013,1014,1022,1031,1040,1046,1055,1064,1070,1076,1082],"ol",{},[90,1015,1016,1018,1019,878],{},[30,1017,152],{}," (VH1) — You need to know what's in your firmware before you can secure it. (",[101,1020,1021],{"href":151},"SBOM guide",[90,1023,1024,1027,1028,878],{},[30,1025,1026],{},"Secure boot"," (Req 3) — Foundation for firmware integrity. (",[101,1029,1030],{"href":208},"Secure boot guide",[90,1032,1033,1036,1037,878],{},[30,1034,1035],{},"OTA updates"," (VH2, VH7, VH8) — Ability to deliver fixes. (",[101,1038,1039],{"href":219},"OTA guide",[90,1041,1042,1045],{},[30,1043,1044],{},"Vulnerability monitoring"," (VH1, VH3) — Know when your components have CVEs",[90,1047,1048,1051,1052,878],{},[30,1049,1050],{},"CVD policy and PSIRT"," (VH5, VH6) — Handle external vulnerability reports. (",[101,1053,1054],{"href":910},"Article 14 guide",[90,1056,1057,1060,1061,878],{},[30,1058,1059],{},"Threat model"," (Req 1) — Document your security design rationale. (",[101,1062,1063],{"href":103},"Threat modeling guide",[90,1065,1066,1069],{},[30,1067,1068],{},"Secure defaults"," (Req 7) — No default passwords, services disabled by default",[90,1071,1072,1075],{},[30,1073,1074],{},"Encryption"," (Req 4, Req 10) — Data at rest and in transit",[90,1077,1078,1081],{},[30,1079,1080],{},"Access control"," (Req 8) — Authentication and authorisation",[90,1083,1084,1087],{},[30,1085,1086],{},"Everything else"," (Req 5, 6, 9, 11, 12, 13) — Important but lower priority for initial compliance",[44,1089,1091],{"id":1090},"mapping-to-product-classification","Mapping to Product Classification",[10,1093,1094],{},"The checklist applies to all CRA-classified products, but the evidence requirements differ:",[1096,1097,1098,1117],"table",{},[1099,1100,1101],"thead",{},[1102,1103,1104,1108,1111,1114],"tr",{},[1105,1106,1107],"th",{},"Requirement area",[1105,1109,1110],{},"Default (self-declare)",[1105,1112,1113],{},"Class I (CAB audit)",[1105,1115,1116],{},"Class II (notified body)",[1118,1119,1120,1134,1148,1159],"tbody",{},[1102,1121,1122,1125,1128,1131],{},[1123,1124,1059],"td",{},[1123,1126,1127],{},"Documented, internal review",[1123,1129,1130],{},"Reviewed by CAB",[1123,1132,1133],{},"Reviewed by notified body",[1102,1135,1136,1139,1142,1145],{},[1123,1137,1138],{},"Security testing",[1123,1140,1141],{},"Self-assessed test results",[1123,1143,1144],{},"Third-party test results may be required",[1123,1146,1147],{},"Formal penetration testing required",[1102,1149,1150,1152,1155,1157],{},[1123,1151,152],{},[1123,1153,1154],{},"Generated, on file",[1123,1156,1130],{},[1123,1158,1133],{},[1102,1160,1161,1164,1167,1170],{},[1123,1162,1163],{},"Process documentation",[1123,1165,1166],{},"Written, internal",[1123,1168,1169],{},"Audited by CAB",[1123,1171,1172],{},"Audited by notified body",[10,1174,1175,1176,1180],{},"See our ",[101,1177,1179],{"href":1178},"/blog/cra-product-classification/","product classification guide"," for which tier applies to your product.",[44,1182,1184],{"id":1183},"timeline","Timeline",[85,1186,1187,1193],{},[90,1188,1189,1192],{},[30,1190,1191],{},"11 September 2026:"," Vulnerability handling requirements (Part II) must be in place — specifically Article 14 reporting",[90,1194,1195,1198],{},[30,1196,1197],{},"11 December 2027:"," All Annex I requirements (Part I and Part II) must be met for products placed on the market",[10,1200,1201],{},"Start with Part II (vulnerability handling) since that deadline comes first.",[20,1203,1205],{"id":1204},"printable-summary","Printable Summary",[10,1207,1208],{},[30,1209,1210],{},"Part I — Security Requirements:",[1096,1212,1213,1226],{},[1099,1214,1215],{},[1102,1216,1217,1220,1223],{},[1105,1218,1219],{},"#",[1105,1221,1222],{},"Requirement",[1105,1224,1225],{},"Key firmware task",[1118,1227,1228,1239,1250,1261,1272,1283,1294,1304,1314,1325,1336,1347,1358],{},[1102,1229,1230,1233,1236],{},[1123,1231,1232],{},"1",[1123,1234,1235],{},"Appropriate cybersecurity level",[1123,1237,1238],{},"Threat model, security design",[1102,1240,1241,1244,1247],{},[1123,1242,1243],{},"2",[1123,1245,1246],{},"No known exploitable vulnerabilities",[1123,1248,1249],{},"CVE scanning, VEX triage",[1102,1251,1252,1255,1258],{},[1123,1253,1254],{},"3",[1123,1256,1257],{},"Integrity protection",[1123,1259,1260],{},"Secure boot, signed updates",[1102,1262,1263,1266,1269],{},[1123,1264,1265],{},"4",[1123,1267,1268],{},"Confidentiality",[1123,1270,1271],{},"Encryption at rest and in transit",[1102,1273,1274,1277,1280],{},[1123,1275,1276],{},"5",[1123,1278,1279],{},"Data minimisation",[1123,1281,1282],{},"Audit telemetry, retention limits",[1102,1284,1285,1288,1291],{},[1123,1286,1287],{},"6",[1123,1289,1290],{},"Minimise attack surface",[1123,1292,1293],{},"Disable debug ports, unused services",[1102,1295,1296,1299,1301],{},[1123,1297,1298],{},"7",[1123,1300,1068],{},[1123,1302,1303],{},"No default passwords, secure out of box",[1102,1305,1306,1309,1311],{},[1123,1307,1308],{},"8",[1123,1310,1080],{},[1123,1312,1313],{},"Authentication, privilege separation",[1102,1315,1316,1319,1322],{},[1123,1317,1318],{},"9",[1123,1320,1321],{},"Availability / resilience",[1123,1323,1324],{},"DoS protection, watchdog, resource limits",[1102,1326,1327,1330,1333],{},[1123,1328,1329],{},"10",[1123,1331,1332],{},"Secure communications",[1123,1334,1335],{},"TLS/DTLS, certificate verification",[1102,1337,1338,1341,1344],{},[1123,1339,1340],{},"11",[1123,1342,1343],{},"Security event logging",[1123,1345,1346],{},"Auth logs, update logs, anomaly detection",[1102,1348,1349,1352,1355],{},[1123,1350,1351],{},"12",[1123,1353,1354],{},"Secure data deletion",[1123,1356,1357],{},"Factory reset with secure erase",[1102,1359,1360,1363,1366],{},[1123,1361,1362],{},"13",[1123,1364,1365],{},"User notification",[1123,1367,1368],{},"Update availability notifications",[10,1370,1371],{},[30,1372,1373],{},"Part II — Vulnerability Handling:",[1096,1375,1376,1387],{},[1099,1377,1378],{},[1102,1379,1380,1382,1384],{},[1105,1381,1219],{},[1105,1383,1222],{},[1105,1385,1386],{},"Key organisational task",[1118,1388,1389,1399,1408,1418,1428,1438,1448,1458],{},[1102,1390,1391,1393,1396],{},[1123,1392,1232],{},[1123,1394,1395],{},"Component identification (SBOM)",[1123,1397,1398],{},"Automated SBOM generation in build pipeline",[1102,1400,1401,1403,1406],{},[1123,1402,1243],{},[1123,1404,1405],{},"Security update delivery",[1123,1407,786],{},[1102,1409,1410,1412,1415],{},[1123,1411,1254],{},[1123,1413,1414],{},"Regular testing",[1123,1416,1417],{},"Vulnerability scanning, penetration testing",[1102,1419,1420,1422,1425],{},[1123,1421,1265],{},[1123,1423,1424],{},"Public disclosure",[1123,1426,1427],{},"Security advisories with CVE IDs",[1102,1429,1430,1432,1435],{},[1123,1431,1276],{},[1123,1433,1434],{},"CVD policy",[1123,1436,1437],{},"security.txt, monitored inbox, response SLAs",[1102,1439,1440,1442,1445],{},[1123,1441,1287],{},[1123,1443,1444],{},"Information sharing",[1123,1446,1447],{},"ENISA reporting, downstream notification",[1102,1449,1450,1452,1455],{},[1123,1451,1298],{},[1123,1453,1454],{},"Secure update distribution",[1123,1456,1457],{},"Signed updates, TLS delivery",[1102,1459,1460,1462,1465],{},[1123,1461,1308],{},[1123,1463,1464],{},"Timely patch delivery",[1123,1466,1467],{},"Defined SLAs, no paywall on security patches",[10,1469,1470,1471,1475],{},"Use the ",[101,1472,1474],{"href":1473},"/","Stack Canary assessment tool"," to get a personalised assessment of which requirements you've already met and where to focus your remediation effort.",[1477,1478],"hr",{},[10,1480,1481],{},[1482,1483,1484],"em",{},"Based on Regulation EU 2024/2847 Annex I Parts I and II, EN 18031 series (finalised 2024, harmonised 2025), ENISA CRA implementation guidance (2025). This does not constitute legal advice.",[20,1486,1488],{"id":1487},"sources","Sources",[85,1490,1491,1499,1506,1513,1520,1527],{},[90,1492,1493],{},[101,1494,1498],{"href":1495,"rel":1496},"https://eur-lex.europa.eu/eli/reg/2024/2847/oj/eng",[1497],"nofollow","Regulation (EU) 2024/2847 — Cyber Resilience Act (full text)",[90,1500,1501],{},[101,1502,1505],{"href":1503,"rel":1504},"https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847",[1497],"CRA full text (HTML) — navigate to Annex I",[90,1507,1508],{},[101,1509,1512],{"href":1510,"rel":1511},"https://www.sgs.com/en/news/2025/02/safeguards-02625-eu-harmonizes-en-18031-standards",[1497],"EN 18031 harmonisation — EU Official Journal (January 2025)",[90,1514,1515],{},[101,1516,1519],{"href":1517,"rel":1518},"https://www.enisa.europa.eu/publications/cyber-resilience-act-requirements-standards-mapping",[1497],"ENISA — Cyber Resilience Act Requirements Standards Mapping",[90,1521,1522],{},[101,1523,1526],{"href":1524,"rel":1525},"https://digital-strategy.ec.europa.eu/en/factpages/cyber-resilience-act-implementation",[1497],"European Commission — Cyber Resilience Act implementation",[90,1528,1529],{},[101,1530,1533],{"href":1531,"rel":1532},"https://www.cencenelec.eu/news-events/news/2025/newsletter/ots-59-cybersecurity-standards/",[1497],"CEN-CENELEC — Cybersecurity standards development",{"title":1535,"searchDepth":1536,"depth":1536,"links":1537},"",2,[1538,1542,1557,1567,1572,1573],{"id":22,"depth":1536,"text":23,"children":1539},[1540],{"id":46,"depth":1541,"text":47},3,{"id":67,"depth":1536,"text":68,"children":1543},[1544,1545,1546,1547,1548,1549,1550,1551,1552,1553,1554,1555,1556],{"id":71,"depth":1541,"text":72},{"id":129,"depth":1541,"text":130},{"id":186,"depth":1541,"text":187},{"id":242,"depth":1541,"text":243},{"id":288,"depth":1541,"text":289},{"id":331,"depth":1541,"text":332},{"id":398,"depth":1541,"text":399},{"id":454,"depth":1541,"text":455},{"id":500,"depth":1541,"text":501},{"id":546,"depth":1541,"text":547},{"id":612,"depth":1541,"text":613},{"id":664,"depth":1541,"text":665},{"id":704,"depth":1541,"text":705},{"id":738,"depth":1536,"text":739,"children":1558},[1559,1560,1561,1562,1563,1564,1565,1566],{"id":745,"depth":1541,"text":746},{"id":773,"depth":1541,"text":774},{"id":808,"depth":1541,"text":809},{"id":839,"depth":1541,"text":840},{"id":864,"depth":1541,"text":865},{"id":915,"depth":1541,"text":916},{"id":940,"depth":1541,"text":941},{"id":971,"depth":1541,"text":972},{"id":1002,"depth":1536,"text":1003,"children":1568},[1569,1570,1571],{"id":1006,"depth":1541,"text":1007},{"id":1090,"depth":1541,"text":1091},{"id":1183,"depth":1541,"text":1184},{"id":1204,"depth":1536,"text":1205},{"id":1487,"depth":1536,"text":1488},"2026-04-02","Map all 13 CRA Annex I security requirements and 8 vulnerability handling obligations to concrete firmware engineering tasks. Embedded checklist.","md","/images/blog/previews/annex-i-checklist.svg",[1579,1580,1581,1582,1583,1584],"CRA Annex I checklist","CRA essential requirements","CRA compliance checklist firmware","CRA security requirements embedded","EN 18031 CRA","Annex I Part I",{},"/blog/cra-annex-i-essential-requirements-checklist","14 min",{"title":5,"description":1575},"blog/cra-annex-i-essential-requirements-checklist","ZzUXIYd7w3xIoXDLUbro8xdWYaGRZ0tRaTWmPSEcEBU",1775939691377]