This technical guideline focuses on the essential cybersecurity requirements of Annex I, Part I of the CRA. It translates the obligations of Annex I, Part I – points 1 and 2 into non-exhaustive and tentative practical suggestions to support compliance with the CRA, based on recognised best practices, common approaches, and existing standards in the cyber domain. It is therefore suited to mSMEs with some expertise in cybersecurity and the CRA, or to readers who have first consulted the beginner-friendly guideline CRA101: Understanding CRA Obligations.
The guideline focuses on four components: (1) a risk-based cybersecurity approach, which sets out possible approaches to the risk assessment, tailored security measures, and a reflection on threat models, attack surfaces and impacts; (2) the secure-by-design/default principle; (3) security management duties throughout a product’s lifecycle; (4) supply chain considerations and controls. For further guidance beyond Annex I, the CRA Methodological Compliance Assessment Framework can be consulted. Any recommendations made here are suggestive only, pending further guidance from the European Commission.