CRA Annex I Requirements
The EU Cyber Resilience Act (Regulation (EU) 2024/2847) sets thirteen essential cybersecurity requirements in Annex I, point 1, plus the umbrella requirement in Article 13 that the product offer a cybersecurity level appropriate to its intended use. The matrix below maps each requirement to the primary and secondary defensive measures available for CAN-based products on this site. Wording in the second column is a short paraphrase for matrix use; the binding text is the regulation itself.
Requirement-to-Measure Matrix
Each row names a CRA requirement, a short description, and the controls that address it. Primary is the most direct control on CAN; secondary is the most common complement. The individual Solutions entries list further mappings that do not fit a single row.
| CRA Req. | Requirement (short) | Measures |
|---|---|---|
| I-1 | Appropriate cybersecurity level | Primary: Risk Assessment (IEC 62443-3-2); Secondary: Defense in Depth |
| I-2a | No known exploitable vulnerabilities | Primary: CVSS tracking; Secondary: Secure Bootloader (to deploy fixes) |
| I-2b | Secure-by-default configuration | Primary: SOFA (configuration locking); Secondary: Secure Bootloader |
| I-2c | Vulnerabilities addressed via updates | Primary: Secure Bootloader |
| I-2d | Protect data integrity, report issues | Primary: Frame Security; Secondary: Anomaly Event Monitoring |
| I-2e | Protect confidentiality of data | Primary: Frame Security; Secondary: SOFA |
| I-2f | Data minimization (only necessary data) | Out of scope (for CAN) |
| I-2g | Protect availability of essential functions | Requires in-depth (pen) testing |
| I-2h | Protect availability of other services | Primary: Bus Load Monitoring; Secondary: Anomaly Event Monitoring |
| I-2i | Limit attack surfaces / interfaces | Primary: Access Limitation; Secondary: Secure Gateways |
| I-2j | Reduce incident impact (mitigation) | Primary: Anomaly Event Monitoring (with appropriate reaction); Secondary: Zoning / Segmentation |
| I-2k | Record and monitor internal activity | Primary: Anomaly Event Monitoring (security event log); Secondary: Bus Load Monitoring |
| I-2l | Allow deletion and factory reset | Primary: Secure Bootloader |
| I-2m | Protect data from unauthorized access | Primary: SOFA; Secondary: Frame Security |
The official CRA text is available on EUR-Lex: Regulation (EU) 2024/2847. Annex I, point 1 carries the I-2a to I-2m enumeration in the order shown above.
Frequently Asked Questions
Where do the requirement numbers I-1 and I-2a to I-2m come from?
They follow the structure of Annex I of the EU Cyber Resilience Act (Regulation (EU) 2024/2847). I-1 is the umbrella requirement that the product must offer a cybersecurity level appropriate to its intended use and risk. I-2a through I-2m enumerate the thirteen essential security properties from Annex I, point 1. The shortened phrasings on this page paraphrase the official wording for matrix use; the binding text is the regulation itself.
Why does each requirement list only a primary and a secondary measure?
Defense in depth typically combines several controls per requirement. The matrix is a quick-reference shortlist: the primary measure is the control most directly addressing the requirement on CAN, the secondary measure is the most common complement. The individual Solutions entries list additional mappings and constraints that do not fit a single-row summary.
Are these mappings legally binding?
No. The mappings are guidance derived from the EmSA reference architecture and the IEC 62443 alignment work. Conformity assessment under the CRA is the responsibility of the manufacturer (and the notified body where applicable). Use this matrix to scope the design discussion, not as a substitute for a documented Risk Assessment.