Annex I Requirements
CRA Annex I defines the essential cybersecurity requirements that every product with digital elements must meet. These are organized into two sections.
Section 1: Security Properties
These requirements apply to the product itself.
I.2 — Baseline Security
| Ref | Requirement | Fleet Coverage |
|---|---|---|
| I.2(a) | No known exploitable vulnerabilities | SBOM + vuln enrichment, 11 detectors |
| I.2(b) | Secure by default configuration | CONFIG-* detectors |
I.3 — Security Functions
| Ref | Requirement | Fleet Coverage |
|---|---|---|
| I.3(a) | Protect confidentiality (encryption in transit/at rest) | CRYPTO-*, NET-*, STOR-* detectors + CBOM |
| I.3(b) | Protect from unauthorized access | AUTH-*, NET-SVC-* detectors |
| I.3(c) | Protect availability | NET-SVC-02 (rate limiting), RDPS-AVAIL-* |
| I.3(d) | Protect stored data | STOR-*, CRYPTO-02 (key management) |
| I.3(e) | Minimize negative impact of exploitation | INPUT-*, UPLOAD-* detectors |
| I.3(f) | Minimize attack surfaces | INPUT-*, NET-SVC-04 (unnecessary endpoints) |
| I.3(g) | Secure updates | UPD-* detectors (integrity, versioning, rollback) |
| I.3(h) | Record/monitor relevant activity | LOG-* detectors (events, protection, format) |
Section 2: Vulnerability Handling
These requirements apply to the manufacturer’s processes.
| Ref | Requirement | Fleet Coverage |
|---|---|---|
| II.1 | Identify and document vulnerabilities | VH-ID-* (security.txt, intake channels) |
| II.2 | Address vulnerabilities through security updates | VH-REM-* (SLAs, fix verification) |
| II.3 | Apply effective remediation | Remediation tracking API |
| II.4 | Inform users of vulnerabilities | VH-DIST-* (advisories, notifications) |
| II.5 | Coordinated vulnerability disclosure | VH-DISC-* (policy, CVE, timeline) |
| II.6 | Notify ENISA | VH-REG-* (24h early warning, 72h full notification) |
| II.8 | Regular testing and review | SUPPLY-02 (CI scanning) |
Fleet’s Catalog Structure
Fleet maps these Annex I requirements into a structured catalog:
```
Feature Category (13 categories)
└── Feature (54 features)
    ├── Risk (163 risks, each linking to Annex I)
    └── Requirement (401 requirements)
        ├── Assessment Method
        └── Evidence Type: Auto | Semi | Doc | Test
```
The 13 Assessment Categories
- Network Communications — DB connections, API calls, exposed services
- Authentication & Identity — User auth, API tokens, sessions
- Data Storage — Local storage, cloud storage, encryption at rest
- Cryptography — Algorithms, key management, PRNG
- Input Handling — Injection, XSS, path traversal, uploads
- Secure Update Mechanism — Delivery, integrity, versioning, firmware
- Security Logging & Monitoring — Events, protection, format, retention
- Third-Party Components — SBOM, OSS due diligence, commercial, SaaS
- Configuration & Deployment — Secure defaults
- Vulnerability Handling — Identification, triage, remediation, disclosure
- AI Components — Model integrity, prompt injection, data exposure
- Remote Data Processing — RDPS classification, data protection
- Hardware & Physical Security — Component inventory, interfaces, secure boot
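As an added illustration of the catalog hierarchy described above (Feature Category → Feature → Risk → Requirement, each requirement carrying an Assessment Method and an Evidence Type), the following Python model rolls the evidence type of every requirement back up to the Annex I references its risk cites and flags references that rest on documentation alone. This is example code written for this page, not Fleet's data model, data or API: the class names, the sample catalog rows, the detector identifiers inside them and the rule that only Auto or Test evidence counts as strong are all constructed for the example.

```python
"""Toy model of a Feature Category -> Feature -> Risk -> Requirement catalog
and an Annex I coverage report built from it.

Everything here (class names, sample rows, detector identifiers, the
"Auto or Test counts as strong evidence" rule) is constructed for this
example; it is not Fleet's data model, data or API.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# The four evidence types named in the catalog structure on this page.
EVIDENCE_TYPES = ("Auto", "Semi", "Doc", "Test")


@dataclass(frozen=True)
class Requirement:
    ref_id: str             # constructed detector/requirement id, e.g. "VH-ID-01"
    text: str
    assessment_method: str  # how the requirement is checked
    evidence_type: str      # one of EVIDENCE_TYPES

    def __post_init__(self) -> None:
        if self.evidence_type not in EVIDENCE_TYPES:
            raise ValueError(f"unknown evidence type {self.evidence_type!r}")


@dataclass
class Risk:
    risk_id: str
    annex_refs: tuple[str, ...]  # Annex I references this risk links to, e.g. ("I.3(a)",)
    requirements: list[Requirement] = field(default_factory=list)


@dataclass
class Feature:
    name: str
    risks: list[Risk] = field(default_factory=list)


@dataclass
class FeatureCategory:
    name: str
    features: list[Feature] = field(default_factory=list)


def annex_coverage(categories: list[FeatureCategory]) -> dict[str, set[str]]:
    """Map each Annex I reference to the set of evidence types backing it."""
    coverage: dict[str, set[str]] = defaultdict(set)
    for category in categories:
        for feature in category.features:
            for risk in feature.risks:
                for req in risk.requirements:
                    for ref in risk.annex_refs:
                        coverage[ref].add(req.evidence_type)
    return dict(coverage)


def weakly_evidenced(categories: list[FeatureCategory], expected_refs: tuple[str, ...]) -> list[str]:
    """Annex I refs (from expected_refs) with no Auto or Test evidence behind them:
    either unmapped in the catalog or supported by documentation/semi-automated checks only."""
    cov = annex_coverage(categories)
    return sorted(ref for ref in expected_refs if not (cov.get(ref, set()) & {"Auto", "Test"}))


# Constructed sample catalog (not Fleet's): two categories, three risks.
SAMPLE_CATALOG = [
    FeatureCategory("Cryptography", [
        Feature("TLS for outbound connections", [
            Risk("R-CRYPTO-01", ("I.3(a)",), [
                Requirement("CRYPTO-01", "TLS 1.2+ enforced on outbound connections",
                            "Static scan of client configuration", "Auto"),
            ]),
        ]),
    ]),
    FeatureCategory("Vulnerability Handling", [
        Feature("Intake channel", [
            Risk("R-VH-01", ("II.1", "II.5"), [
                Requirement("VH-ID-01", "security.txt published",
                            "Fetch /.well-known/security.txt", "Auto"),
                Requirement("VH-DISC-01", "CVD policy documented",
                            "Review policy document", "Doc"),
            ]),
        ]),
        Feature("ENISA notification", [
            Risk("R-VH-02", ("II.6",), [
                Requirement("VH-REG-01", "24h early-warning procedure documented",
                            "Review runbook", "Doc"),
            ]),
        ]),
    ]),
]

# The Section 2 references listed on this page.
ANNEX_SECTION_2 = ("II.1", "II.2", "II.3", "II.4", "II.5", "II.6", "II.8")

if __name__ == "__main__":
    for ref, kinds in sorted(annex_coverage(SAMPLE_CATALOG).items()):
        print(f"{ref}: {sorted(kinds)}")
    # With the sample data: II.2, II.3, II.4 and II.8 are unmapped, II.6 is Doc-only.
    print("needs stronger evidence:", weakly_evidenced(SAMPLE_CATALOG, ANNEX_SECTION_2))
```

Because a risk links to one or more Annex I references, the roll-up answers the question an assessor asks of the catalog: for each essential requirement, which kind of evidence exists at all, and which references are covered only by documents rather than by an automated detector or a test.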