Annex I is the heart of the CRA. It’s where the EU spells out what it means for a product with digital elements to be “secure.” And it’s not just a checkbox exercise — the requirements impact how we design, build, update, and support our products.
Part I lays out what needs to happen during development: secure-by-default settings, protection against known vulnerabilities, minimising attack surfaces, etc.
Part II shifts the focus to how we handle vulnerabilities: coordinated disclosure, timely patches, and tracking known issues for as long as the product is supported (there’s a minimum support period too).
So the big question is — how are you approaching this?
Have you already matched your current practices against Annex I?
Are there gaps you’re unsure how to handle (e.g. legacy components, SBOMs, or user notifications)?
This thread is for sharing how we’re translating these legal words into day-to-day engineering and product practices. Drop your questions, examples, or frameworks to help the community.