Let’s get this straight: the CRA does not explicitly require full disk encryption. But that doesn’t mean you can ignore data protection entirely.
What the CRA Actually Says
The CRA, in Annex I, Part I, point (1), requires that products with digital elements be designed, developed, and produced to ensure protection of data (including personal data) against unauthorised access or modification—both at rest and in transit.
Encryption is not mandated by name, but it’s the obvious solution to meet this requirement in many cases.
So, Is Full Disk Encryption Required?
Not directly, but if your product stores sensitive data (e.g. credentials, personal info, logs) locally, you must ensure that data is secure at rest. Full disk encryption is a strong, widely accepted way to meet that expectation, especially on embedded devices, mobile apps, or edge gateways.
Other valid approaches could include:
- File-level or database encryption
- Hardware-based Trusted Platform Modules (TPMs)
- Secure enclaves for specific operations
Ultimately, it’s up to you to show that your technical solution meets the data protection requirements under Annex I.
When Should You Encrypt?
The CRA doesn’t say “encrypt at this stage”, but:
- The design and development phase must already factor in how to secure data at rest.
- If you handle personal data, especially under GDPR, encryption becomes more than just good practice.
So plan encryption early, not as a patch bolted on at the end.
How to Encrypt? Any Standards?
The CRA doesn’t dictate how to encrypt, but if you follow harmonised standards (once they are published), your product will be presumed compliant under Article 27(1).
In the meantime, follow:
- ISO/IEC 27001 or ISO/IEC 15408 (Common Criteria)
- ETSI EN 303 645 for IoT devices
- NIST SP 800-111 (for full disk encryption practices)
Example Scenarios
- IoT device storing user settings or logs → consider encrypting the whole storage or at least key config files.
- SaaS client app with cached credentials → encryption or secure keychain storage is a must.
- Embedded device with firmware updates → secure boot and encryption of update packages, possibly full disk encryption if data is stored long-term.
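The file-level option from the first scenario, encrypting key config files rather than the whole disk, as an added Go example that is not part of the original post: it assumes AES-256-GCM from the Go standard library, a constructed file name `settings.json` and a constructed key that a real device would release from a TPM or secure element instead. Authenticated encryption is used deliberately, because Annex I asks for protection against modification as well as unauthorised access, and a plain cipher would only cover the latter.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)
// newAEAD builds AES-256-GCM; key must be exactly 32 bytes.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// sealConfig encrypts one config file. fileID is bound in as associated data so a
// valid blob cannot be copied from one file into another. On-disk layout: nonce||ct||tag.
func sealConfig(key []byte, fileID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(fileID)), nil
}
// openConfig fails on any change to nonce, ciphertext, tag or fileID (the "modification" half).
func openConfig(key []byte, fileID string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("config blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(fileID))
}
func main() {
	key := make([]byte, 32) // constructed; a real product releases this from a TPM or secure element
	io.ReadFull(rand.Reader, key)
	blob, _ := sealConfig(key, "settings.json", []byte(`{"mqtt_pass":"s3cret"}`)) // constructed data
	blob[len(blob)-1] ^= 1 // simulate on-disk tampering
	_, err := openConfig(key, "settings.json", blob)
	fmt.Println("tamper detected:", err != nil) // prints "tamper detected: true"
}
```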
Encryption might not be spelled out in the CRA, but if you’re storing sensitive data, you’ll likely need it to prove you’re secure “by design and default.”