Milan Stute

Do resilience. Build simply.

Leveraging the upcoming CRA standards to build successful products and a resilient European society.

  10 min read

The upcoming standards for the EU Cyber Resilience Act (CRA) not only help shape the resilience of the European society but also offer manufacturers an opportunity to build genuinely better products. The standards promote simplicity as a core design principle, which successful products have already adopted. However, those real-world examples also remind us that building resilient products is hard, requiring focus and engineering excellence.

Contributing to a resilient European society

It is easy to approach the CRA as a compliance burden and focus only on deadlines, cost, and liability. And while that is understandable, it misses the CRA’s main point, stated directly in Recital (1):

Cyberattacks represent a matter of public interest as they have a critical impact not only on the Union’s economy, but also on democracy as well as consumer safety and health.

The rise in product security defects1 and product security-related incidents over the past decades is not a natural “law” or “phenomenon.” It is the result of an exploding number of connected products and technology that have outpaced security practices, a trend that is accelerated in the face of AI. Recognising that these factors are human-made gives us the option to challenge and change them.

Recital (1) reminds us that manufacturers2 help shape the resilience of the societies their products operate in. And I believe that they should embrace that responsibility, while seizing its opportunities.

Building simple, secure, and successful products

In this article, I’m going to make the case that by reducing complexity and instead striving for simplicity, organisations build better products that are likely to be more competitive.

Complexity is the worst enemy of security.—Bruce Schneier (1999)

The “Eierlegende Wollmilchsau,” a German term used to describe something that seems to satisfy all possible needs all at once, is not a recipe for success. Bloat leads to vast configuration options which may produce invalid, insecure, or unsafe states; and obscure features which might not be maintained rigorously and, therefore, have a higher risk of containing defects. Every feature and every line of code added creates new liability. Even high-profile open-source projects such as OpenSSL have defects that have gone unnoticed for decades. One can only conjecture how many defects are lurking in less visible and proprietary systems, something that recent AI-supported cybersecurity tools might soon reveal at scale.

So, what is the alternative? Simplicity and focus, which facilitate reasoning and reduce the risk of security defects. Apart from improving security, there is at least anecdotal evidence that products embracing focus and simplicity are genuinely superior. For example, the success of Apple and its products has at least partially been attributed to Steve Jobs’ mantra of focus and simplicity (note this was before Apple became a trillion-dollar company).

Simplicity and the 41 CRA standards

The European Commission has requested a total of 41 (!) standards to be developed by CEN, CENELEC, and ETSI: 15 horizontal standards that apply to all products in scope of the CRA, and 26 vertical standards that apply to specific product categories only. The vertical standards are expected to be harmonised, enabling manufacturers to leverage the presumption of conformity rule when demonstrating compliance, which is especially relevant for important Class I products.

While I can see the motivation of the European Commission to split requirements into multiple standards, i.e., the mere breadth of products the CRA applies to, having to deal with 41 standards sounds neither focused nor simple. However, when looking closely at the 15 horizontal standards, they are mapped directly to the 15 essential requirements set out in Annex I of the CRA, which encode well-known security best practices.

In the following, I will look at a selection of them, explain their intent, and discuss relevant real-world product examples.

Secure-by-default configuration

Most users neither want nor know how to configure security controls. Secure-by-default configurations (Annex I, Part 1, (2b) of CRA) therefore mean reducing risky choices through user-centric onboarding, no default credentials, adopting deny-by-default access policies, and automatic security updates.

A good example is Caddy. It can deploy a production-ready HTTPS reverse proxy with a single command:

$ caddy reverse-proxy --from example.com --to :9000

Behind the scenes, Caddy requests and renews the necessary TLS certificates via ACME automatically, which reduces the chance of insecure deployment due to accidental misconfigurations.

Another interesting example is Apple’s robust configuration options for AirDrop. By default, users can receive content from contacts only. They can temporarily allow content from anyone nearby, but the setting resets after 10 minutes automatically. The automatic reset demonstrates balancing usability with a secure default, which reduces users’ indefinite exposure from insecure settings, just because they decided to share that selfie with an acquaintance during their last vacation.

Data minimisation

The principle of data minimisation (Annex I, Part 1, (2g) of CRA) is simple: what is not there, cannot be leaked. In other words, products should only collect, store, or process the data they need to fulfil their purpose. Creating an inventory of what data is processed and why is the first step for improving data minimisation.

For example, the Signal and Threema messengers aim to minimise the data processed on their servers. In Signal’s case, cleartext messages remain exclusively on end-user devices, while the service stores only the users’ phone numbers and the time of their last online activity.

Failures of data minimisation are common in consumer products, from vacuum robots storing and uploading intimate pictures from homes, voice assistants recording private conversations, and, more recently, misconfigured AI tools leaking user data and private conversations.

Service availability

Service availability (Annex I, Part 1, (2h) of CRA) depends on careful architectural and technological choices.

One positive example is Cloudflare’s use of anycast to deliver services globally under shared IP addresses. This provides automatic failover in case of local outages and typically improves latency at the same time.

Negative examples include IoT devices that depend on Internet connectivity or a vendor-operated cloud service to provide their core functionality. That core functionality becomes unavailable if the local Wi-Fi network fails, the cloud service is unavailable, or the operator shuts the service down permanently. As a mitigation, products should offer (potentially degraded) core functionality through local interfaces such as physical controls, Wi-Fi, or Bluetooth.

Attack surface reduction

Attack surface reduction (Annex I, Part 1, (2j) of CRA) means disabling or removing components that are not needed for the product to function. This includes physical interfaces such as debug ports, logical interfaces such as APIs, and unnecessary software dependencies or cloud integrations. This topic often triggers hard but important discussions.

One such discussion was triggered when researchers discovered undocumented commands in the widely used ESP32 microchip. In response, the manufacturer removed them via firmware updates.

Products such as Talos and IncusOS show how to reduce attack surface in practice: Both hypervisor operating systems feature immutable system images, which protect against persistent malware. Also, they disable local shells in favor of a web-based management API, which narrows the attack surface and allows development teams to focus on hardening a single API.

Simple ≠ easy

Resilient products do not happen by accident. They require careful analysis of intended use and context. They require pairing domain knowledge with deep technical expertise. They require understanding design and technology intricacies, cutting through noise, and making informed decisions. This is true for all projects, on all levels and at all scales, from reusable software libraries and hardware components to fully integrated products and large-scale ecosystems.

Creating resilient products is hard. But they are necessary for a successful society. So, let’s build simply.

  1. Former CISA director Jen Easterly prefers the term product defect over vulnerability to attribute responsibilities clearly.

  2. The CRA also has importers and distributors in scope. However, I’ll try to keep this article generally simple with respect to details, as there are other great resources and articles dissecting the intricacies of the CRA.