
Annex I, Part I, point (2)(b) of Regulation (EU) 2024/2847 requires your product to be made available on the market with a secure by default configuration, including the possibility to reset the product to its original state. If your router ships with a default password of "admin," your camera streams over HTTP, or your sensor accepts unsigned firmware, you have a compliance problem. CRACheck documents how your defaults meet the requirement.

"Secure by default" is not a marketing phrase under the CRA. Annex I, Part I, point (2)(b) makes it a legal requirement with enforceable consequences under Art. 64(2). The product must ship with secure defaults unless manufacturer and business user have explicitly agreed otherwise for a tailor-made product. The user must have an opt-out mechanism for automatic security updates, not an opt-in. Art. 13(1) makes you responsible for ensuring the product was "designed, developed and produced in accordance with the essential cybersecurity requirements." CRACheck structures your Annex I compliance documentation in 15–25 minutes. €149.

Generate CRA dossier — €149
Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side

Secure-by-default requirements at a glance

Part I(2)(b): Legal basis for secure-by-default
Reset: Factory reset to secure state required
Opt-out: Auto-updates enabled by default, user can opt out

How to implement and document secure defaults

1. Audit current defaults. Review every factory setting: credentials, protocols, ports, encryption, logging, update mechanisms. Map each against Annex I, Part I, point (2).
2. Identify non-secure defaults. Flag open ports, default credentials, unencrypted channels, disabled auto-updates, verbose error messages, unnecessary services.
3. Implement secure defaults. Replace non-secure settings with hardened configurations. Enable automatic security updates with an opt-out mechanism per Annex I, Part I, point (2)(c).
4. Implement factory reset. Annex I, Part I, point (2)(b) requires the possibility to reset to the original (secure) state. Ensure reset returns the product to the documented secure configuration, not to a weaker factory state.
5. Document in the technical file. Annex VII, point 2(a) requires a description of design and development, including how the security requirements are implemented.
6. Run CRACheck. Input your product data and default configuration details. CRACheck generates the Risk Assessment, Technical Documentation, and User Information covering your secure-by-default implementation.

Three mistakes manufacturers make with secure defaults

DEFAULT CREDENTIALS

Shipping a product with shared default passwords or no authentication

Annex I, Part I, point (2)(d) requires protection from unauthorised access through "appropriate control mechanisms, including authentication." A shared default password across all units is not appropriate. Unique-per-device credentials or forced setup is the compliant approach.

OPT-IN UPDATES

Shipping with automatic security updates disabled by default

Annex I, Part I, point (2)(c) requires automatic security updates "enabled as a default setting, with a clear and easy-to-use opt-out mechanism." The default must be ON. The user may turn it off. Shipping with auto-update off and asking the user to enable it inverts the regulatory requirement.

INSECURE RESET

Factory reset returns the product to a state weaker than the documented secure default

Annex I, Part I, point (2)(b) ties the reset function to the secure default configuration. If your reset restores a pre-hardening firmware or re-enables disabled services, it violates the requirement. The reset target must be the documented secure state.
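As an added illustration (not CRACheck's code), the following constructed audit checks a device's factory defaults against the three mistakes above and the point (2) sub-requirements referenced in the six-step procedure, including whether the factory-reset target is the documented secure state. The field names and the sample router configurations are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Defaults:
    """Factory settings relevant to Annex I, Part I, point (2). Field names are constructed."""
    credential_mode: str          # "per_device", "forced_setup" or "shared"
    management_protocol: str      # "https" or "http"
    auto_update_enabled: bool     # point (2)(c): must be True as shipped
    auto_update_opt_out: bool     # point (2)(c): user must be able to turn it off
    signed_firmware_only: bool    # accepting unsigned firmware fails (2)(b)
    open_services: frozenset      # extra services listening out of the box

def audit(cfg: Defaults) -> list[str]:
    """Return one finding per non-secure default, tagged with the sub-point it fails."""
    findings = []
    if cfg.credential_mode == "shared":
        findings.append("(2)(d) shared default credential; use per-device or forced setup")
    if cfg.management_protocol != "https":
        findings.append("(2)(e) management interface is unencrypted")
    if not cfg.auto_update_enabled:
        findings.append("(2)(c) automatic security updates are off by default")
    elif not cfg.auto_update_opt_out:
        findings.append("(2)(c) no opt-out mechanism for automatic updates")
    if not cfg.signed_firmware_only:
        findings.append("(2)(b) unsigned firmware is accepted")
    for svc in sorted(cfg.open_services):
        findings.append(f"(2)(b) unnecessary service enabled by default: {svc}")
    return findings

def audit_reset(documented_secure: Defaults, reset_target: Defaults) -> list[str]:
    """Point (2)(b): reset must land on the documented secure state, not a weaker one."""
    findings = audit(reset_target)
    if reset_target != documented_secure:
        findings.append("(2)(b) reset target differs from the documented secure configuration")
    return findings

# Constructed samples: a router as shipped, the hardened state its technical file documents,
# and a stale reset image that predates the hardening.
AS_SHIPPED = Defaults("shared", "http", False, False, False, frozenset({"telnet", "upnp"}))
SECURE = Defaults("per_device", "https", True, True, True, frozenset())
OLD_RESET_IMAGE = Defaults("per_device", "https", False, True, True, frozenset())

if __name__ == "__main__":
    for finding in audit(AS_SHIPPED):
        print(finding)
    print(audit_reset(SECURE, SECURE))           # [] : reset lands on the documented state
    print(audit_reset(SECURE, OLD_RESET_IMAGE))  # two findings: updates off, target differs
```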

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier: Category per Annex III/IV. Smart home products with security functionalities (Class I, item 17) and IoT toys (item 18) face particular scrutiny on default configurations.
2. Technical Documentation: Annex VII, point 2(a): design and development description covering how the secure-by-default configuration was implemented. Point 3: risk assessment showing how defaults mitigate identified risks.
3. Risk Assessment: Per Art. 13(2)–(3). Maps each Annex I, Part I, point (2) sub-requirement to your product defaults: authentication (d), encryption (e), data minimisation (g), auto-updates (c), reset (b).
4. User Information: Annex II, point 8(a): instructions on "the necessary measures during initial commissioning and throughout the lifetime of the product to ensure its secure use." Point 8(e): how to turn off auto-updates.
5. Declaration of Conformity: Per Art. 28 and Annex V.
6. CVD Policy: Per Annex I, Part II, point (5). Vulnerability reporters may identify weaknesses in your default configuration; the CVD policy provides the channel for receiving those reports.
7. Notification Template: Per Art. 14. A vulnerability in a default configuration triggers the 24h/72h/14-day reporting pipeline.
8. Obligations Calendar: Key dates through the support period.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

The alternative

Hiring a penetration testing firm to audit your default configurations and a compliance consultant to document the findings per Annex VII.

€8,000–€18,000
4–8 weeks. Covers one product revision. New revision, new engagement.
Last regulatory check: 1 May 2026 · No substantive changes detected