OBL-ART13-01 (Binding)

Ensure product security throughout its lifecycle (secure by design)

Applies to
Manufacturer
Source references
Art. 13(1), Art. 13(2), Annex I Part I §1
Product classes
default, important-class-i, important-class-ii, critical
Last reviewed

Plain language

Your product must be built with security in mind from day one. This means identifying security risks before you ship, making security decisions during design (not as an afterthought), and continuing to address security throughout the product's supported life. Think of it as "security by design" — you need a documented process, not just good intentions.

Legal text

Article 13(1) of Regulation (EU) 2024/2847 requires manufacturers of products with digital elements to ensure that the products are designed, developed and produced in accordance with the essential cybersecurity requirements set out in Annex I Part I.

Article 13(2) further requires manufacturers to carry out an assessment of the cybersecurity risks associated with the product with digital elements, taking into account the risks to the security and safety of users.

Key requirements

  1. Risk assessment at the design stage — identify and document security risks
  2. Secure development process — apply Annex I Part I requirements throughout
  3. Default secure configuration — no default insecure states
  4. Attack surface minimisation — disable unnecessary functions and ports
  5. Lifecycle security — security addressed at design, development, and production

Evidence you may need

  • Product cybersecurity risk assessment (documented)
  • Secure development lifecycle policy
  • Architecture and design documents showing security decisions
  • Test records demonstrating Annex I compliance