CRA topic guide

Secure by default under the CRA

Last updated · 8 Jun 2026

Secure by default is the CRA requirement that a product is safe the moment it is switched on - without the user having to be a security expert. No weak default passwords, unnecessary features switched off, and the ability to reset to a secure state. It is part of the Annex I essential requirements that apply from 11 December 2027.

TL;DR

  • Secure by default means the out-of-the-box configuration is the safe configuration.
  • It bans weak or hard-coded default passwords and unnecessary exposed services.
  • Users must be able to reset the product to its original (secure) state.
  • It is an Annex I, Part I essential requirement - mandatory, not advisory.

Overview

What it is

Secure by default shifts the burden of security away from the user. Historically, devices shipped with admin/admin credentials, open management ports and every feature enabled - leaving non-expert users exposed unless they hardened the device themselves. The CRA flips this: the default state must already be the secure state. Where a product cannot ship fully locked down (e.g. an enterprise device that must be configured), it must still be delivered with a secure baseline and clear guidance.

The regulation

What the CRA requires

  • Annex I, Part I requires products to be made available "with a secure by default configuration, unless otherwise agreed between manufacturer and business user", including the possibility to reset the product to its original state.
  • Products must protect against unauthorised access, which in practice rules out weak or unchangeable default passwords.
  • The attack surface, including external interfaces, must be minimised by default.
  • Where automatic security updates are appropriate, they should be enabled by default with the ability to opt out.

How to comply

  1. Eliminate shared/default passwords: require a unique credential at setup or generate a per-device secret.
  2. Disable non-essential services, ports and accounts in the shipped configuration.
  3. Turn automatic security updates on by default where appropriate, with a clear opt-out.
  4. Provide a reliable "reset to secure factory state" function.
  5. Document the secure baseline and any configuration the user must complete to stay secure.
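As an added example (not taken from the CRA text or from any manufacturer's code), a small Python audit that checks a shipped configuration against steps 1 to 4 above and also checks the state a factory reset restores. The configuration dicts, the service names, the set of "essential" services and the list of product-line default passwords are all constructed for illustration.

```python
import secrets
import string

# Assumption: only the management UI is needed on first boot; everything else is non-essential.
ESSENTIAL_SERVICES = {"https-admin"}
# Constructed list of passwords that were shared across a whole product line.
SHARED_DEFAULTS = {"admin", "password", "1234"}

def per_device_secret(length=16):
    """Generate a unique, high-entropy setup credential for one unit (step 1)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def audit(config):
    """Return secure-by-default findings for one configuration; an empty list means the baseline is met."""
    findings = []
    cred = config["admin_credential"]
    if cred["password"] in SHARED_DEFAULTS or cred["shared_across_line"]:
        findings.append("shared or weak default admin password")
    if not cred["per_device"] and not cred["must_change_at_setup"]:
        findings.append("credential is neither per-device nor forced to change at setup")
    for svc in config["enabled_services"]:           # step 2: minimise exposed services
        if svc not in ESSENTIAL_SERVICES:
            findings.append(f"non-essential service enabled by default: {svc}")
    if not config["auto_security_updates"]:          # step 3: updates on by default
        findings.append("automatic security updates disabled")
    return findings

def audit_with_reset(shipped, factory_image):
    """Step 4: the image a factory reset restores must pass the same checks as the shipped config."""
    return {"shipped": audit(shipped), "after_reset": audit(factory_image)}

# Constructed sample configurations: a legacy device and a compliant one.
INSECURE = {
    "admin_credential": {"password": "admin", "shared_across_line": True,
                         "per_device": False, "must_change_at_setup": False},
    "enabled_services": ["https-admin", "telnet", "upnp"],
    "auto_security_updates": False,
}
SECURE = {
    "admin_credential": {"password": per_device_secret(), "shared_across_line": False,
                         "per_device": True, "must_change_at_setup": True},
    "enabled_services": ["https-admin"],
    "auto_security_updates": True,
}

if __name__ == "__main__":
    for name, cfg in (("insecure", INSECURE), ("secure", SECURE)):
        print(name, audit(cfg) or "baseline met")
    # A device whose reset image is the old insecure build fails even if it ships secure.
    print(audit_with_reset(SECURE, INSECURE))
```

The last call reproduces the "factory reset restores an insecure original state" mistake from the Watch out section: the shipped configuration passes, the reset image does not.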

Watch out

Common mistakes

  • Shipping a single hard-coded admin password across an entire product line.
  • Enabling every feature and interface by default "for convenience".
  • Offering a factory reset that restores an insecure original state.
  • Relying on the user to read the manual and harden the device themselves.

FAQ

Common questions

Does secure by default ban all default passwords?
It effectively bans weak, shared or unchangeable default passwords. Acceptable approaches include forcing a unique password at first setup or shipping a unique per-device credential.

Can a product ship not fully locked down?
For business users, the manufacturer and user may agree a different configuration. Even then, the product must offer a secure-by-default baseline and the ability to reset to a secure state.

Is secure by default mandatory?
Yes - it is part of the Annex I essential requirements that apply in full from 11 December 2027, and sits in the highest penalty tier if breached.

This is guidance, not legal advice

This guide explains how the Cyber Resilience Act approaches secure by default, but it is not legal advice. For decisions specific to your business or product, confirm with the official sources we link or a qualified adviser.

Sources

  1. European Commission - CRA legislative summary (retrieved 8 Jun 2026)
  2. Regulation (EU) 2024/2847 - full text (EUR-Lex) (retrieved 8 Jun 2026)
