ADVISORI FTC GmbH

Transformation. Innovation. Security.

Office Address

Kaiserstraße 44

60329 Frankfurt am Main

Germany

Contact

info@advisori.de, +49 69 913 113-01

Mon-Fri: 9:00 AM - 6:00 PM

© 2024 ADVISORI FTC GmbH. All rights reserved.

Secure default configurations in accordance with CRA requirements

CRA Cyber Resilience Act - Security by Default

Security by default is a core CRA requirement. Digital products must be securely configured out of the box without users needing additional security measures.

  • ✓ Full CRA conformity for default configurations
  • ✓ Minimisation of security risks through secure factory settings
  • ✓ Reduction of user misconfiguration through secure defaults
  • ✓ Strengthening trust in your digital products

Certifications, Partners and more...

ISO 9001 Certified, ISO 27001 Certified, ISO 14001 Certified, BeyondTrust Partner, BVMW Bundesverband Member, Mitigant Partner, Google Partner, Top 100 Innovator, Microsoft Azure, Amazon Web Services

CRA Secure by Default: Safe Factory Settings for Digital Products

Why ADVISORI for Secure by Default

  • Hands-on experience with CRA Annex I requirements and BSI guidance
  • Specialisation in secure product configurations and default hardening
  • End-to-end approach: technical implementation, documentation and conformity assessment
  • Experience with CE marking and EU declarations of conformity for software products

CRA Obligation from 2026

The mandatory reporting of actively exploited vulnerabilities applies from September 2026. Full secure by default requirements take effect from December 2027. Manufacturers must begin implementation now.

ADVISORI in Numbers

  • 11+ Years of Experience
  • 120+ Employees
  • 520+ Projects

We work with you to develop a systematic Security by Default strategy that ensures both technical excellence and CRA compliance.

Our Approach:

  • Assessment of current product configurations and security settings
  • Identification of CRA-relevant Security by Default requirements
  • Design and development of secure default configurations
  • Implementation and testing of Security by Default measures
  • Validation of CRA conformity and final documentation

"ADVISORI helped us make our product configurations fully CRA-compliant. Through the professional Security by Default implementation, we were able to significantly improve both the security and the usability of our products."
Sarah Richter

Head of Information Security, Cyber Security

Expertise & Experience:

10+ years of experience, CISA, CISM, Lead Auditor, DORA, NIS2, BCM, Cyber and Information Security

Our Services

We offer you tailored solutions for your digital transformation

Security by Default Gap Analysis

Comprehensive assessment of your current product configurations against CRA Security by Default requirements.

  • Detailed analysis of current default configurations
  • Identification of CRA compliance gaps
  • Risk assessment of insecure factory settings
  • Roadmap for Security by Default implementation

Implementation of Secure Defaults

Technical implementation and integration of Security by Default principles into your product development.

  • Design of secure default configurations
  • Integration into development and deployment processes
  • Automated security configuration management
  • Continuous monitoring and validation

Our Competencies in CRA Cyber Resilience Act Product Security Requirements

Choose the area that fits your requirements

CRA Cyber Resilience Act - Vulnerability Management

The Cyber Resilience Act requires structured vulnerability management for digital products throughout their entire lifecycle. We support you in implementing CRA-compliant vulnerability management processes and fulfilling all reporting and documentation obligations.

CRA Cyber Resilience Act Security-by-Design

Security by design is the most important CRA requirement. Cybersecurity must be integrated into product development from the first design phase.

CRA Cyber Resilience Act Update Management

The Cyber Resilience Act requires manufacturers under Art. 10 and Annex I Part II to provide security updates throughout the entire product lifecycle, with a minimum of 5 years. Updates must be free, timely, and separated from feature updates. Every actively exploited vulnerability must be reported to ENISA within 24 hours.

Frequently Asked Questions about CRA Cyber Resilience Act - Security by Default

What does secure by default mean under the Cyber Resilience Act?

Secure by default under the CRA means digital products must ship with the most secure available configurations out of the box. Specifically, the CRA mandates: no weak default passwords, encrypted communication as the default setting, automatic installation of security updates (with opt-out option) and disabling of unnecessary services. The BSI describes this as the configuration principle where default settings must actively contribute to enhancing product security.

When do CRA secure by default requirements take effect?

CRA requirements are phased in: from September 2026, manufacturers must report actively exploited vulnerabilities to ENISA and the relevant CSIRT within 24 hours. Full secure by default requirements under Annex I apply from December 2027 for all new products with digital elements placed on the EU single market.

What is the difference between secure by default and secure by design?

Secure by design refers to integrating security throughout the entire product development process from the start. Secure by default concerns the delivery configuration: the product must be securely configured for the end user without requiring additional steps. The CRA requires both: security must be built into the architecture (by design) and default settings must provide maximum security (by default).

What specific secure by default measures does the CRA require?

The CRA requires, among other things: a prohibition of generic or weak default passwords; automatic security updates with an opt-out option for users; separation of security and feature updates where feasible; encrypted communication by default; a minimal attack surface through disabling unnecessary interfaces and services; and secure authentication mechanisms and access controls out of the box.

What are the penalties for CRA secure by default non-compliance?

Non-compliance with essential cybersecurity requirements including secure by default can result in fines of up to EUR 15 million or 2.5 percent of global annual turnover. Additionally, market surveillance authorities can order the recall of non-compliant products or prohibit their placement on the EU market.

Does secure by default apply to all CRA product categories?

Yes, secure by default applies to all three CRA product categories: standard products, important products (Class I and II) and critical products. The difference lies in the conformity assessment procedure: standard products may use self-assessment under Module A, while important and critical products require third-party assessment. The secure by default requirements themselves are identical across categories.

How does ADVISORI support CRA secure by default implementation?

ADVISORI guides manufacturers from gap analysis through to CRA-compliant implementation: we assess existing default configurations against CRA Annex I, develop secure default profiles, support implementation of automatic update mechanisms, conduct penetration testing of factory settings and prepare technical documentation for the EU declaration of conformity.
