How does the secure-by-default requirement work?
On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall: […] be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state (Annex I, Part I, point 2(b)).
Manufacturers are required to place products with digital elements on the market with a secure by default configuration, in light of that product’s intended purpose and reasonably foreseeable use, and on the basis of the manufacturer’s cybersecurity risk assessment.
Where manufacturers place on the market a component for integration into another product with digital elements, they do not retain control over how the integrating manufacturer adjusts the component's configuration. The obligation to ensure a secure-by-default configuration therefore applies only to the component as placed on the market separately, and not to how it is later configured or deployed by integrating manufacturers.
For example, the manufacturer of a cryptographic library may be required, on the basis of its risk assessment, to place that library on the market with insecure or deprecated algorithms disabled by default, or certificate validation enabled by default. The integrating manufacturer may decide to change some of those settings when developing its own product with digital elements. The manufacturer of the cryptographic library is only responsible for the configuration that the library is delivered with, and not for subsequent modifications that its integrator makes.
Similarly, the manufacturer of a microcontroller with a built-in network stack may be required, on the basis of its risk assessment, to place the microcontroller on the market with the network interfaces disabled by default. The integrating manufacturer may then decide to enable them to meet its own product’s intended purpose. The manufacturer of the microcontroller is only responsible for the configuration that the microcontroller is delivered with, and not for subsequent modifications that its integrator makes.
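As an added illustration of the cryptographic library example above (this is not code from the Commission, from the CRA, or from any real library; the names SecureTlsDefaults, TlsClientLibrary and audit are assumptions made for this example), the following Python models the three states the entry distinguishes: the configuration the library manufacturer delivers, an integrator's later change, and the reset to the original state that Annex I, Part I, point 2(b) refers to. Python's standard ssl module is used so that the resulting configuration can actually be inspected.

```python
"""Secure-by-default configuration of a hypothetical TLS client library.

Added example for this FAQ entry, not code from the Commission or from any
real library. SecureTlsDefaults, TlsClientLibrary and audit() are names
assumed for illustration.
"""
import dataclasses
import ssl


@dataclasses.dataclass(frozen=True)
class SecureTlsDefaults:
    """The configuration the library manufacturer ships (its "original state")."""
    minimum_version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2  # TLS 1.0/1.1 disabled
    verify_certificates: bool = True                          # certificate validation on
    check_hostname: bool = True                               # name must match the certificate
    # Forward-secret AEAD suites only; anonymous, NULL and MD5 suites excluded.
    ciphers: str = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5"


FACTORY_DEFAULTS = SecureTlsDefaults()


class TlsClientLibrary:
    """Component placed on the market with FACTORY_DEFAULTS applied."""

    def __init__(self) -> None:
        self.settings = FACTORY_DEFAULTS

    def configure(self, **changes) -> None:
        """Integrator-side change. From here on the configuration is the
        integrator's responsibility, not the library manufacturer's."""
        self.settings = dataclasses.replace(self.settings, **changes)

    def reset_to_original_state(self) -> None:
        """The reset possibility required by Annex I, Part I, point 2(b)."""
        self.settings = FACTORY_DEFAULTS

    def build_context(self) -> ssl.SSLContext:
        """Translate the current settings into a real SSLContext."""
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = self.settings.minimum_version
        # check_hostname must be cleared before verify_mode can become CERT_NONE;
        # hostname checking without certificate validation is meaningless anyway.
        ctx.check_hostname = self.settings.check_hostname and self.settings.verify_certificates
        ctx.verify_mode = ssl.CERT_REQUIRED if self.settings.verify_certificates else ssl.CERT_NONE
        ctx.set_ciphers(self.settings.ciphers)
        return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """Checks a manufacturer, or an integrator's acceptance test, would run on the
    delivered configuration. Returns one boolean per property."""
    names = [c["name"] for c in ctx.get_ciphers()]
    weak = ("NULL", "MD5", "RC4", "DES")
    return {
        "tls12_or_newer": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "certs_verified": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": ctx.check_hostname,
        "no_weak_suites": not any(w in n for n in names for w in weak),
    }


def secure_by_default(ctx: ssl.SSLContext) -> bool:
    """True only if every audited property holds."""
    return all(audit(ctx).values())


if __name__ == "__main__":
    lib = TlsClientLibrary()
    print("as delivered:", audit(lib.build_context()))
    # Integrator disables certificate validation, e.g. for a device with self-signed certs.
    lib.configure(verify_certificates=False)
    print("after integrator change:", audit(lib.build_context()))
    lib.reset_to_original_state()
    print("after reset:", audit(lib.build_context()))
```

The point of the audit() step is that the manufacturer's obligation attaches to the configuration returned by the first build_context() call; the weakened state after configure() is the integrator's, and reset_to_original_state() is what makes the "possibility to reset" concrete.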
For further information on exceptions to the secure-by-default configuration, see entry 4.2.5 When is a product “tailor-made”? What documentation is required in these cases?
Finally, it is possible that this essential requirement is not applicable to some products with digital elements. Entry 4.1.3 Does a manufacturer need to implement all the essential requirements? provides further guidance on this.
Disclaimer
This document is prepared by the Commission services and should not be considered as representative of the European Commission's official position. The replies to the FAQs do not extend in any way the rights and obligations deriving from applicable legislation nor introduce any additional requirement. The expressed views are not authoritative and cannot prejudge any future actions the European Commission may take, including potential positions before the Court of Justice of the European Union, which is competent to authoritatively interpret Union law.