The Cyber Resilience Act requires that products with digital elements are delivered with a secure-by-default configuration and are designed to limit attack surfaces, in line with the security-by-design and security-by-default principles embedded throughout Annex I, Part I. Architecture is where these principles are either built in or permanently missed: retrofitting security onto a fundamentally insecure design is costly, often incomplete, and unlikely to satisfy the essential cybersecurity requirements.
Define and maintain an agreed-upon set of security design principles that guide architectural and design decisions across the product. These should include, at a minimum: secure the weakest link, least privilege, defense in depth, fail-secure defaults, economy of mechanism, no secret sauce, zero trust, and accountability. Relevant stakeholders involved in design and development must understand these principles and apply them consistently when making decisions about the product's structure, interfaces, and component interactions.
Document the principles in an accessible location so they can be referenced during design reviews and audits. Record the product's high-level architecture and keep it current, giving a clear view of components, trust boundaries, and data flows. This documentation serves both as a design governance tool and as input to the technical documentation required under Annex VII.