The Cyber Resilience Act (Annex I, Part I, Section 2) explicitly requires that products with digital elements are made available on the market with a secure-by-default configuration, including the ability to reset the product to its original secure state. It further requires that products are delivered without known exploitable vulnerabilities, with protection against unauthorized access, and with attack surfaces limited to what is necessary for the product's intended function. Configuration hardening is how these obligations are operationalized at the component level; a well-designed product can still be undermined if it ships with unnecessary services exposed, default credentials enabled, or insecure communication protocols active.
Identify the key components in each technology stack used within the product and define secure configuration baselines for each one. These baselines should minimize the attack surface and reduce the risk of unauthorized access by disabling unnecessary services, interfaces, and ports, prohibiting default or hardcoded passwords, and enforcing secure communication protocols. Baselines must reflect the principle that the product should be secure out of the box, without requiring the user to take additional hardening steps.
Monitor deployed configurations against the defined baselines and ensure that deviations are identified and corrected. Configuration hardening is not a one-time activity; baselines must be reviewed and updated as components evolve, new vulnerabilities are disclosed, or the product's operating context changes. Maintain hardening baselines as documented, version-controlled artifacts so they can be audited and referenced as part of the product's technical documentation (Annex VII).
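As an added example (not from the CRA text or any product's own tooling), the following Python script checks a constructed configuration snapshot of a deployed unit against a constructed hardening baseline for one component and reports every deviation; the baseline keys, the snapshot format, and the port and service values are all assumptions.

```python
from typing import Dict, List

# Constructed baseline for a hypothetical component (an embedded management
# web server); every value here is an assumption, not from any real product.
BASELINE = {
    "allowed_tcp_ports": {443},                       # anything else must be closed
    "prohibited_services": {"telnet", "ftp", "snmpv1"},
    "min_tls_version": (1, 2),                        # (major, minor), compared as tuples
    "default_credentials_allowed": False,
}

# Constructed snapshots of a deployed unit, as a config-collection agent might report them.
COMPLIANT = {
    "listening_tcp_ports": [443],
    "running_services": ["httpd"],
    "min_tls_version": (1, 2),
    "default_credentials_present": False,
}
DRIFTED = {
    "listening_tcp_ports": [23, 80, 443],
    "running_services": ["httpd", "telnet"],
    "min_tls_version": (1, 0),
    "default_credentials_present": True,
}


def _ver(v) -> str:
    return ".".join(str(part) for part in v)


def check_drift(baseline: Dict, observed: Dict) -> List[str]:
    """Return one finding per deviation of `observed` from `baseline`; an empty list means compliant."""
    findings: List[str] = []
    # Attack surface: any listening port outside the allow-list is a deviation.
    extra_ports = set(observed.get("listening_tcp_ports", [])) - baseline["allowed_tcp_ports"]
    for port in sorted(extra_ports):
        findings.append(f"port {port}/tcp is listening but is not in the baseline")
    # Services the baseline requires to be disabled.
    running = set(observed.get("running_services", []))
    for svc in sorted(running & baseline["prohibited_services"]):
        findings.append(f"service {svc} is running but the baseline prohibits it")
    # Secure communication: the lowest accepted TLS version must meet the floor.
    observed_tls = tuple(observed.get("min_tls_version", (0, 0)))
    if observed_tls < baseline["min_tls_version"]:
        findings.append(f"TLS {_ver(observed_tls)} accepted; baseline requires >= {_ver(baseline['min_tls_version'])}")
    # Default or hardcoded credentials are prohibited out of the box.
    if observed.get("default_credentials_present") and not baseline["default_credentials_allowed"]:
        findings.append("default credentials are still present")
    return findings


if __name__ == "__main__":
    for name, snapshot in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        result = check_drift(BASELINE, snapshot)
        print(f"{name}: {'OK' if not result else str(len(result)) + ' deviation(s)'}")
        for finding in result:
            print("  -", finding)
```

Keeping BASELINE in a version-controlled file and running this check against each deployed unit's snapshot is one way to turn the baseline into the auditable, repeatable control the text calls for.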