Browsers and Password Managers: Class I Products
Browsers (EN 304 617) and password managers (EN 304 618) are classified as Important Products Class I. These are among the most widely used software products globally.
Browser Requirements (EN 304 617)
Browsers handle everything from banking to healthcare. Key CRA requirements:
- Secure default configuration: HTTPS-first mode, safe browsing enabled
- Extension sandboxing: isolate extensions from core browser data
- Certificate validation: robust TLS certificate chain verification
- Auto-update mechanism: silent security updates without user intervention
- SBOM: document all libraries (rendering engine, crypto, media codecs)
- Content Security Policy: enforce security headers by default
Password Manager Requirements (EN 304 618)
Password managers store the most sensitive user credentials. CRA demands:
- Zero-knowledge architecture: manufacturer cannot access user vaults
- Strong encryption: AES-256 or equivalent at rest, TLS 1.3 in transit
- Master password requirements: enforce minimum complexity
- Breach monitoring: alert users when stored credentials appear in breaches
- Secure sharing: encrypted credential sharing between users
- Export capability: users must be able to export their data
Conformity Assessment
Both are Class I: self-assessment is possible IF harmonized standards (EN 304 617/618) are applied. Otherwise, third-party assessment options apply.
Key Timeline
- Follow ETSI drafts for EN 304 617 and 618
- Implement requirements before December 2027
- Begin vulnerability reporting by September 2026
Building browsers or password managers for the EU market? I help organizations prepare for CRA conformity. Get in touch.
