Cybersecurity Requirements for Password Manager Applications
Vertical standards for security requirements
What does the work you will carry out for the CYBERSTAND SSP consist of?
My work under the CYBERSTAND Specific Support Procedure (SSP) focuses on contributing to the development of the harmonised standard for password managers identified under Line 18 of the CRA Standardisation Request.
I am actively involved in the ETSI CYBER-EUSR technical committee and plan to support the drafting of normative clauses that translate the essential cybersecurity requirements of the CRA (Annex I) into specific, testable requirements for password manager applications. My contribution is both technical and regulatory in nature: I aim to ensure that the future standard is implementable by industry while being fully aligned with the CRA’s legal framework.
Specifically, I am working on:
- Defining secure-by-design technical measures for vault encryption, authentication, key management, and lifecycle operations;
- Proposing requirements for secure backup and recovery processes, post-quantum readiness, and cryptographic agility;
- Supporting the mapping of these requirements to the CRA’s conformity assessment procedures (notably Modules B+C and H);
- Promoting interoperability with eIDAS2 trust services and the European Digital Identity Wallet (EUDIW);
- Actively participating in working group discussions, submitting written contributions, and helping build consensus around key technical and legal choices.
What is the expected result and impact of this activity?
The expected result of my work is a European harmonised standard for password managers that enables manufacturers to demonstrate compliance with the CRA and benefit from the presumption of conformity foreseen in Article 27.
This standard will provide clarity for manufacturers, auditors, and market surveillance authorities by:
- Offering a concrete reference model for secure password manager implementation;
- Supporting consistent CRA conformity assessments and technical documentation;
- Encouraging adoption of quantum-resilient cryptographic practices;
- Enabling integration with EU identity systems and trust services (e.g. for delegated access, 2FA, or strong identity binding).
The broader impact will be the enhancement of Europe’s digital sovereignty, through reduced reliance on non-European specifications, and better protection of users' most sensitive digital assets. The standard will also support SMEs and open-source developers by clearly defining what “CRA-compliant” means in this product category and reducing uncertainty in implementation choices.
Which aspects of the Cyber Resilience Act (CRA) standardisation are you focusing on?
I am specifically focusing on the vertical standardisation aspect under Line 18 of the CRA Request: “Cybersecurity requirements for password managers.” My work addresses:
- CRA Article 13 (cybersecurity risk assessment);
- CRA Article 31 (technical documentation);
- CRA Article 32 (conformity assessment);
- both Parts I and II of Annex I (essential cybersecurity and vulnerability handling requirements).
In addition, I aim to help ensure that the standard developed aligns with other key EU frameworks, such as Regulation (EU) 2019/881 (Cybersecurity Act) and Regulation (EU) No 910/2014 (eIDAS2), especially in contexts where password managers play a role in identity, authentication, or access delegation.
This contribution aims to ensure password managers become natively compliant with the CRA—not only by design, but also by default, thereby making them a foundational element of a resilient European digital ecosystem.
