Secure by design is a requirement in the Cyber Resilience Act. For products placed on the market 36 months after the act comes into force, the product has to be designed with security in mind, from design to decommissioning.

The act contains many requirements, which will be further explained in the EU implementation act and in a large set of horizontal standards developed by various organisations.

CISA and a large group of worldwide organisations (including the EU) have published a white paper describing Secure by design principles.