ENISA released a draft of its Security by Design and Default Playbook (version 0.4) in March 2026, according to CRA Evidence, advancing built-in security throughout the digital product lifecycle. The playbook sets out 22 engineering principles (14 under "Secure by Design" and 8 under "Secure by Default") and provides product teams with one-page checklists, minimum evidence standards, and release-gate criteria. Covering all phases from requirements to decommissioning, the draft is open for public consultation. The document introduces Machine-Readable Security Manifests (MRSM), enabling verifiable compliance evidence, and directly maps all principles to CRA Annex I essential requirements.
Background
The playbook reflects the European Union's growing focus on cybersecurity regulation, particularly through the Cyber Resilience Act (CRA) and the updated Cybersecurity Act. ENISA's expanded mandate includes providing guidance for secure certification, vulnerability management, and incident reporting in ICT supply chains; according to the European Commission, the revised Cybersecurity Act tasks ENISA with supporting certification and secure ICT supply chains. The agency plans to issue regular technical advisories from 2026 onwards, with the first, guidance on secure package manager usage, published in early 2026. ENISA's 2024 State of Cybersecurity report identified increased supply-chain threats that exploit IT and OT interdependencies, notably via software and firmware vulnerabilities.
Details
The playbook details security integration into standard development workflows, including Agile and DevOps. For the requirements phase, it prescribes a one-page "Security Context & Assumptions" document and a Security Requirements Checklist. During design, it calls for architecture diagrams with trust boundaries, lightweight threat models for key abuse cases, and corresponding mitigation mapping. Automated CI/CD security gates are emphasized, while manual reviews are reserved for high-risk changes.
Machine-Readable Security Manifests (MRSM) encode compliance evidence in automated, auditable formats to support subsequent validation in MES, SCADA, or digital twin platforms. Mapping the 22 principles to CRA Annex I ensures traceability between engineering activities and regulatory requirements.
Outlook
ENISA plans to finalize the playbook following review of stakeholder input from the public consultation. Its implementation may influence security processes across MES suppliers, SCADA integrators, and digital manufacturing platforms by embedding continuous monitoring and governance from pilot phase to full-scale deployment.
