The CRA affects all products containing a digital element
Depending on the criticality of the product, rules will vary for device makers. You can read our article on the three different categories of products here.
This regulation is not specific to any particular industry but seeks to establish horizontal rules across sectors. However, industry-specific rules may emerge in the future to address sector nuances.
Are there any ineligible products?
Some products are already regulated by specific cybersecurity laws within the European Union, such as medical devices and accessories under Regulation 2017/745 and in vitro diagnostic medical devices and accessories under Regulation 2017/746.
Additionally, civil aviation products certified under Regulation 2018/1139 and motor vehicles following Regulation 2019/2144 are exempted.
For those, the CRA does not apply.
What about products from outside the European Union?
The Cyber Resilience Act applies exclusively to products commercialized within the European Union. Nonetheless, bilateral agreements like the Mutual Recognition Agreements (MRAs) exist to assess the cybersecurity conformity of products from overseas.
What if we outsource product development?
Device makers are accountable for the development and maintenance activities performed by their external providers. Thus, they’ll still need to comply with the CRA.
Are open-source products covered by the CRA?
As with all other aspects of their products, equipment manufacturers bear the responsibility of ensuring that the open-source software and packages they integrate are devoid of security vulnerabilities throughout the entire lifecycle of their product. Should they come across any vulnerabilities during their maintenance routines, swift notification to the appropriate entity is imperative.
Moreover, those maintaining the open-source components also carry obligations to monitor and report on vulnerabilities within their systems (article 24).
What about products incorporating artificial intelligence (AI)?
Such products fall under the scope of the CRA and must comply with its provisions. They’ll also need to comply with the AI Act of the European Union which aims to make sure that “AI systems used in the EU are safe, transparent, traceable, non-discriminatory and environmentally friendly.”
What about proofs of concept (POCs) and beta versions?
To foster innovation, POCs and beta versions are exempt from Cyber Resilience Act compliance until the launch of the product's final version, provided they are used solely for testing and iteration with end users over a limited period of time. However, these prototypes should only be disseminated after a risk assessment.
What if an equipment manufacturer ceases its operations?
If a device maker discontinues its operations, it can no longer ensure the security of its products on the market. That’s why it must notify market surveillance authorities and customers about the situation.