Can your product be connected to a device or a network? This covers both hardware products with networked functions and pure software products. If so, it is a “product with digital elements” according to the Cyber Resilience Act (CRA). If you sell your product in the EU, you must comply with the CRA. Exceptions are non-commercial open source software products and products for which relevant EU cyber security regulations already exist. In the EU, medical devices are primarily regulated by the MDR or IVDR and further by standards such as IEC 81001-5, and are therefore excluded from the scope of the CRA per se. At the same time, however, introductory point (recital) 10 of the CRA Regulation states that medical devices worn on the body, so-called wearables, must fulfil the CRA requirements.
Product categories according to CRA
The products are divided into different categories in the CRA:
- Important products with digital elements are divided into Class I and Class II and must have at least one of the following functions:
  - a function that is critical to the cybersecurity of other products, networks or services, including securing authentication and access, intrusion prevention and detection, end-point security or network protection;
  - a function that poses a significant risk of adverse effects in terms of its intensity and ability to disrupt, control or damage a large number of other products or the health, safety or security of its users through direct manipulation, such as a central system function, including network management, configuration control, virtualisation or processing of personal data.
- Critical products with digital elements must fulfil at least one of the following criteria:
  - a critical dependency of essential entities as defined in Article 3 of Directive (EU) 2022/2555 on the category of products with digital elements;
  - serious disruptions to critical supply chains across the internal market in the event of security incidents and exploited vulnerabilities relating to the category of products with digital elements.
- Other products that are neither important nor critical.
Conformity assessment procedure according to CRA
Article 32 of the CRA sets out the various conformity assessment procedures for products with digital elements. The path to conformity depends on the type and category of the product.
All products that fall within the scope of the CRA must fulfil the essential cybersecurity requirements set out in Annex I.
Part I of Annex I sets out the cybersecurity requirements relating to the properties of products with digital elements:
- Ensuring an appropriate level of cybersecurity
- Assessment of cybersecurity risks in accordance with Article 13(2)
- Further cybersecurity requirements in accordance with paragraph 2, e.g.:
  - Making the product available without known exploitable vulnerabilities
  - Ensuring that vulnerabilities can be fixed through security updates
  - Confidentiality, integrity and processing of (personal) data
Part II describes the requirements for the handling of vulnerabilities:
- Identify and document vulnerabilities and components (e.g. a software bill of materials)
- Handle and fix vulnerabilities (e.g. by making security updates available), with information about the vulnerabilities that have been eliminated
- Test and check the product's security regularly
- A policy for the coordinated disclosure of vulnerabilities and the associated measures
- Mechanisms for the secure, immediate and free-of-charge distribution of updates
Technical documentation in accordance with Annex VII must also be prepared for all products and made available on request.
All declarations of conformity must be kept together with the associated technical documentation for 10 years.
High-risk AI systems in the CRA
Some high-risk AI systems (defined in accordance with Article 6 of Regulation (EU) 2024/1689, the so-called AI Regulation or AI Act) also fall within the scope of the CRA Regulation, so manufacturers must consider both regulations.
The conformity assessment procedure provided in Article 43 of the AI Act applies to these products, so the products are primarily subject to the AI Act. However, during the assessment, manufacturers and the respective notified bodies must also ensure and check the conformity of the high-risk AI systems with the requirements of Annex I of the CRA.
The notified bodies that assess the conformity of such products must themselves meet the requirements for notified bodies set out in both regulations, i.e. both the AI Act and Article 39 of the CRA. Manufacturers should pay attention to this when choosing their notified body.
Timeline of the CRA
EU type-examination certificates and approvals subject to other harmonisation legislation remain valid until 11 June 2028, unless they expire earlier or other harmonisation legislation specifies a different validity period.
Products that are placed on the market before 11 December 2027 do not have to comply with the CRA, provided that no significant changes are made to the product after this date.
However, the notification obligations for manufacturers under Article 14 apply to all products, including products placed on the market before 11 December 2027.
By 11 December 2025, the Commission intends to adopt an implementing act in which the technical description for important class I and II products and for critical products will be defined.
And a few more important points:
It is not prohibited to present or use a product/prototype at trade fairs, exhibitions, etc., provided that it is visibly labelled that the product does not (yet) comply with the CRA Regulation.
It is not prohibited to make unfinished software available for testing for a limited period of time, provided it is clearly labelled as not complying with the CRA Regulation.
For stakeholders (e.g. companies, the open-source software community, consumer associations, universities, etc.), the Commission organises regular consultation and information meetings at least once a year.