EU: Commission draft of implementing regulations under the CRA

The Cyber Resilience Act (CRA) introduces mandatory cybersecurity requirements for products that contain a digital element, obligating manufacturers and retailers to ensure these products meet security standards. The European Commission has just recently published a draft defining which digital products will be subject to the stricter requirements under the CRA.

• Legal background: The CRA requires the Commission to specify the technical description of the categories of important and critical products with digital elements listed in Annex III and IV to the CRA.
• Relevance for companies: Technical descriptions provided by the Commission are intended to help companies assess whether their products fall into the categories of important (Class I and II) or critical products under the legislation.
• Stricter rules: The categories of important products with digital elements are subject to conformity assessment procedures that are stricter than those applicable to other products with digital elements. For the categories of critical products with digital elements manufacturers could be required to obtain a European cybersecurity certificate under a European cybersecurity certification scheme pursuant to Regulation (EU) 2019/881 or that will be subject to strict conformity assessment procedures.
• Core functionality: The Commission clarifies that the core functionality of a product with digital elements is the decisive factor for classification of a product with digital elements as an important or a critical product with digital elements and therefore the applicability of conformity assessment procedures. A product’s core functionality refers to its fundamental features and capabilities that fulfil the primary purpose for which the product with digital elements has been made available on the market and without which the product would not be able to meet its intended purpose or reasonably foreseeable use.
• Examples of technical descriptions: For example, standalone browsers falling within the category of important products with digital elements are described as “standalone applications that fulfil the functions of browsers”. Hardware devices with security boxes falling within the category of critical products with digital elements are described as “hardware products with digital elements that incorporate a hardware physical envelope providing countermeasures against physical attacks, including tamper evidence, resistance or response, and that are designed to securely store, process, and manage sensitive data and cryptographic operations.“
• Not exhaustive examples: The Commission’s draft includes examples of products with digital elements whose core functionality fits into the technical description of certain important or critical products with digital elements. Such examples are provided for illustrative purposes only and are not an exhaustive list.
• For more information on the CRA, access our flyer here.

Next steps

The Commission’s draft act is open for feedback for 4 weeks. Feedback period: 13 March 2025 - 15 April 2025 (midnight Brussels time). Feedback will be taken into account for finalising this initiative. Feedback received will be published on this site and therefore must adhere to the feedback rules.  The Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union

Do you have questions about the CRA, its interplay with the NIS2 Directive as well as the impact of these acts on your business? Bird & Bird is ready to help you to carry out an assessment of the impact of the upcoming legislation on your business and assist in preparing your compliance plan.