CRA Article 1. Subject matter

Cybersecurity is one of the key challenges for the Union. The number and variety of connected devices will rise exponentially in the coming years. Cyberattacks represent a matter of public interest as they have a critical impact not only on the Union’s economy, but also on democracy as well as consumer safety and health. It is therefore necessary to strengthen the Union’s approach to cybersecurity, address cyber resilience at Union level and improve the functioning of the internal market by laying down a uniform legal framework for essential cybersecurity requirements for placing products with digital elements on the Union market. Two major problems adding costs for users and society should be addressed: a low level of cybersecurity of products with digital elements, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them, and an insufficient understanding and access to information by users, preventing them from choosing products with adequate cybersecurity properties or using them in a secure manner.

This Regulation aims to set the boundary conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s lifecycle. It also aims to create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements, for example by improving transparency with regard to the support period for products with digital elements made available on the market.

Relevant Union law in force comprises several sets of horizontal rules that address certain aspects linked to cybersecurity from different angles, including measures to improve the security of the digital supply chain. However, existing Union law related to cybersecurity, including Regulation (EU) 2019/881 of the European Parliament and of the Council and Directive (EU) 2022/2555 of the European Parliament and of the Council , does not directly cover mandatory requirements for the security of products with digital elements.

While existing Union law applies to certain products with digital elements, there is no horizontal Union regulatory framework establishing comprehensive cybersecurity requirements for all products with digital elements. The various acts and initiatives taken thus far at Union and national levels only partially address the identified cybersecurity-related problems and risks, creating a legislative patchwork within the internal market, increasing legal uncertainty for both manufacturers and users of those products and adding an unnecessary burden on businesses and organisations to comply with a number of requirements and obligations for similar types of products. The cybersecurity of those products has a particularly strong cross-border dimension, as products with digital elements manufactured in one Member State or third country are often used by organisations and consumers across the entire internal market. This makes it necessary to regulate the field at Union level to ensure a harmonised regulatory framework and legal certainty for users, organisations and businesses, including microenterprises and small and medium-sized enterprises as defined in the Annex to Commission Recommendation 2003/361/EC . The Union regulatory landscape should be harmonised by introducing horizontal cybersecurity requirements for products with digital elements. In addition, legal certainty for economic operators and users, as well as a better harmonisation of the internal market and proportionality for microenterprises and small and medium-sized enterprises, creating more viable conditions for economic operators aiming to enter that market, should be ensured across the Union.

At Union level, various programmatic and political documents, such as the Joint communication of the Commission and the High Representative of the Union for Foreign Affairs and Security Policy of 16 December 2020, entitled ‘The EU’s Cybersecurity Strategy for the Digital Decade’, the Council Conclusions of 2 December 2020 on the cybersecurity of connected devices and of 23 May 2022 on the development of the European Union’s cyber posture and the European Parliament resolution of 10 June 2021 on the EU’s Cybersecurity Strategy for the Digital Decade , have called for specific Union cybersecurity requirements for digital or connected products, with several third countries introducing measures to address this issue on their own initiative. In the final report of the Conference on the Future of Europe, citizens called for ‘a stronger role for the EU in countering cybersecurity threats’. In order for the Union to play a leading international role in the field of cybersecurity, it is important to establish an ambitious regulatory framework.

To increase the overall level of cybersecurity of all products with digital elements placed on the internal market, it is necessary to introduce objective-oriented and technology-neutral essential cybersecurity requirements for those products that apply horizontally.

By laying down cybersecurity requirements for placing on the market products with digital elements, it is intended that the cybersecurity of those products for consumers and businesses alike be enhanced. Those requirements will also ensure that cybersecurity is taken into account throughout supply chains, making final products with digital elements and their components more secure. This also includes requirements for placing on the market consumer products with digital elements intended for vulnerable consumers, such as toys and baby monitoring systems. Consumer products with digital elements categorised in this Regulation as important products with digital elements present a higher cybersecurity risk by performing a function which carries a significant risk of adverse effects in terms of its intensity and ability to damage the health, security or safety of users of such products, and should undergo a stricter conformity assessment procedure. This applies to such products as smart home products with security functionalities, including smart door locks, baby monitoring systems and alarm systems, connected toys and personal wearable health technology. Furthermore, the stricter conformity assessment procedures that other products with digital elements categorised in this Regulation as important or critical products with digital elements are required to undergo, will contribute to preventing potential negative impacts on consumers of the exploitation of vulnerabilities.

The purpose of this Regulation is to ensure a high level of cybersecurity of products with digital elements and their integrated remote data processing solutions. Such remote data processing solutions should be defined as data processing at a distance for which the software is designed and developed by or on behalf of the manufacturer of the product with digital elements concerned, the absence of which would prevent the product with digital elements from performing one of its functions. That approach ensures that such products are adequately secured in their entirety by their manufacturers, irrespective of whether data is processed or stored locally on the user’s device or remotely by the manufacturer. At the same time, processing or storage at a distance falls within the scope of this Regulation only in so far as it is necessary for a product with digital elements to perform its functions. Such processing or storage at a distance includes the situation where a mobile application requires access to an application programming interface or to a database provided by means of a service developed by the manufacturer. In such a case, the service falls within the scope of this Regulation as a remote data processing solution. The requirements concerning the remote data processing solutions falling within the scope of this Regulation do therefore not entail technical, operational or organisational measures aiming to manage the risks posed to the security of a manufacturer’s network and information systems as a whole.