CRA Article 8. Critical products with digital elements

The categories of critical products with digital elements set out in this Regulation have a cybersecurity-related functionality and perform a function which carries a significant risk of adverse effects in terms of its intensity and ability to disrupt, control or cause damage to a large number of other products with digital elements through direct manipulation. Furthermore, those categories of products with digital elements are considered to be critical dependencies for essential entities as referred to in Article 3(1) of Directive (EU) 2022/2555. The categories of critical products with digital elements set out in an annex to this Regulation, due to their criticality, already widely use various forms of certification, and are also covered by the European Common Criteria-based cybersecurity certification scheme (EUCC) set out in Commission Implementing Regulation (EU) 2024/482 . Therefore, in order to ensure a common adequate cybersecurity protection of critical products with digital elements in the Union, it could be adequate and proportionate to subject such categories of product, by means of a delegated act, to mandatory European cybersecurity certification where a relevant European cybersecurity certification scheme covering those products is already in place and an assessment of the potential market impact of the envisaged mandatory certification has been carried out by the Commission. That assessment should consider both the supply and demand side, including whether there is sufficient demand for the products with digital elements concerned from both Member States and users for European cybersecurity certification to be required, as well as the purposes for which the products with digital elements are intended to be used, including the critical dependency on them by essential entities as referred to in Article 3(1) of Directive (EU) 2022/2555. The assessment should also analyse the potential effects of the mandatory certification on the availability of those products on the internal market and the capabilities and the readiness of the Member States for the implementation of the relevant European cybersecurity certification schemes.

Delegated acts requiring mandatory European cybersecurity certification should determine the products with digital elements that have the core functionality of a category of critical products with digital elements set out in this Regulation that are to be subject to mandatory certification, as well as the required assurance level, which should be at least ‘substantial’. The required assurance level should be proportionate to the level of cybersecurity risk associated with the product with digital elements. For instance, where the product with digital elements has the core functionality of a category of critical products with digital elements set out in this Regulation and is intended for the use in a sensitive or critical environment, such as products intended for the use of essential entities as referred to in Article 3(1) of Directive (EU) 2022/2555, it may require the highest assurance level.

In order to ensure a common adequate cybersecurity protection in the Union of products with digital elements that have the core functionality of a category of critical products with digital elements set out in this Regulation, the Commission should also be empowered to adopt delegated acts to amend this Regulation by adding or withdrawing categories of critical products with digital elements for which manufacturers could be required to obtain a European cybersecurity certificate under a European cybersecurity certification scheme pursuant to Regulation (EU) 2019/881 to demonstrate conformity with this Regulation. A new category of critical products with digital elements can be added to those categories if there is a critical dependency on them by essential entities as referred to in Article 3(1) of Directive (EU) 2022/2555 or, if affected by incidents or when containing exploited vulnerabilities, this could lead to disruptions of critical supply chains. When assessing the need for adding or withdrawing categories of critical products with digital elements by means of a delegated act, the Commission should be able to take into account whether the Member States have identified at national level products with digital elements that have a critical role for the resilience of essential entities as referred to in Article 3(1) of Directive (EU) 2022/2555 and which increasingly face supply chain cyberattacks, with potential serious disruptive effects. Furthermore, the Commission should be able to take into account the outcome of the Union level coordinated security risk assessment of critical supply chains carried out in accordance with Article 22 of Directive (EU) 2022/2555.

In order to ensure that the regulatory framework can be adapted where necessary, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union (TFEU) should be delegated to the Commission in respect of updating an annex to this Regulation listing the important products with digital elements. Power to adopt acts in accordance with that Article should be delegated to the Commission to identify products with digital elements covered by other Union rules which achieve the same level of protection as this Regulation, specifying whether a limitation or exclusion from the scope of this Regulation would be necessary as well as the scope of that limitation, if applicable. Power to adopt acts in accordance with that Article should also be delegated to the Commission in respect of the potential mandating of certification under a European cybersecurity certification scheme of the critical products with digital elements set out in an annex to this Regulation, as well as for updating the list of critical products with digital elements based on criticality criteria set out in this Regulation, and for specifying the European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 that can be used to demonstrate conformity with the essential cybersecurity requirements or parts thereof as set out in an annex to this Regulation. Power to adopt acts should also be delegated to the Commission to specify the minimum support period for specific product categories where the market surveillance data suggests inadequate support periods, as well as to specify the terms and conditions for applying the cybersecurity-related grounds in relation to delaying the dissemination of notifications of actively exploited vulnerabilities. Furthermore, power to adopt acts should be delegated to the Commission to establish voluntary security attestation programmes for assessing the conformity of products with digital elements qualifying as free and open-source software with all or certain essential cybersecurity requirements or other obligations laid down in this Regulation, as well as to specify the minimum content of the EU declaration of conformity and to supplement the elements to be included in the technical documentation. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making . In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts. The power to adopt delegated acts pursuant to this Regulation should be conferred on the Commission for a period of five years from 10 December 2024. The Commission should draw up a report in respect of the delegation of power not later than nine months before the end of the five-year period. The delegation of power should be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period.