
Understanding the Cyber Resilience Act

by Streamlex 20 January 2025

The EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847), in force since 10 December 2024, introduces mandatory cybersecurity requirements for products with digital elements placed on the EU market. The legislation affects manufacturers, importers, and distributors of hardware and software products. This article outlines the key provisions of the regulation, focusing on the obligations of manufacturers of digital products, and explains the implementation timeline and enforcement approach.


Scope of the CRA

Products with Digital Elements (PDEs)

The CRA requirements apply to all products with digital elements (PDEs) made available on the EU market. PDEs are defined broadly: the CRA covers hardware and software products whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or a network. Examples of such products are smart home systems, fitness trackers, IoT sensors, networked machinery, and embedded firmware.

‘product with digital elements’ means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately (CRA Article 3(1))

PDEs not covered by CRA

The CRA explicitly excludes from its scope the following groups of PDEs:

  • National Security & Defence: Products developed exclusively for national security or defence purposes, and products specifically designed to process classified information.
  • Sector-Specific Legislation: Products already covered by EU rules with their own cybersecurity requirements, such as the Medical Devices Regulation (EU) 2017/745, the In Vitro Diagnostic Medical Devices Regulation (EU) 2017/746, the vehicle type-approval framework under Regulation (EU) 2019/2144, and the EU civil aviation and marine equipment rules.

Additional limitations and exclusions, such as those applicable to spare parts of PDEs, are also included in the CRA.

Classification of Products

The CRA classifies PDEs into four risk-based categories, each with increasing cybersecurity and conformity assessment requirements: default products, important products of Class I, important products of Class II (both listed in Annex III, CRA Article 7), and critical products (Annex IV, CRA Article 8). Default products may be self-assessed by the manufacturer, whereas Class II and critical products require third-party conformity assessment or, where available, certification under a European cybersecurity certification scheme.

Key Requirements

The CRA establishes obligations to enhance cybersecurity throughout a product’s lifecycle:

  • Essential Cybersecurity Requirements (CRA Annex I): Manufacturers must design, develop, and produce products with digital elements that meet the essential requirements of Annex I, covering both the security properties of the product (Part I) and the manufacturer's vulnerability handling processes (Part II), so that security is integrated throughout the product lifecycle.
  • Risk Assessments (CRA Article 13): Manufacturers must assess the cybersecurity risks of the product, taking into account its intended purpose, reasonably foreseeable use, and operating environment, and use the results to minimise vulnerabilities during design, development, production, delivery, and maintenance.
  • Due Diligence (CRA Article 13): When integrating third-party components, including free and open-source software, manufacturers must exercise due diligence so that the components do not compromise the security of the product, and must not use components known to contain unremediated vulnerabilities.
  • Security Updates (CRA Article 13): Manufacturers must determine a support period that reflects the expected product lifetime, of at least five years unless the product is expected to be in use for a shorter time, and must handle vulnerabilities and provide security updates throughout that period. Each security update issued must remain available for at least 10 years after the product was placed on the market or for the remainder of the support period, whichever is longer.
  • Documentation (CRA Article 13): Manufacturers must systematically document relevant cybersecurity aspects of the product, including vulnerabilities they become aware of and relevant information provided by third parties, and keep the cybersecurity risk assessment up to date.
  • Vulnerability and Incident Handling (CRA Article 14): Manufacturers must have processes to identify, manage, and remediate vulnerabilities, and must report actively exploited vulnerabilities and severe incidents affecting the security of the product through the single reporting platform operated by ENISA, starting with an early warning within 24 hours of becoming aware of them and a notification within 72 hours.
  • Conformity Assessments (CRA Article 32): Manufacturers must demonstrate that their products meet the essential requirements through a conformity assessment procedure that depends on the product's classification, ranging from internal control by the manufacturer to third-party assessment.

While most of the obligations fall on manufacturers of PDEs, the CRA also imposes additional requirements on other economic operators, such as importers and distributors.

Implementation Timeline

The CRA’s obligations will apply in full after a three-year transition period, on 11 December 2027, giving companies time to implement the requirements. Certain provisions apply earlier: the rules on the notification of conformity assessment bodies (Chapter IV) apply from 11 June 2026, and the reporting obligations for actively exploited vulnerabilities and severe incidents under Article 14 apply from 11 September 2026.

Enforcement and Penalties

The CRA is enforced by market surveillance authorities in each EU Member State, which oversee compliance, evaluate products, and impose corrective measures, including restrictions, withdrawals, and recalls. Non-compliance can result in administrative fines of, whichever amount is higher:

  • up to €15 million or 2.5% of total worldwide annual turnover for non-compliance with the essential cybersecurity requirements of Annex I or the manufacturer obligations under Articles 13 and 14,
  • up to €10 million or 2% of turnover for non-compliance with any other obligation under the CRA, and
  • up to €5 million or 1% of turnover for supplying incorrect, incomplete, or misleading information to notified bodies or market surveillance authorities.

When setting fines, authorities take into account factors such as the nature and gravity of the infringement, its market impact, and the size of the company, with particular regard to the interests of SMEs and start-ups. Consumers are also entitled to enforce their rights through representative actions under Directive (EU) 2020/1828, whose scope the CRA extends to cover this Regulation.

Conclusion

The CRA is part of a rapidly expanding EU digital regulatory framework, closely intertwined with the AI Act, the GDPR, and the NIS2 Directive. These laws create overlapping compliance obligations, requiring businesses to treat cybersecurity, AI governance, and data protection as interconnected regulatory challenges. With 19 delegated and implementing acts still to be adopted under the CRA alone, companies face ongoing regulatory uncertainty. As the EU continues to refine and expand its digital laws, companies must stay proactive and adaptable, ensuring that their compliance strategies address multiple legal frameworks at once. This growing complexity makes it essential to track regulatory updates and understand how the different laws interact.

Streamlex.eu will serve as a one-stop-shop repository, helping businesses stay informed and manage compliance across the evolving EU digital landscape. Full text of the CRA, with articles conveniently linked to recitals and definitions highlighted throughout the text, is already available on StreamLex.


© 2025 StreamLex
