CRA-Update – Episode 6: When is a product with digital elements in conformity with the requirements of the CRA-E?

The planned Cyber Resilience Act (CRA-E) aims to establish uniform EU cybersecurity requirements for products with digital elements in order to handle the growing threat of cyberattacks. For this purpose, the regulation stipulates numerous obligations that primarily affect the manufacturers of such products.

The decisive criterion in this context is the conformity of a product with digital elements with the obligations of the CRA-E. Art. 5 (1) CRA-E stipulates that a product with digital elements may only be made available on the market if it complies with the requirements in Annex I Section 1 and on condition that it is properly installed, maintained and used as intended.

In Annex I Section 1, the CRA-E specifies concrete security requirements relating to the properties of a product with digital elements. Such products must be designed, developed and produced so that they ensure an appropriate level of cybersecurity at all times. Furthermore, a product may only be placed on the market if no exploitable vulnerability is known. The qualifier “appropriate” already implies that risk need not be eliminated entirely, i.e. one-hundred-percent protection is not required. Nevertheless, no known security flaw may be present, because such a flaw would constitute an exploitable weakness, susceptibility or malfunction of the product and thus a vulnerability within the meaning of Art. 3 No. 36 CRA-E.

Section 1 (3) of Annex I CRA-E requires further properties of a product with digital elements. In view of the unambiguous wording (“where applicable”), the measures listed there should be regarded as a kind of minimum requirement: only those measures need to be implemented that are relevant according to a risk assessment previously carried out by the manufacturer. For example, in contrast to software for managing a bank account, a smart home heating thermostat will not require special control mechanisms against unauthorized access in the form of special authentication (Annex I Section 1 Paragraph 3 lit. b CRA-E).

In order to prove in an individual case that its product with digital elements meets the requirements in Annex I Section 1 and thus fulfils the obligation laid down in Art. 5 (1) and Art. 10 (1) CRA-E, the manufacturer must carry out a conformity assessment procedure. The regulation offers several options for this purpose, which will be described in detail in Episode 8 of our CRA Update series. In essence, the manufacturer must provide appropriate evidence of conformity. This includes, among other things, the technical documentation referred to in Art. 23 CRA-E, which must contain, for example, a concrete product description and reports on the tests and inspections carried out.

Once conformity has been established, it is initially valid for an unlimited period. However, if a product with digital elements undergoes a substantial modification within the meaning of Art. 3 No. 31 CRA-E, conformity must be reviewed and, if necessary, a new conformity assessment must be carried out in accordance with Recital 23, Sentence 1 CRA-E. The same applies if doubts about conformity arise because security defects are discovered later, since the product with digital elements then no longer meets the requirements in Annex I Section 1.

In addition, according to Art. 5 (2) CRA-E, not only the product with digital elements but also the processes put in place by the manufacturer to handle vulnerabilities must comply with the requirements in Annex I Section 2 and thus also be shown to be in conformity. This is because the conformity assessment is carried out as a single, coherent procedure: both the product itself and the manufacturer's processes must each be CRA-compliant in order to demonstrate conformity as a whole. This is already supported by the wording of Art. 10 (7) and Art. 24 (1) CRA-E, which requires a coherent conformity assessment. When a manufacturer's process is considered CRA-compliant will be explained in more detail in Episode 7 of our CRA Update series.

The CRA-E establishes a presumption of conformity under the conditions specified in Art. 18 and Art. 19. For example, if a product with digital elements complies with harmonized standards published in the Official Journal of the European Union, conformity with the requirements in Annex I is presumed insofar as those requirements are covered by the harmonized standards.

The European Commission may also specify, under certain circumstances and by means of implementing acts, that a cybersecurity certification in accordance with Regulation (EU) 2019/881, for example, gives rise to a presumption of conformity under the CRA-E.

Practical recommendations:

The conformity requirement for products with digital elements primarily affects manufacturers. We therefore recommend that the specific security requirements in Section 1 of Annex I be examined in detail and taken into account as early as the design stage of any product with digital elements that falls within the scope of the CRA-E. We further suggest documenting all development steps and test procedures so that the corresponding evidence can be presented as part of the conformity assessment procedure.

Since the importer must also ensure that the requirements in Annex I Section 1 are met, and since even a distributor may not make such a product available on the market if there are doubts about its conformity, we also recommend that these economic operators familiarize themselves with the requirements in Annex I of the CRA-E so that they can carry out an appropriate verification of those products.

In our CRA-Update series, we regularly present information on the proposed Cyber Resilience Act and keep you informed about changes in the ongoing legislative process. In each of our articles, we give you a brief overview of a specific topic, presenting the most important aspects and practical implications.

Lawyer, Senior Associate
Alexander Weiss
