CRA – Draft Implementing regulation on important and critical products with digital elements

Draft Implementing Regulation and public consultation on the technical descriptions to be adopted for categories of products with digital elements which are considered important or critical under the CRA (see Annexes III and IV CRA).

The Cyber Resilience Act (CRA) lays down rules on the cybersecurity of products with digital elements.

In particular, Article 7(2) of the CRA sets out categories of important products with digital elements that are subject to conformity assessment procedures that are stricter than those applicable to other products with digital elements. Article 8(2) sets out categories of critical products with digital elements for which manufacturers could be required to obtain a European cybersecurity certificate or which would be subject to strict conformity assessment procedures.

Pursuant to Article 7(1) and Article 8(1), the core functionality of a product with digital elements determines whether that product with digital elements fits into the technical description of a category of important or critical products with digital elements and therefore the applicable conformity assessment procedures. A product’s core functionality refers to its fundamental features and capabilities that fulfil the primary purpose for which the product with digital elements has been made available on the market and without which the product would not be able to meet its intended purpose or reasonably foreseeable use.

The Commission has 13 March – 18 April 2025 launched a public consultation for draft Implementing Regulation, which includes (non-exhaustive) examples of products with digital elements whose core functionality fits into the technical description of certain important or critical products with digital elements.

The product categories include i.a. identity management systems, browsers, password managers, VPNs, operating systems, smart home virtual assistants, SIEM, boot managers, public key infrastructure and digital certificate issuance software, physical and virtual network interfaces, operating systems, routers/modems, microprocessors, certain wearable health monitoring products, smart meter gateways, firewalls and more.

The CRA officially entered into force 10 December 2024. The reporting obligations will become enforceable 21 months after this date, around the summer of 2026, and the technical requirements will follow 15 months later, in the fall of 2027.

See more on the below link or contact Julie Bak-Larsen.

https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14449-Technical-description-of-important-and-critical-products-with-digital-elements_en