EU: Public consultation on the Cyber Resilience Act and critical products with digital elements
The Cyber Resilience Act requires the Commission to specify the technical description of the categories of important and critical products with digital elements listed in Annexes III and IV to the Regulation. Such products may be subject to more stringent conformity assessment procedures.
The EU Commission is conducting a public consultation on the technical details.
Regulation (EU) 2024/2847 establishes rules governing the cybersecurity of products with digital elements. Specifically, Article 7(2) of the Regulation defines categories of important products with digital elements that are subject to more stringent conformity assessment procedures than other digital products. Additionally, Article 8(2) outlines categories of critical products with digital elements, for which manufacturers may be required to obtain a European cybersecurity certificate under a European cybersecurity certification scheme, as per Regulation (EU) 2019/881, or adhere to strict conformity assessment procedures.
According to Articles 7(1) and 8(1) of Regulation (EU) 2024/2847, a product’s core functionality determines whether it falls within a category of important or critical digital products and, consequently, which conformity assessment procedures apply. Core functionality refers to the fundamental features and capabilities that enable a product to fulfill its primary purpose in the market. Without these core functions, the product would not be able to achieve its intended or reasonably foreseeable use.
When designing products with digital elements, manufacturers often incorporate other digital products that may fit the technical descriptions of important or critical product categories. However, under Regulation (EU) 2024/2847, integrating a product that meets the core functionality criteria of a category listed in Annex III or Annex IV does not automatically subject the final product to the same conformity assessment requirements.
The fact that a product performs additional or unrelated functions beyond those specified in the Annexes does not necessarily mean that it lacks the core functionality of a defined product category. For example, operating systems may include auxiliary software, such as calculators or basic graphic editors, which do not alter their classification as operating systems. Conversely, Security Orchestration, Automation, and Response (SOAR) software may perform functions similar to Security Information and Event Management (SIEM) systems, such as data collection, analysis, and security reporting. However, because SOAR software primarily integrates security tools, automates routine tasks, and orchestrates responses to security incidents, it is generally not classified as a SIEM system.
Under Article 13(2) and (3) of Regulation (EU) 2024/2847, manufacturers must implement essential cybersecurity requirements outlined in Part I of Annex I, proportionate to the risks associated with the product’s intended and foreseeable use, operational conditions, and expected lifespan. Regardless of whether a product is classified as important or critical, manufacturers must conduct a comprehensive cybersecurity risk assessment and document how essential cybersecurity requirements are met, including testing and assurance measures. If a product’s core functionality aligns with a category of important or critical products, manufacturers must comply with the specific conformity assessment procedures set out in Article 32(2), (3), and (4) of the Regulation.
The Regulation also provides examples of products whose core functionality falls under specific important or critical categories. These examples serve as illustrations and are not intended to be an exhaustive list.
To find out more about the implementation of the EU Cyber Resilience Act and digital compliance, please contact us directly.

