The Cyber Resilience Act: Understanding the scope

The Cyber Resilience Act (CRA) is new landmark EU legislation that affects manufacturers of products with digital elements. Its main aim is to improve product security: to reduce the number of vulnerabilities shipped in products, and to give users enough information to make informed decisions about cyber security when they buy. For many businesses the CRA will change how their products are developed and maintained across the entire lifecycle, including how vulnerabilities are handled and security updates are delivered after sale.

The first step is to understand whether this new legislation applies to your product. The following articles guide you through the definitions, the products in scope and out of scope, and the exceptions. The scope is very broad, so many in-scope products are not listed by name in the annexes; understanding the definition is therefore key.

Introduction

The definition of a product with digital elements is:
• a software or hardware product and its remote data processing solutions
• including software or hardware components that are placed on the market separately
• whose intended purpose or reasonably foreseeable use includes a direct or indirect, logical or physical data connection to a device or network
• that is made available on the EU single market

The products that are out of scope are:
• Software as a Service, except for remote data processing solutions relating to a product with digital elements. Remote data processing means processing at a distance for which the software is designed by, or under the responsibility of, the manufacturer, and without which the product could not perform one of its functions. A practical test: if switching off the cloud or SaaS component stops the product from doing something it is sold to do, that component is in scope together with the product; a stand-alone SaaS offering with no such product is not.

Other products – products that are already covered by other sector-specific EU rules, such as:
• medical devices and in vitro diagnostic medical devices
• civil aviation safety
• motor vehicles and their trailers
• products with digital elements developed or modified exclusively for national security or defence purposes
Check the specific product against the sector regulation rather than assuming a whole industry is exempt; the exclusion attaches to products actually covered by those rules.

Regulatory Requirements for Open-Source Software
The CRA applies a light-touch regime to open-source software stewards: legal persons, such as foundations, that support the development of free and open-source software intended for commercial activity without monetising it themselves. Software handled under that regime does not bear the CE mark. Open-source software that a company places on the market in the course of a commercial activity, for example bundled into a product it sells, is treated like any other product with digital elements. Manufacturers that integrate open-source components into their product with digital elements must exercise due diligence so that those components do not compromise the product's security; in practice this means keeping an inventory of them (the CRA requires a software bill of materials covering at least the top-level dependencies) and tracking and patching their vulnerabilities. Ultimately the manufacturer is responsible for all components of their product.

For open-source software stewards, the following requirements will apply:
• Creation and documentation of a cybersecurity policy to promote the development of secure products with digital elements;
• Implementation of an effective vulnerability handling process by the developers of that software; and
• Cooperation with market surveillance authorities.

Beyond these definitions of in-scope and out-of-scope products with digital elements, the CRA's annexes list the products whose higher risk profile places them in the important or critical categories (Annex III and Annex IV in the adopted text); these face stricter conformity assessment. Everything else in scope falls into the default category, which the Commission estimates will cover around 90% of products with digital elements and which allows manufacturers to self-assess conformity.

To find out more about product categories, read our next blog, which will have all the details!