Will software, when provided as a service and not as a product, be covered under the CRA?
Software provided as part of a service is not covered by the proposed Cyber Resilience Act. The Act covers only products with digital elements that are made available on the European single market, and it sets out concrete cybersecurity requirements and obligations for the manufacturers of those products. However, the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive), together with other sectoral legislation, ensures that systems provided as a service or developed in-house meet equivalent technical requirements for cybersecurity. Electronic health record (EHR) systems are one example. Such systems should provide the same level of protection against cyber threats as products with digital elements covered by the Cyber Resilience Act.
Under the NIS 2 Directive, Member States must ensure that essential and important entities, such as healthcare providers, cloud providers and public administration entities, take appropriate and proportionate technical, operational and organisational cybersecurity measures. These include, among other things, a requirement to ensure security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure.
Technical and methodological requirements for certain types of entities, such as cloud computing service providers, as well as sectoral requirements where needed, will be defined through implementing acts.
Disclaimer
This FAQ is subject to the disclaimer published on the European Commission's website.