When is a product with digital elements in scope of the Cyber Resilience Act?
The CRA applies to “products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network” (Article 2(1)), with the exception of products with digital elements that are exempted from its scope, as set out in Article 2(2), 2(3) and 2(4).
Three cumulative elements help to understand if a product with digital elements is subject to the CRA:
- Whether it meets the definition of a product with digital elements (see also entry 1.2 What is a product with digital elements? Are stand-alone software or firmware products with digital elements?);
- Whether it is made available on the market;
- Whether its intended purpose or reasonably foreseeable use include a direct or indirect logical or physical data connection to a device or network (see also 1.3 What is a direct or indirect logical or physical data connection to a device or network? and 4.1.4 What are intended purpose and reasonably foreseeable use, and how do they affect the cybersecurity risk assessment?).
Disclaimer
Disclaimer: This document is prepared by the Commission services and should not be considered as representative of the European Commission’s official position. The replies to the FAQs do not extend in any way the rights and obligations deriving from applicable legislation nor introduce any additional requirement. The expressed views are not authoritative and cannot prejudge any future actions the European Commission may take, including potential positions before the Court of Justice of the European Union, which is competent to authoritatively interpret Union law.