Should a product comply with both the CRA and MR cybersecurity requirements?

A product with digital elements within the meaning of the CRA may, at the same time, also be machinery or a related product within the meaning of the MR. In such cases, the product will need to comply with the cybersecurity requirements of the CRA as well as those of the MR. The cybersecurity requirements set out in the CRA and the MR are of such a nature that compliance with the cybersecurity requirements of only one of the Regulations cannot be automatically considered to also fully satisfy those of the other Regulation.

However, as the cybersecurity requirements set out in the CRA and the MR may in some respects address similar risks, compliance with the CRA could facilitate compliance with the requirements set out in the MR. Nevertheless, manufacturers of products falling within the scope of both the CRA and the MR would have to demonstrate such potential synergies on the basis of a risk assessment and, for example, by relying, where available, on harmonised standards or other relevant technical specifications.

© 2025 European Union • CC-BY 4.0 • “FAQs on the Cyber Resilience Act” p.17 (PDF)

Disclaimer: This document is prepared by the Commission services and should not be considered as representative of the European Commission’s official position. The replies to the FAQs do not extend in any way the rights and obligations deriving from applicable legislation nor introduce any additional requirement. The expressed views are not authoritative and cannot prejudge any future actions the European Commission may take, including potential positions before the Court of Justice of the European Union, which is competent to authoritatively interpret Union law.