CRA FAQ

 Open Regulatory Compliance Working Group Orc mascott

Does a product with digital elements need to comply with the requirements of both the CRA and the GPSR?

A product with digital elements may need to comply with both the requirements of the CRA and the GPSR. When a product with digital elements also poses other risks beyond cybersecurity risks that are covered by the CRA, those other risks may be regulated by other EU legislation such as the GPSR. As long as there is no product-specific regulation that regulates those other risks of the product with digital elements in question, the GPSR applies to the safety aspects of those risks (Article 11 CRA).

© 2025 European Union • CC-BY 4.0 • “FAQs on the Cyber Resilience Act” p.18 (PDF) •
Disclaimer

Disclaimer: This document is prepared by the Commission services and should not be considered as representative of the European Commission’s official position. The replies to the FAQs do not extend in any way the rights and obligations deriving from applicable legislation nor introduce any additional requirement. The expressed views are not authoritative and cannot prejudge any future actions the European Commission may take, including potential positions before the Court of Justice of the European Union, which is competent to authoritatively interpret Union law.