Should a product comply with both the CRA and EHDS Regulation requirements?

A product may be a product with digital elements within the meaning of the CRA and an EHR system within the meaning of the EHDS Regulation at the same time. In such cases, a product will need to comply with the requirements set out in both the CRA and the EHDS Regulation (Recital 112 EHDS Regulation). The cybersecurity requirements set out in the CRA and the EHDS Regulation are of such a nature that compliance with the requirements of either the CRA or the EHDS Regulation alone will not fully satisfy those of the other Regulation.

However, Article 13(4) CRA provides that, for products with digital elements that are also EHR systems, the cybersecurity risk assessment required by the CRA may be carried out as part of the risk assessment required by the EHDS Regulation.

© 2025 European Union • CC-BY 4.0 • “FAQs on the Cyber Resilience Act” p.20 (PDF)
Disclaimer

Disclaimer: This document is prepared by the Commission services and should not be considered as representative of the European Commission’s official position. The replies to the FAQs do not extend in any way the rights and obligations deriving from applicable legislation nor introduce any additional requirement. The expressed views are not authoritative and cannot prejudge any future actions the European Commission may take, including potential positions before the Court of Justice of the European Union, which is competent to authoritatively interpret Union law.