Should a manufacturer ensure the assessment of conformity for a product through the procedures set out in both the CRA and EHDS Regulation?

Both the CRA and the EHDS Regulation provide for conformity assessment procedures for relevant products. In the case of the CRA this applies to products with digital elements, whereas under the EHDS Regulation this applies to the harmonised software components of EHR systems (as defined in Article 25(1) EHDS Regulation).

However, this does not mean that manufacturers need to ensure the assessment of conformity of the cybersecurity of a product through the procedures set out in both the CRA and the EHDS Regulation in cases where a product is a product with digital elements within the meaning of the CRA and an EHR system within the meaning of the EHDS Regulation at the same time. The CRA (Article 32(5a), which was introduced by the EHDS Regulation) determines that in such cases the conformity assessment procedure of the EHDS Regulation should apply instead of the procedure of the CRA.

© 2025 European Union • CC-BY 4.0 • “FAQs on the Cyber Resilience Act” p.20 (PDF)

Disclaimer: This document is prepared by the Commission services and should not be considered as representative of the European Commission’s official position. The replies to the FAQs do not extend in any way the rights and obligations deriving from applicable legislation nor introduce any additional requirement. The expressed views are not authoritative and cannot prejudge any future actions the European Commission may take, including potential positions before the Court of Justice of the European Union, which is competent to authoritatively interpret Union law.