How do the requirements for products with digital elements under the CRA take account of the obligations to make data available to users or third parties under the Data Act?

The CRA determines inter alia that products with digital elements shall be made available on the market only where they meet certain cybersecurity requirements (Article 6). Manufacturers have to ensure that when placing products with digital elements on the market, they are designed, developed and produced in accordance with those requirements (Article 13). Manufacturers will have to carry out a risk assessment comprising an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use of the product.

Where a product with digital elements within the meaning of the CRA may also be subject to the requirements of the DA to make data available to users or third parties (Articles 4 and 5 DA), the manufacturer will need to ensure that relevant requirements under the DA are also considered as part of the risk assessment. Manufacturers should keep in mind that while the DA obliges access to product and related service data to users and third parties, it also establishes measures for data holders to restrict or refuse data sharing in certain cases (e.g. using the so-called ‘trade secret’ and ‘safety and security’ handbrakes (Articles 4(8) and 5(11), and 4(2), DA respectively).