Does the classification of a product as important or critical impact the manufacturer’s risk assessment?

In accordance with paragraphs (1) to (3) of Article 13, the CRA establishes that manufacturers of products with digital elements are to implement the essential cybersecurity requirements in a way that is proportionate to the risks of the product with digital elements, based on the intended purpose and reasonably foreseeable use as well as the conditions of use of the product with digital elements, taking into account the length of time the product is expected to be in use. Irrespective of whether the product with digital elements is considered to be an important or critical product with digital elements, manufacturers are to carry out a comprehensive cybersecurity risk assessment and indicate how the essential cybersecurity requirements are implemented as informed by the risk assessment, including their testing and assurance.

For example, a manufacturer wishes to place on the market two different versions of a VPN. In accordance with its risk assessment, the manufacturer determines that one of the two VPNs presents more substantial risks, for example because that VPN is intended to be deployed in a critical infrastructure environment, while the other VPN presents fewer risks, for example because it is intended only for use in a residential setting. Consequently, the manufacturer is expected to implement the essential requirements for both products in such a way that it ensures that the respective risks are mitigated accordingly.

© 2025 European Union • CC-BY 4.0 • “FAQs on the Cyber Resilience Act” p.23–24 (PDF)

Disclaimer: This document is prepared by the Commission services and should not be considered as representative of the European Commission’s official position. The replies to the FAQs do not extend in any way the rights and obligations deriving from applicable legislation nor introduce any additional requirement. The expressed views are not authoritative and cannot prejudge any future actions the European Commission may take, including potential positions before the Court of Justice of the European Union, which is competent to authoritatively interpret Union law.