CRA FAQ

In accordance with Articles 7(1) and 8(1), a manufacturer should look at the core functionality of its product with digital elements to determine whether that product is an important or critical product with digital elements and is therefore subject to the corresponding conformity assessment procedures.

The technical descriptions of the categories of important and critical products with digital elements are laid down in Commission Implementing Regulation (EU) 2025/2392 of 28 November 2025 on the technical description of the categories of important and critical products with digital elements.

As specified in Article 7(1), integrating an important or critical product with digital elements into another product with digital elements does not automatically render that product subject to the conformity assessment procedures applicable to important and critical products. For example, integrating an embedded browser as a component of a news app for use in smartphones does not in itself render the news app subject to the conformity assessment procedure applicable to products with digital elements that have the core functionality of "standalone and embedded browsers". Similarly, integrating a secure element into a laptop does not in itself render the laptop subject to the conformity assessment procedure applicable to products with digital elements that have the core functionality of "smartcards and similar devices, including secure elements".

As stated in 3.1 What determines if a product with digital elements is an important or critical product?, the core functionality of the product with digital elements into which other components are integrated determines whether that product is an important or critical product with digital elements.

In accordance with paragraphs (1) to (3) of Article 13, the CRA establishes that manufacturers of products with digital elements are to implement the essential cybersecurity requirements in a way that is proportionate to the risks of the product with digital elements, based on the intended purpose and reasonably foreseeable use as well as the conditions of use of the product with digital elements, taking into account the length of time the product is expected to be in use. Irrespective of whether the product with digital elements is considered to be an important or critical product with digital elements, manufacturers are to carry out a comprehensive cybersecurity risk assessment and indicate how the essential cybersecurity requirements are implemented as informed by the risk assessment, including their testing and assurance.

For example, a manufacturer wishes to place on the market two different versions of a VPN. In accordance with its risk assessment, the manufacturer determines that one of the two VPNs presents more substantial risks, for example because that VPN is intended to be deployed in a critical infrastructure environment, while the other VPN presents fewer risks, for example because it is intended only for use in a residential setting. Consequently, the manufacturer is expected to implement the essential requirements for both products in such a way that it ensures that the respective risks are mitigated accordingly.

As explained in Recital 4 of Commission Implementing Regulation (EU) 2025/2392 of 28 November 2025 on the technical description of the categories of important and critical products with digital elements, the fact that a product with digital elements performs functions other than or additional to its core functionality does not in itself mean that the product with digital elements does not have the core functionality of an important or critical product. For example, products that have the core functionality of "operating systems" (an important product with digital elements of Class I) often include software that performs ancillary functions not included in the technical description of that product category, such as calculators or simple graphics editors. Products with digital elements often also incorporate components that have the functionality of another important or critical product with digital elements, such as an operating system integrating browser functionality, or a router integrating firewall functionality. This, however, does not in itself mean that such products with digital elements do not have the core functionality of "operating systems" or "routers, modems intended for the connection to the internet, and switches" (also important products with digital elements of Class I), respectively.

On the other hand, a product that has the ability to perform the function(s) of an important or critical product category but whose core functionality itself is different from that of such product category is not to be considered to have that core functionality. For example, a security orchestration, automation and response (SOAR) software often has the ability to perform the functions of "security information and event management (SIEM) systems". However, as the SOAR's core functionality is different from that of a SIEM, SOAR software is generally not to be considered to have the core functionality of "security information and event management (SIEM) systems". Similarly, a smartphone typically integrates components that perform the functions of several important or critical products, such as an operating system or an integrated password manager. However, as a smartphone's core functionality is not that of an operating system or of a password manager, it is generally not to be considered to have the core functionality of an operating system or of a password manager.