Both the CRA and Regulation (EU) 2018/1139 (also known as the 'EASA Basic Regulation') establish rules for placing products on the market. The CRA applies to products with digital elements, while the EASA Basic Regulation applies to aeronautical products, parts, and equipment (including software).
The EASA Basic Regulation sets out essential requirements, including those for protection against information security threats, and mandates EASA certification of civil aircraft and related products in accordance with Implementing Regulation (EU) 748/2012, Part 21.
Since 2020, the European Union Aviation Safety Agency (EASA) has explicitly integrated information security aspects into its certification rules by amending several Certification Specifications and issuing new guidance.
On that basis, Article 2(3) of the CRA exempts products certified under Regulation (EU) 2018/1139 from its applicability.
However, products that fall within scope of Regulation (EU) 2018/1139 but that are not certified under that Regulation, such as drones in the open category (the majority of leisure drone activities and low-risk commercial activities), may be covered by the CRA (if they are products with digital elements and are made available on the market).
Also, where components are intended for integration into products certified under Regulation (EU) 2018/1139 but those components are not certified under that Regulation, those components may be covered by the CRA (if they are products with digital elements and made available on the market).
Disclaimer
Disclaimer: This document is prepared by the Commission services and should not be considered as representative of the European Commission’s official position. The replies to the FAQs do not extend in any way the rights and obligations deriving from applicable legislation nor introduce any additional requirement. The expressed views are not authoritative and cannot prejudge any future actions the European Commission may take, including potential positions before the Court of Justice of the European Union, which is competent to authoritatively interpret Union law.