CRA FAQ

The CRA and the Data Act (DA) are essentially of a different nature, with the former setting rules for the making available of products with digital elements on the market, while the latter lays down rules for (amongst other things) the making available of product data and related services data to other entities.

However, in certain cases the requirements of the CRA and the DA may be applicable to similar products. In certain cases, a product with digital elements within the meaning of the CRA may also be a connected product or a related service within the meaning of the DA.

For example, home appliances that contain hardware and software and can be connected to the internet for their functionality, such as a ‘smart’ refrigerator, may also collect data concerning their use and be able to communicate that product data via the Internet. In that sense, the smart refrigerator may be a product with digital elements within the meaning of the CRA and a connected product within the meaning of the DA at the same time.

The CRA determines inter alia that products with digital elements shall be made available on the market only where they meet certain cybersecurity requirements (Article 6). Manufacturers have to ensure that when placing products with digital elements on the market, they are designed, developed and produced in accordance with those requirements (Article 13). Manufacturers will have to carry out a risk assessment comprising an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use of the product.

Where a product with digital elements within the meaning of the CRA may also be subject to the requirements of the DA to make data available to users or third parties (Articles 4 and 5 DA), the manufacturer will need to ensure that relevant requirements under the DA are also considered as part of the risk assessment. Manufacturers should keep in mind that while the DA obliges access to product and related service data to users and third parties, it also establishes measures for data holders to restrict or refuse data sharing in certain cases (e.g. using the so-called ‘trade secret’ and ‘safety and security’ handbrakes (Articles 4(8) and 5(11), and 4(2), DA respectively).

Under the DA, there is no strict (re)design product obligation. Rather, manufacturers remain free to design products as they see fit, as long as the obligations related to making data available are complied with.

Whilst the CRA is set to apply fully by 11 December 2027, products with digital elements placed on the market before that date are only subject to the CRA’s cybersecurity requirements if, from that date, they are subject to a substantial modification (Article 69(2) CRA). Reporting obligations, e.g. for actively exploited vulnerabilities, apply for all products with digital elements (Article 14). See also 1.4 Does the CRA apply to products with digital elements placed on the market before 11 December 2027?