The CRA and the General Data Protection Regulation (GDPR) are of a different nature and there is no legal overlap. The CRA sets out obligations for economic operators making products with digital elements available on the market, while the GDPR provides for rules, including obligations, for natural and legal persons acting as controllers or processors of personal data.
While of a different nature, these regulations may complement each other. The CRA provides for cybersecurity requirements for products with digital elements that may contribute to the protection of the personal data of natural persons. These include, among other things, the confidentiality and integrity of personal and other data, data minimisation, a secure-by-default configuration, as well as requirements relating to vulnerability handling and to minimising the impact of significant incidents (Annex I). Similarly, the GDPR provides for requirements for personal data processing activities, such as the data minimisation and the integrity and confidentiality principles (Article 5 GDPR), the obligation for data protection by design (Article 25 GDPR), security of processing (Article 32 GDPR), and the notification of personal data breaches (Article 33 GDPR), which may contribute to the cybersecurity of products with digital elements.
However, a manufacturer’s compliance with the requirements of the CRA for a product with digital elements does not have any formal impact on the tools used by controllers or processors under the GDPR to demonstrate that their processing of personal data complies with the GDPR (such as codes of conduct (Article 40 GDPR) or certification schemes (Article 42 GDPR)).
Disclaimer
This document is prepared by the Commission services and should not be considered as representative of the European Commission’s official position. The replies to the FAQs do not extend in any way the rights and obligations deriving from applicable legislation nor introduce any additional requirement. The expressed views are not authoritative and cannot prejudge any future actions the European Commission may take, including potential positions before the Court of Justice of the European Union, which is competent to authoritatively interpret Union law.