🏥 2.7 European Health Data Space Regulation (Regulation (EU) 2025/327)

2.7.1 What is the interplay between the CRA and the European Health Data Space Regulation?

The CRA and the European Health Data Space (EHDS) Regulation both provide rules for the making available on the market of products: the CRA provides for essential cybersecurity requirements for products with digital elements, while the EHDS Regulation provides, amongst other things, essential requirements, including interoperability and logging requirements, and further obligations to be complied with for Electronic Health Record (EHR) systems.

A product may be a product with digital elements within the meaning of the CRA and an EHR system within the meaning of the EHDS Regulation at the same time.

Example: A computer or software designed for storing and viewing patient summaries while delivering healthcare services, which has been marketed and procured by a hospital, could be a product with digital elements within the meaning of the CRA that is also an EHR system within the meaning of the EHDS Regulation.

© 2025 European Union • CC-BY 4.0 • “FAQs on the Cyber Resilience Act” p.19–20 (PDF)

Disclaimer: This document is prepared by the Commission services and should not be considered as representative of the European Commission’s official position. The replies to the FAQs do not extend in any way the rights and obligations deriving from applicable legislation nor introduce any additional requirement. The expressed views are not authoritative and cannot prejudge any future actions the European Commission may take, including potential positions before the Court of Justice of the European Union, which is competent to authoritatively interpret Union law.

2.7.2 Should a product comply with both the CRA and EHDS Regulation requirements?

A product may be a product with digital elements within the meaning of the CRA and an EHR system within the meaning of the EHDS Regulation at the same time. In such cases, a product will need to comply with the requirements set out in both the CRA and the EHDS Regulation (Recital 112 EHDS Regulation). The cybersecurity requirements set out in the CRA and the EHDS Regulation are of such a nature that compliance with the requirements of either the CRA or the EHDS Regulation alone will not fully satisfy those of the other Regulation.

However, the CRA (Article 13(4) CRA) determines that for products with digital elements that are also EHR systems, the cybersecurity risk assessment required by the CRA may be part of the risk assessment required by the EHDS Regulation.

© 2025 European Union • CC-BY 4.0 • “FAQs on the Cyber Resilience Act” p.20 (PDF)

2.7.3 Should a manufacturer ensure the assessment of conformity for a product through the procedures set out in both the CRA and EHDS Regulation?

Both the CRA and the EHDS Regulation provide for conformity assessment procedures for relevant products. In the case of the CRA this applies to products with digital elements, whereas under the EHDS Regulation this applies to the harmonised software components of EHR systems (as defined in Article 25(1) EHDS Regulation).

However, this does not mean that manufacturers need to ensure the assessment of conformity of the cybersecurity of a product through the procedures set out in both the CRA and the EHDS Regulation in cases where a product is a product with digital elements within the meaning of the CRA and an EHR system within the meaning of the EHDS Regulation at the same time. The CRA (Article 32(5a), which was introduced by the EHDS Regulation) determines that in such cases the conformity assessment procedure of the EHDS Regulation should apply instead of the procedure of the CRA.

© 2025 European Union • CC-BY 4.0 • “FAQs on the Cyber Resilience Act” p.20 (PDF)

2.7.4 Should the manufacturer draw up separate EU declarations of conformity per Union legal act?

Concerning the drawing up of the EU declaration of conformity by the manufacturer, Article 39(2) of the EHDS Regulation provides for a single EU declaration of conformity to be drawn up in respect of all Union legal acts applicable to the EHR system. That EU declaration of conformity shall contain all the information required for the identification of the Union legal acts to which it relates. The CRA provides the same for products with digital elements in Article 28(3).

© 2025 European Union • CC-BY 4.0 • “FAQs on the Cyber Resilience Act” p.20–21 (PDF)
