Summary
The EU Cyber Resilience Act (CRA) addresses the cybersecurity requirements for products with digital elements classified as high-risk AI systems, ensuring they meet essential cybersecurity standards and undergo appropriate conformity assessments.
Relevant CRA Provisions
Detailed Explanation
The CRA mandates that products with digital elements classified as high-risk AI systems must comply with essential cybersecurity requirements. These products are deemed to meet the cybersecurity requirements of Regulation (EU) 2024/1689 if they fulfill specific criteria: they must meet the essential cybersecurity requirements outlined in Annex I, their manufacturing processes must comply with these requirements, and the necessary level of cybersecurity protection must be demonstrated in the EU declaration of conformity. The conformity assessment for these products generally follows the procedure outlined in Article 43 of Regulation (EU) 2024/1689. However, important or critical products with digital elements are subject to the CRA’s conformity assessment procedures regarding essential cybersecurity requirements. Manufacturers of these products may also participate in AI regulatory sandboxes as per Article 57 of Regulation (EU) 2024/1689.
Obligations for Stakeholders
- Manufacturers: Must ensure that high-risk AI systems comply with essential cybersecurity requirements, demonstrate this compliance in the EU declaration of conformity, and may participate in AI regulatory sandboxes.
- Market Surveillance Authorities: Responsible for ensuring compliance with the CRA, including conducting market surveillance and coordinating with other relevant authorities. They must also cooperate with national cybersecurity certification authorities and provide guidance to economic operators.
- Open-Source Software Stewards: Must comply with the obligations set out in Article 24 and take appropriate corrective actions if non-compliance is found.