Summary

This article outlines the certification and labeling requirements under the EU Cyber Resilience Act (CRA) for products with digital elements, ensuring they meet essential cybersecurity standards and are properly labeled to indicate compliance.

Relevant CRA Provisions

• Recital (89)
• Recital (81)
• Recital (82)
• Article 29
• Article 30
• Article 12

Detailed Explanation

The CRA mandates that products with digital elements must undergo specific certification processes to ensure they comply with essential cybersecurity requirements. The CE marking is a critical component of this process, indicating that a product conforms to the necessary standards. The CE marking must be visibly, legibly, and indelibly affixed to the product or its packaging. For software products, it can be placed on the accompanying EU declaration of conformity or on a website, provided it is easily accessible. The height of the CE marking can be less than 5 mm if it remains visible and legible. The marking should be applied before the product is placed on the market and may include additional pictograms or marks indicating special cybersecurity risks.

Products certified under existing European cybersecurity certification schemes, such as those established by Regulation (EU) 2019/881, are presumed to be in compliance with the CRA’s essential cybersecurity requirements. This presumption applies to the extent that the certification covers the relevant requirements. Manufacturers may be exempt from third-party conformity assessments if a European cybersecurity certificate has been issued at least at the ‘substantial’ level.

Obligations for Stakeholders

• Manufacturers: Must ensure products with digital elements comply with essential cybersecurity requirements, obtain necessary certifications, and affix the CE marking correctly. They should participate in relevant certification schemes and ensure that any required third-party assessments are conducted.
• Distributors and Importers: Must verify that products they place on the market are certified and correctly labeled with the CE marking. They should ensure that the EU declaration of conformity is available and accurate.
• Open Source Software Stewards: Should ensure that any digital elements they provide are compliant with the CRA’s requirements and are properly certified and labeled.