Summary

The EU Cyber Resilience Act (CRA) introduces comprehensive cybersecurity requirements for products with digital elements, including emerging technologies such as IoT, AI, and blockchain. This article examines the specific implications and regulatory challenges the CRA poses for these technologies, focusing on development, deployment, and compliance requirements.

Relevant CRA Provisions

Detailed Explanation

The CRA aims to establish a harmonized regulatory framework for cybersecurity across the EU, addressing the gaps in existing Union law and reducing legal uncertainty for manufacturers and users of products with digital elements. It introduces horizontal cybersecurity requirements that apply to all such products, ensuring a consistent approach across the internal market. The Regulation also acknowledges the unique challenges posed by emerging technologies and provides specific provisions to support their development and compliance.

For high-risk AI systems, the CRA requires compliance with essential cybersecurity requirements and the involvement of notified bodies for conformity assessment. It allows for derogations and the use of regulatory sandboxes to foster innovation. The Regulation also provides tailored support for microenterprises and small and medium-sized enterprises, including simplified technical documentation and access to regulatory sandboxes.

Obligations for Stakeholders

  • Manufacturers: Must ensure their products with digital elements comply with the essential cybersecurity requirements. For high-risk AI systems, they must demonstrate compliance through an EU declaration of conformity and participate in conformity assessment procedures. Manufacturers can also engage in AI regulatory sandboxes to test innovative products.
  • Distributors and Importers: While not explicitly mentioned in the provided extracts, they are generally required to ensure that the products they place on the market comply with the CRA’s requirements.
  • Open Source Software Stewards: The CRA takes into account the nature of different development models of software distributed and developed under free and open-source software licenses, providing tailored guidance and support.
  • Microenterprises and Small Enterprises: Benefit from specific support measures, including awareness-raising, training, dedicated communication channels, and simplified technical documentation. They can also access cyber resilience regulatory sandboxes for testing innovative products.