Summary

This article outlines the specific security requirements and best practices for ensuring the safe integration and operation of AI and ML technologies within products, in alignment with the Cyber Resilience Act’s (CRA) objectives. It emphasizes the essential cybersecurity requirements for high-risk AI systems and the obligations of manufacturers to ensure compliance.

Relevant CRA Provisions

Detailed Explanation

The CRA imposes specific cybersecurity requirements on products with digital elements, including those incorporating AI and ML technologies. High-risk AI systems, as defined under Article 6 of Regulation (EU) 2024/1689, must comply with the essential cybersecurity requirements outlined in the CRA. These requirements ensure that products are secure both when they are placed on the market and throughout their expected use.

Manufacturers must fulfill the essential cybersecurity requirements set out in Part I of Annex I and ensure that their processes comply with the requirements in Part II of Annex I. Additionally, the level of cybersecurity protection must be demonstrated in the EU declaration of conformity. For high-risk AI systems, the conformity assessment procedure outlined in Article 43 of Regulation (EU) 2024/1689 applies, with notified bodies competent to assess compliance.

Important and critical products with digital elements, as listed in Annexes III and IV, are subject to stricter conformity assessment procedures to ensure a higher level of cybersecurity. Manufacturers must conduct a cybersecurity risk assessment to identify relevant risks and apply suitable standards or specifications. If certain essential cybersecurity requirements are not applicable, manufacturers must provide a clear justification and take alternative measures to address identified risks.

Obligations for Stakeholders

  • Manufacturers: Must ensure that products with digital elements, including high-risk AI systems, meet the essential cybersecurity requirements. They must conduct cybersecurity risk assessments, apply relevant standards, and demonstrate compliance through the EU declaration of conformity.
  • Distributors and Importers: Must verify that products comply with the CRA’s requirements before placing them on the market. They should ensure that manufacturers have provided the necessary documentation and declarations of conformity.