Summary

Critical and important products under the CRA are subject to heightened cybersecurity requirements and conformity assessment procedures due to their significant impact on cybersecurity and potential adverse effects on users and supply chains.

Relevant CRA Provisions

Recital 10, Recital 43, Recital 44, Recital 45, Recital 46, Recital 48, Recital 51
Article 7, Article 8

Detailed Explanation

The CRA distinguishes between critical and important products with digital elements based on the level of cybersecurity risk they pose. Critical products are those that have significant cybersecurity-related functionalities and are critical dependencies for essential entities. They may cause serious disruptions if vulnerabilities are exploited. Important products are divided into two classes (I and II) based on the level of risk they pose, with class II products subject to stricter conformity assessments due to their higher potential for adverse effects.

Obligations for Stakeholders

Manufacturers: Must ensure that critical and important products comply with the essential cybersecurity requirements. For critical products, manufacturers may be required to obtain a European cybersecurity certificate. For important products, manufacturers must undergo the specified conformity assessment procedures.