Menu
Close-up of an illuminated laptop keyboard in a dimly lit setting. The focus is on the Windows key, which is prominently lit among other keys like Shift, Z, X, and Alt. The lighting creates a blue-tinted glow across the keys, highlighting the keyboard's sleek design.

Commission publishes guidance on Cyber Resilience Act

On December 3, 2025, the European Commission published its first set of technical FAQs on the EU Cyber Resilience Act (CRA). The CRA establishes EU‑wide cybersecurity requirements for products with digital elements (PDEs), including IoT devices, hardware components, and certain software. While the CRA becomes fully applicable on December 11, 2027, manufacturers will be subject to early reporting obligations for actively exploited vulnerabilities and significant incidents from September 11, 2026.

The FAQs clarify when a product falls within the CRA’s scope, focusing on whether a PDE has a direct or indirect logical or physical connection to a device or network. A direct logical connection exists where the PDE initiates or manages communications, such as a browser establishing an HTTPS connection. An indirect connection may arise where the PDE itself does not communicate externally but operates on a host system that does, such as an offline text editor running on a network‑connected operating system.

The Commission also addresses the interaction between the CRA and other EU digital legislation, including the Machinery Regulation, the GDPR, and the Data Act. The FAQs confirm that a single PDE may be subject to overlapping obligations, notably under the CRA and the Data Act. Manufacturers are therefore expected to consider data access and sharing duties under the Data Act when assessing cybersecurity risks under the CRA, reflecting the increasingly interconnected nature of EU digital regulation.

Finally, the FAQs provide guidance on cybersecurity risk assessments, emphasizing the relevance of a product’s intended purpose and reasonably foreseeable use or misuse. Products designed for professional users may still require safeguards and instructions that account for potential non‑professional use. Where foreseeable misuse exists, related risks must be clearly communicated to users. Manufacturers placing PDEs on the EU market should review the FAQs carefully to ensure alignment with the Commission’s interpretation, particularly ahead of further guidance expected for microenterprises and SMEs.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *