In short, the CRA lays down rules for ensuring that manufacturers improve the security of products with digital elements (PDE) from the design and development phase throughout the whole life cycle. It also contains provisions that aim to enhance transparency regarding the security properties of PDE's, as well as to enable businesses and consumers to use such products securely.
The CRA will apply to all PDE's whose 'intended and reasonably foreseeable use' includes a direct or indirect logical or physical data connection to a device or network. It does, however, exclude a range of products, such as Software-as-a-service (SaaS) products, medical devices and motor vehicles, since these products are already covered by other legislative acts.
Key provisions under the CRA?
When will the CRA apply?
To allow manufacturers, notified bodies and Member States time to adapt to the new requirements, the CRA is proposed to become applicable 24 months after its entry into force, except for the reporting obligation on manufacturers, which would apply from 12 months after the date of entry into force.
The proposed CRA is open for feedback until 22November 2022. If you would like to share your views on the proposal with the European Commission, you can do so by visiting the following link and clicking the yellow "Give feedback" button: