Understanding “Products with Digital Elements” Under the Cyber Resilience Act (CRA)
If you’re evaluating whether your product falls under the Cyber Resilience Act (CRA), you’ve likely encountered the term “Product with Digital Elements” (PDE). This term is central to the CRA, and understanding it is crucial.
The Cyber Resilience Act (CRA) defines the scope of its regulations in Article 2, which explicitly references “products with digital elements.” According to the CRA:
Article 2 – Scope
1. This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network.
In order to clarify terms like “product with digital elements”, the CRA provides a formal definition in Article 3 (Definitions):
(1) ‘product with digital elements’ means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;
So, what are the important factors in identifying a PDE that falls within the scope of the CRA?
- Software or hardware product
The CRA covers not only physical hardware products; software products are also in scope.
- Data connection
If a product with digital elements includes a data connection to another device or network, it falls in scope of the Cyber Resilience Act (CRA). It is important to note that this does not apply solely to network connections. As clarified in Question 1.3 of the CRA Implementation FAQ, any connection that transmits data – such as USB, Bluetooth, Profinet, CAN-Bus, or software interfaces – is included in this definition.
If a product with digital elements falls within the scope of the CRA, its remote data processing solutions are in scope as well.
The term “Product with Digital Elements” (PDE) is a cornerstone of the Cyber Resilience Act (CRA). Understanding whether your product qualifies as a PDE is the first step toward identifying if your product is in scope of the CRA. By identifying your products early and implementing robust cybersecurity measures in compliance with the CRA, you can navigate the new EU regulation with confidence.
