EU: Implementing regulation on products with digital elements
The EU Commission has published a Draft Commission implementing regulation on the technical description of the categories of important and critical products with digital elements pursuant to Regulation (EU) 2024/2847 of the European Parliament and of the Council (‘Cyber Resilience Act’).
In scope are products with digital elements (i.e. software, including standalone software, and hardware and its remote data processing, including hardware and software components) whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.
Specifically, this draft measure concerns those product categories listed in Annexes III and IV of the Cyber Resilience Act.
As foreseen by Article 32 of the Cyber Resilience Act, important products with digital elements that fall under class I as set out in Annex III will either need to follow harmonised standards, common specifications, or European cybersecurity certification schemes, or otherwise undergo third-party conformity assessment.
Important products with digital elements that fall under class II as set out in Annex III and critical products with digital elements as set out in Annex IV will need to undergo third-party conformity assessment.
The regulation has the following objectives:
Cyber-attacks can spread across the internal market within minutes, with most incidents arising from vulnerabilities in products. To address this, the main regulation targets two key issues: the generally low cybersecurity standards of many products with digital elements sold within the EU internal market, and the tendency of manufacturers to neglect providing updates to fix vulnerabilities throughout a product’s lifecycle. The proposed rules aim to tackle these challenges by introducing mandatory, horizontal cybersecurity requirements for manufacturers and obligating them to supply up-to-date information and instructions to customers.
Under these rules, manufacturers are held responsible for ensuring that products with digital elements placed on the EU internal market comply with cybersecurity standards. The objective is to prevent deceptive practices and strengthen consumer protection. Additionally, the rules seek to benefit business users and consumers by increasing transparency regarding security features and by reinforcing fundamental rights, such as privacy and data protection. By reducing cybersecurity risks linked to insecure digital products, the regulation also aims to safeguard human health and safety.
Furthermore, the rules strive to harmonise and simplify cybersecurity requirements for digital products across the EU, preventing conflicting obligations from different EU sectoral and national laws. This approach would improve legal certainty for both EU-based and non-EU operators seeking to access the EU market.
The proposed date of adoption is the 3rd quarter of 2025.
To find out more about product compliance in the EU, please do not hesitate to contact the Product Compliance Institute.