EU Cyber Resilience Act FAQ Interplay With Other EU Laws

No.

The CRA is a horizontal product-cybersecurity regime. It adds mandatory cybersecurity rules for products with digital elements, but it does not generally replace other Union acts that regulate the same product from another angle, such as product safety, machinery, data protection, health-data systems, or AI. Depending on the product, the CRA may apply alongside those other acts, unless the CRA itself excludes the product or a later delegated act limits the CRA for a specific product framework.

Yes.

That is a normal CRA scenario. The Commission FAQ gives machinery, radio equipment, EHR systems, and connected products that are also subject to the Data Act as examples of products that may have to comply with more than one Union framework at once.

The starting point is the CRA's express exclusions and any delegated acts adopted under Article 2(5).

Some products are excluded directly by Article 2, including products to which the medical-device and in vitro-diagnostic frameworks apply, products to which Regulation (EU) 2019/2144 applies, products certified under the civil-aviation framework, and marine equipment in scope of Directive 2014/90/EU. In addition, Delegated Regulation (EU) 2025/1535 excludes products falling within the scope of Regulation (EU) No 168/2013, except L1e category vehicles designed to pedal. More generally, Article 2(5) allows the Commission to limit or exclude the CRA for products covered by other Union rules that address the same risks, but only where that is consistent with the overall framework and delivers the same or a higher level of protection.

The CRA complements them; it does not duplicate them.

Recital 3 says existing Union cybersecurity law, including Regulation (EU) 2019/881 and Directive (EU) 2022/2555, does not directly cover mandatory security requirements for products with digital elements. Recital 24 adds that the CRA is intended to facilitate compliance by digital infrastructure providers with NIS2 supply-chain requirements by making the products they use more secure and better supported. The CRA also operates without prejudice to Union-level NIS2 supply-chain risk assessments.

Where a wallet product falls within the CRA's scope, both frameworks apply.

Recital 33 says providers of European Digital Identity Wallets should comply with both the CRA's horizontal essential cybersecurity requirements and the specific security requirements in Article 5a of Regulation (EU) No 910/2014. The same recital also says that, where the Commission has specified a presumption of conformity, a European cybersecurity certification scheme under Regulation (EU) 2019/881 may be used to help demonstrate compliance with both frameworks for the covered requirements.

They are complementary, but they do not serve the same function.

The Product Liability Directive deals with compensation for damage caused by defective products. The CRA sets ex ante cybersecurity obligations for products placed on the market. The Commission FAQ explains that CRA duties such as security-update obligations can become relevant when defectiveness and damage are assessed under the Product Liability Directive.

A product can fall under both.

The CRA covers essential cybersecurity requirements for products with digital elements. The Machinery Regulation covers essential health and safety requirements for machinery and related products, including some cybersecurity-related safety issues. Recital 53 and the Commission FAQ both say manufacturers of products in scope of both regimes need to comply with both sets of requirements.

No.

The Commission FAQ says compliance with only one regime cannot automatically be treated as full compliance with the other. There may be synergies where the same technical work addresses similar cybersecurity risks, but the manufacturer still has to demonstrate that on the basis of a risk assessment and the applicable standards or technical specifications. The applicable conformity assessment procedures under both frameworks also remain relevant.

They cover different kinds of risks.

The CRA addresses cybersecurity risks for products with digital elements. The GPSR addresses product safety for consumer products. Article 11 of the CRA says the GPSR continues to apply to aspects and risks not covered by the CRA, unless those risks are already governed by another specific Union harmonisation law.

Yes.

If the product also presents safety risks that are not covered by the CRA, and those risks are not already addressed by a more specific Union product regime, the GPSR may still apply to those safety aspects.

The key issue is timing.

The Commission FAQ says that, for the categories of radio equipment covered by Delegated Regulation (EU) 2022/30, the RED cybersecurity requirements apply to products placed on the market from 1 August 2025 until 10 December 2027. For those same products placed on the market on or after 11 December 2027, the CRA applies instead for the relevant cybersecurity requirements. The FAQ also says a repeal of the RED delegated act from 11 December 2027 would not undo RED market-surveillance treatment for products already placed on the market during the RED period.

Article 12 sets a specific coordination rule.

Where a product is both a CRA product and a high-risk AI system, compliance with the CRA can satisfy the AI Act's cybersecurity requirement in Article 15 to the extent covered by the CRA declaration of conformity. As a rule, the AI Act conformity assessment procedure applies for those cybersecurity requirements. But Article 12(3) preserves the CRA's stricter conformity assessment routes for important and critical CRA products where the AI Act would otherwise rely on internal control.

A product may need to comply with both.

The Commission FAQ says a product may be both a product with digital elements under the CRA and an EHR system under the EHDS Regulation. In that case, both sets of requirements can apply. The same FAQ also says the CRA cybersecurity risk assessment may form part of the EHDS risk assessment, and that, for the covered EHR-system scenario, the EHDS conformity assessment route applies instead of the CRA route because the EHDS introduced Article 32(5a) into the CRA.

They are different legal regimes.

The CRA regulates products placed on the market. The GDPR regulates the processing of personal data by controllers and processors. They can support similar security outcomes, but the CRA does not replace the GDPR and the GDPR does not replace the CRA.

No.

The Commission FAQ says CRA compliance has no formal effect on the separate GDPR tools used to demonstrate compliance with data-protection law. The two frameworks may reinforce each other in practice, but they are not interchangeable.

The two regimes address different issues, but one product may fall under both.

The CRA is about the making available of products with digital elements and their cybersecurity. The Data Act is about access to and sharing of product data and related service data. The Commission FAQ says manufacturers should take relevant Data Act data-access obligations into account in the CRA risk assessment where those obligations apply to the same product.

No, not as a general rule in the CRA materials.

The Commission FAQ says the Data Act does not create a standalone rule that all already marketed products must be redesigned solely because of the Data Act. It also explains that CRA cybersecurity requirements apply fully from 11 December 2027, while products already placed on the market before that date are generally brought into those requirements only if they are substantially modified after that date. The same FAQ adds that CRA reporting obligations apply more broadly.

Not in the same way, and sometimes not at all.

Article 2 excludes products to which the medical-device and in vitro-diagnostic frameworks apply, products to which Regulation (EU) 2019/2144 applies, products certified under the civil-aviation framework, and marine equipment within Directive 2014/90/EU. Separately, Delegated Regulation (EU) 2025/1535 excludes products falling within the scope of Regulation (EU) No 168/2013, except L1e category vehicles designed to pedal. The Commission FAQ adds an important aviation nuance: products that fall within the aviation framework but are not certified under Regulation (EU) 2018/1139 may still be covered by the CRA, and separately marketed components intended for certified aviation products may also remain in scope if those components are not themselves certified under that framework.

No, not merely because they can also be used for defence or national-security purposes.

The CRA excludes products developed or modified exclusively for national security or defence purposes and products specifically designed to process classified information. The Commission FAQ adds that dual-use products with both civilian and defence applications remain subject to the CRA unless they are modified exclusively for national security or defence purposes.

Yes.

Article 28(3) requires a single EU declaration of conformity where more than one Union act requiring such a declaration applies to the product. The Commission FAQ confirms the same logic for overlapping CRA and EHDS scenarios.

Often yes, but the manufacturer still has to prove compliance with each law separately.

For CRA Article 12 products that are also subject to other Union acts with technical-documentation requirements, Article 31(3) requires a single technical-documentation set. Article 13(4) also allows the CRA cybersecurity risk assessment to form part of the risk assessment required by those other Union acts. The Commission FAQ adds that manufacturers may use one combined risk assessment or separate risk assessments, but they must be able to demonstrate compliance with each applicable regime.

No.

Outside the CRA's express exclusions and specific delegated acts adopted under Article 2(5), the existence of sector-specific cybersecurity requirements does not by itself switch the CRA off. Recital 28 makes clear that limitation or exclusion for other Union rules requires an additional Commission act and depends on the overall framework addressing the same risks at the same or a higher level of protection.

No.

The Commission FAQ says components intended for certified aviation products may still be covered where the component itself is not certified under Regulation (EU) 2018/1139, and the same logic applies to components intended for marine equipment where the component itself is not within Directive 2014/90/EU. The draft guidance adds a more specific rule for vehicle frameworks: components designed and constructed exclusively for integration into vehicles covered by Regulation (EU) 2019/2144 or Regulation (EU) No 168/2013 can stay outside the CRA, but generic components that can also be used elsewhere remain in scope. It also says distribution facts matter: if a non-exclusive component is offered through channels open beyond the automotive supply chain, such as general retail or public online sales, it falls within the CRA regardless of intended-use statements.

Partly, for a limited time and only for the risks those certificates actually cover.

Article 69(1) says EU type-examination certificates and approval decisions issued regarding cybersecurity requirements under other Union harmonisation legislation remain valid until 11 June 2028, unless they expire earlier or that other legislation provides otherwise. The draft guidance explains that this does not amount to full CRA compliance. It only means the manufacturer does not need to reassess or re-demonstrate compliance for the already covered cybersecurity risks during that period. The manufacturer must still perform the CRA cybersecurity risk assessment and address any additional risks not covered by the earlier certificate, including where the prior certificate was issued under the RED cybersecurity regime or the Machinery Regulation.

Yes, in the Article 12 coordination setup.

Article 12(2) says that, for products with digital elements that are also high-risk AI systems, the relevant AI Act conformity assessment procedure applies for the covered cybersecurity requirements. For that assessment, notified bodies that are competent under the AI Act may also assess conformity with the CRA Annex I requirements, provided their compliance with the CRA notified-body requirements in Article 39 has been assessed in the AI Act notification context. Article 12(3) then preserves the CRA's own stricter routes for important and critical CRA products where the AI Act would otherwise use internal control.