Exemptions Under the EU's Cyber Resilience Act: Defining the Boundaries

The European Union’s Cyber Resilience Act (CRA) is a horizontal regulation that sets cybersecurity requirements for products with digital elements placed on the EU market. Although the act aims to establish a security baseline across hardware and software alike, several categories of products are excluded from its scope. These exclusions keep the CRA from duplicating sector-specific regimes that already impose cybersecurity requirements, and from reaching products that, by their nature, present little attack surface.


Products Governed by Existing Regulations

One of the key exclusions within the CRA covers products already subject to other Union legislation with its own cybersecurity requirements. This exclusion recognizes that certain sectors, due to their sensitivity and potential impact on safety, have established regulatory frameworks that address cybersecurity risk, and that a second, overlapping set of obligations would add cost without adding protection. These sectors include:

  • Medical devices: The medical device industry is heavily regulated to ensure the safety and performance of products. The EU’s Medical Device Regulation (MDR) and In Vitro Diagnostic Medical Devices Regulation (IVDR) already require manufacturers to address cybersecurity as part of device safety, so the CRA does not apply to products covered by those regulations.
  • Motor vehicles: Vehicles are subject to type-approval rules that include cybersecurity requirements for connected vehicles (the EU type-approval framework incorporates UN Regulation No. 155 on cyber security management systems). The CRA excludes products covered by that framework to avoid conflicting requirements.
  • Civil aviation products: Aviation operates under a strict safety certification regime that already incorporates cybersecurity considerations. Excluding products covered by that regime prevents regulatory overlap and keeps a single, consistent approach to cybersecurity in this safety-critical sector.
  • Marine equipment: As in aviation, marine equipment is subject to its own conformity regime, which covers cybersecurity for vessels and related equipment. Excluding it from the CRA acknowledges that existing framework.


Products developed or modified exclusively for national security or defence purposes, and products specifically designed to process classified information, are also excluded from the scope of the CRA. This exclusion reflects the distinct requirements of those domains, which operate under their own security accreditation and handling rules rather than under a market-access regulation.


Open-Source Software

The CRA does not apply to free and open-source software (FOSS) that is supplied outside the course of a commercial activity, acknowledging the role of the open-source community in software development. The exemption turns on monetisation rather than on the licence, and the CRA treats the following as indicators of a commercial activity that brings the software into scope:

  • Charging for the FOSS itself: When a business charges a price for the distribution or licensing of the software, it is placing a product on the market and becomes subject to the CRA’s requirements as its manufacturer.
  • Charging for technical support services: Paid support for the software counts as monetisation, except where the charge serves only to recover the actual costs of providing it. The obligations then attach to the software product, not merely to the support service.
  • Processing personal data beyond what security and interoperability require: If the software is used to process personal data for reasons other than exclusively improving its security, compatibility or interoperability, that is treated as monetisation and the software falls within the CRA’s scope.


While the exemption for FOSS encourages continued open-source development, the conditions outlined above raise questions about accountability in mixed-use scenarios. The exemption protects the upstream project, not the downstream integrator: when a company incorporates FOSS into a commercial product that falls under the CRA’s scope, the company, as manufacturer, must exercise due diligence on that component and is responsible for the security of the product as a whole, including vulnerabilities inherited from the open-source code. In practice this means tracking integrated components (for example in a software bill of materials), monitoring them for vulnerabilities, and shipping fixes for the product regardless of whether the upstream project has issued one.


Standalone and Internal-Use Products

Products with no data connection at all are outside the CRA, because the act defines a product with digital elements as one whose intended purpose or reasonably foreseeable use includes a direct or indirect, logical or physical data connection to a device or network. The rationale is that a product operating in true isolation cannot be reached by a remote attacker. The caveat matters more than the rule: “not connected to a network” is narrower than it sounds. A device that is never connected to the internet but exposes a USB port, a Bluetooth radio or a serial interface has a data connection to other devices and is in scope; a network interface that is present but unused does not take a product out of scope either, since reasonably foreseeable use counts. Only products with no connectivity of any kind benefit from this exclusion.

Similarly, products developed exclusively for internal use within an organization and never placed on the EU market are outside the CRA. The act attaches to making a product available on the market, and an internally developed tool that stays inside the organization that built it is not made available to anyone. Such products do not pose the same market-wide risk as products supplied to customers or the public.

Organizations can govern these products through their own internal cybersecurity policies and procedures without being subject to the CRA’s requirements. The exclusion ends, however, the moment the product is supplied to a third party in the course of a commercial activity, whether or not payment is involved, so an internal tool that is later offered to customers or partners must be assessed against the CRA at that point.


Software as a Service (SaaS) and Platform as a Service (PaaS)

SaaS and PaaS offerings are generally outside the CRA because they are services rather than products placed on the market; cloud services are instead addressed by the NIS2 Directive. A purely cloud-hosted application that users reach through a browser, with no product of the provider’s running on the user’s side, is therefore not a product with digital elements. There is an important exception: the CRA covers “remote data processing solutions”, meaning data processing at a distance for which the software is designed and developed by or on behalf of the manufacturer of a product, and without which the product could not perform one of its functions. For instance, the cloud platform that a fitness wearable depends on for data synchronization and analysis is part of the wearable as a product and falls under the CRA, together with the firmware and companion app, because the device cannot deliver that function without it. A practical test is whether the product still performs all of its advertised functions if the cloud component is unavailable; if not, the cloud component is in scope.

The exemptions within the CRA narrow the regulation to products that are actually placed on the EU market, that have some form of data connection, and that are not already covered by a sector-specific cybersecurity regime, while avoiding unnecessary burdens on non-commercial open-source development.

Understanding these exemptions is essential for businesses and developers operating within the EU to determine whether their products fall within the scope of the CRA and to ensure compliance with its requirements when applicable.
