
During our webinar, Navigating EU Cybersecurity Compliance for Connected Products, attendees raised detailed questions about the Cyber Resilience Act (CRA), RED cybersecurity requirements, product classification, conformity assessment, incident reporting, cloud systems, and security support periods.
We answered several questions during the live session. For the main webinar takeaways, including RED scoping, EN 18031 risk assessment, documentation, evidence preparation, and CRA reporting readiness, read our RED, EN 18031 and CRA Readiness Guide: Practical Answers from the QIMA Webinar.
We were unable to cover every question during the session, so our cybersecurity experts prepared the additional answers below.
This article reflects the regulatory and standardization status as of July 2026. CRA reporting obligations apply from 11 September 2026, while the main CRA requirements apply from 11 December 2027.
These answers provide general technical guidance. The correct classification and conformity assessment route for a specific product must be determined using its complete technical documentation, intended purpose, reasonably foreseeable use, connectivity, and security architecture.
The closest match under Implementing Regulation (EU) 2025/2392 is likely to be “smartcards or similar devices, including secure elements”, which is a Critical product category.
This is because the card’s core functionality appears to be secure cryptographic key storage and transaction signing in a card form factor. However, a precise classification requires a careful assessment.
The Annex IV technical description requires the secure element to provide resistance to attacks at least at AVA_VAN.4 under Common Criteria.
Depending on the chip, the product may be classified as follows:
A JavaCard-based secure element at AVA_VAN.4 may be classified as Critical.
A tamper-resistant chip at AVA_VAN.2 or AVA_VAN.3 may be classified as Important Class II.
A security microcontroller below AVA_VAN.2 may be classified as Important Class I.
A simple NFC memory chip with cryptographic processing performed in software elsewhere will likely remain in the Default category.
According to the draft CRA guidance, classification is based on the single core functionality of the product as a whole.
In this case, the core functionality is more accurately described as secure key storage and transaction signing, rather than sending and receiving crypto assets. Broadcasting the transaction to the blockchain is normally performed by the mobile application, not by the card.
This distinction matters when comparing the product with the technical descriptions in the Implementing Regulation.
CRA Article 32(4) requires European cybersecurity certification for Critical products. The relevant scheme is expected to be EUCC, which is based on Common Criteria and the applicable Protection Profile for secure elements.
Harmonized standards and EUCC certification can both provide presumption of conformity with the CRA Essential Cybersecurity Requirements, but their use depends on the product category and the applicable conditions.
Two points must be checked before relying on an EUCC certificate for CRA conformity.
An EUCC certificate only covers what is included within its defined Target of Evaluation, or TOE.
The manufacturer must verify that the TOE boundary covers everything included in the CRA conformity claim. Depending on the product design, this may include:
The secure element
Firmware
The wallet application running on the secure element
The NFC interface
The mobile application, where it forms part of the product
Any backend processing that qualifies as a Remote Data Processing Solution
The delegated act defining the conditions under which EUCC provides presumption of conformity with the CRA has not yet been adopted.
Until it applies, Critical products must follow the fallback procedure for Important Class II products. This requires mandatory third-party assessment using Module B plus Module C, or Module H, with a notified body.
The delegated act will also define the required EUCC assurance level, which must be at least “substantial” and may be “high”, depending on the identified risk.
Both platform-level and application-level standards may be relevant:
prEN 50764, Cybersecurity requirements for platforms of smartcards and similar devices, including secure elements. This covers the secure element hardware and firmware platform. It will normally be relevant to the chip manufacturer, but it may also apply where the wallet manufacturer designs its own chip.
prEN 18330, Cybersecurity requirements for smartcards or similar devices, including secure elements, application layer. This covers the wallet application running on the secure element and is more directly relevant to the wallet manufacturer.
prEN 40000-1-2, prEN 40000-1-3, and prEN 40000-1-4, horizontal standards covering cyber resilience principles, risk-based compliance, vulnerability handling, and generic cybersecurity requirements.
At the time of writing, these standards have not been cited in the Official Journal of the European Union as CRA harmonized standards. They therefore do not yet provide presumption of conformity.
The next step is to identify the chip and its Common Criteria certification level, define the precise product boundary, document the mobile application’s role, and map the product’s core functionality against the technical descriptions in Implementing Regulation (EU) 2025/2392.
Once prEN 50764 and prEN 18330 are published, their scope sections should be reviewed carefully to determine how they apply to the specific product and how responsibilities are divided between the secure element platform and the application running on it.
Where classification remains uncertain, the manufacturer should consult the relevant market surveillance authority or conformity assessment body before selecting a conformity assessment route.
EN 18031 should not be seen as being directly replaced by EN 40000.
Under the Radio Equipment Directive, the preferred approach for demonstrating compliance with the cybersecurity requirements in Articles 3(3)(d), 3(3)(e), and 3(3)(f) is to apply the harmonized EN 18031 series, taking into account the restrictions included in its Official Journal citation.
From 11 December 2027, products covered by the CRA will need to comply with the CRA Essential Cybersecurity Requirements and use standards aligned with or harmonized under the CRA.
EN 40000 is a broader CRA-related standard series with several parts. For example, EN 40000-1-3 focuses on vulnerability handling, while other parts address risk-based compliance processes and generic cybersecurity requirements.
Product-specific security requirements must still be selected based on the product’s risk assessment and classification.
EN 18031 may therefore remain useful technical evidence where its requirements are relevant. However, CRA conformity will require the manufacturer to map the product’s risks and the CRA Essential Cybersecurity Requirements against the applicable EN 40000 parts, product-specific standards, or other justified technical specifications.
Each distinct product type, including each form factor, must be covered by the conformity assessment and EU Declaration of Conformity. For a card and a ring, this will normally mean assessing both product types.
However, the practical amount of repeated work depends on the selected conformity assessment module.
Module H may be the most efficient route in this situation.
The notified body assesses and certifies the manufacturer’s quality management system covering the relevant product types. Adding a new form factor can then be handled as an extension to the existing quality system, rather than as a complete reassessment from the beginning.
Under Module B plus Module C, a separate EU-type examination certificate may be required for each product type.
However, test results, technical documentation, and other evidence from the first assessment can be reused where the underlying technology is identical, including:
The secure element
Firmware
Cryptographic functions
Security architecture
Update mechanisms
Where the core functionality and security architecture are the same, the additional assessment should focus on the differences introduced by the form factor, such as the physical interface, hardware integration, tamper resistance, and attack surface.
Module H may be the more efficient route for manufacturers planning to place multiple related product variants on the market. The treatment of individual models and product types should be confirmed with the selected notified body.
The classification requires a thorough analysis of the product’s core functionality based on its complete documentation.
This includes:
Intended purpose
Technical documentation
Instructions for use
Promotional materials
Actual technical implementation
The manufacturer must make this determination. A classification cannot be assumed from the word “gateway” alone.
According to the “fully matches” test described in the draft CRA guidance, the product’s core functionality must fully match the technical description of an Annex III or Annex IV category to qualify as Important or Critical.
For a ZigBee gateway whose documented core functionality is local smart home device control, such as switching or dimming lights, two categories may initially appear relevant.
The technical description for routers requires the product to establish and control data flow between different networks using routing protocol mechanisms and algorithms at the network layer.
A protocol bridge used for device control may fall short of this definition, but the result must be verified against the actual technical implementation.
This category applies to smart home products whose core functionality is related to the physical security of consumers, such as connected door locks, cameras, and alarm systems.
Light control does not normally fully match this description.
If the product’s core functionality does not fully match any Annex III or Annex IV technical description, it will generally remain in the Default category.
However, the outcome may be different if the complete product documentation shows that internet-facing routing or an explicit security function forms part of its core functionality.
The report should not be submitted separately by each factory.
It should be submitted by the company or legal manufacturer responsible for placing the product on the EU market.
In practice, all factories should report relevant issues internally to one central product security or CRA responsible team.
This central team should:
Decide whether the case meets the CRA reporting requirements
Collect the required information
Prepare the notification
Submit it through the Single Reporting Platform
Coordinate any required communication to users
For reporting purposes, the relevant location is normally the manufacturer’s main establishment in the EU.
This generally means the establishment where the main cybersecurity decisions concerning the product are made. If this cannot be determined, it may be linked to the EU establishment with the highest number of employees.
The company should therefore have one central reporting owner and a clear internal escalation process covering all factories and sites.
The CRA does not require manufacturers to use one specific cybersecurity risk assessment methodology.
Manufacturers may select their own approach, provided that it enables them to document:
Risk identification
Risk analysis and evaluation
Risk treatment
The relationship between the identified risks and the CRA Essential Cybersecurity Requirements
The decisions made during the assessment
The risk assessment must support the obligations set out in CRA Article 13 and the technical documentation requirements in Annex VII.
Current sources of guidance include:
The European Commission’s CRA implementation FAQ, particularly the section explaining the required scope, outputs, and documentation
The Commission’s CRA guidance on cybersecurity risk assessment and risk treatment
BSI TR-03183-1, which provides a detailed, step-by-step risk assessment methodology structured around the CRA Annex I requirements
The developing prEN 40000-1-2 standard is expected to provide a structured risk-based compliance process. However, it should not be treated as one mandatory template that can be applied unchanged to every product.
Yes, they can fall within CRA scope.
The CRA defines a product with digital elements as a product whose intended purpose or reasonably foreseeable use includes a direct or indirect, logical or physical data connection to a device or network.
An internet connection or mobile application is therefore not required.
Linked smoke alarms that exchange data directly with each other can meet this definition because they have a direct connection to another device or network.
Whether the product is Default, Important, or Critical must then be assessed separately based on its core functionality.
Installing a custom operating system image will most likely require the distributor to assess whether it has taken on manufacturer obligations under the CRA.
There are two main situations in which a distributor becomes a manufacturer under CRA Article 21:
The distributor places the product on the market under its own name or trademark.
The distributor carries out a substantial modification to the product.
A substantial modification is a change that:
Affects compliance with the CRA Essential Cybersecurity Requirements, or
Changes the intended purpose for which the product was originally assessed
A custom operating system image can change:
Security configurations
Installed or removed software components
Default security settings
Network services
Update mechanisms
Permissions
Logging
The overall attack surface
These changes are likely to affect compliance with the CRA Essential Cybersecurity Requirements and may therefore qualify as a substantial modification.
Where the modification is substantial, the distributor becomes the manufacturer of the modified product and takes on the relevant CRA obligations.
These can include:
Cybersecurity risk assessment
Technical documentation
Conformity assessment
CE marking
Vulnerability handling
Security updates
Incident and vulnerability reporting
The distributor cannot rely only on the CRA compliance of Microsoft, a Linux distributor, or the original device manufacturer. Compliance must be assessed and demonstrated for the final configured product placed on the market.
The cloud provider is not the deciding factor.
What matters is whether the cloud or backend processing qualifies as a Remote Data Processing Solution, or RDPS.
The CRA includes an RDPS within the definition of a product with digital elements when the following conditions are met:
Data is processed at a distance, outside the user’s device or local environment.
The processing solution was designed or developed by, or under the responsibility of, the manufacturer.
Without that processing, the product could not perform one of its functions.
When these conditions are met, the backend forms part of the product with digital elements and must comply with the applicable CRA Annex I requirements.
An RDPS does not need to run on third-party public cloud infrastructure.
Remote processing can qualify as an RDPS when it runs on:
The manufacturer’s own servers
A private cloud
On-premises infrastructure
Infrastructure operated by another provider
Not using AWS, Azure, or Google Cloud does not create an exemption.
Standalone SaaS, PaaS, or IaaS services designed and developed independently of a specific product generally fall outside the CRA product definition. Other legislation, including NIS2, may still apply to these services.
Manufacturers must assess their backend systems against the RDPS criteria on a case-by-case basis. Where they qualify, they must be included within the product boundary, risk assessment, technical documentation, and conformity assessment.
For the CRA, the relevant point is the definition of a product with digital elements.
A product is within the general CRA scope when its intended purpose or reasonably foreseeable use includes a direct or indirect, logical or physical data connection to a device or network.
A multimedia controller communicating through Wi-Fi or Ethernet can therefore fall within CRA scope, even if the application protocol is Art-Net.
The specific protocol name does not determine whether the product is in scope.
For RED cybersecurity, a more detailed assessment is required.
The manufacturer must assess whether the radio equipment can communicate over the internet, either directly or through other equipment.
Using Art-Net does not automatically place the product outside RED cybersecurity scope. The manufacturer should review the complete connectivity architecture, including gateways, routers, remote control systems, and any possible internet access.
The default support period under the CRA is at least five years.
However, the manufacturer must also consider the foreseeable lifetime of the product.
A shorter period may be justified where the product is reasonably expected to be used for less than five years. A longer period is required where the product is expected to remain in use for longer.
The support period should consider:
The product’s intended purpose
Its expected operating lifetime
User expectations
The environment in which it is used
The availability of replacement products
The support periods of incorporated components
Dependencies on operating systems, applications, or external services
Relevant legal and contractual requirements
Products used in operational technology, industrial systems, building infrastructure, or other long-life environments may require a support period significantly longer than five years.
The selected support period should be justified in the risk assessment, documented in the technical documentation, and communicated to users.
One report can cover the same vulnerability across all affected product variants.
CRA Article 14 requires manufacturers to report actively exploited vulnerabilities contained in a product with digital elements. The notification must include general information about the products concerned.
The CRA does not require separate reports for every:
Color
SKU
Form factor
Commercial variant
If the same vulnerability affects both the card and ring because they share the same firmware, software, secure element, or other vulnerable component, one notification covering all affected variants is appropriate.
The notification should clearly identify all affected:
Product types
Models
Hardware versions
Firmware or software versions
If the card and ring use different firmware or security implementations and only one is affected, separate reporting may be appropriate because the products are technically different.
The manufacturer should list all affected variants explicitly in the notification. This allows the same report to cover the full affected product family without unnecessary duplicate submissions.
Yes. Cyberexpert is a cloud-based SaaS platform.
Users access it through a secure web interface where product information, assessments, requirements, and evidence are centrally managed.
This allows teams to:
Collaborate on compliance activities
Track progress
Manage product evidence
Maintain a consistent audit trail
Cyberexpert is designed as an extensible platform rather than a standalone AI application.
It can integrate with external services such as:
Identity providers
Vulnerability management systems
Document repositories
Enterprise compliance platforms
The expert answer confirms that external integrations are supported. The availability of a public API and specific integration options should be confirmed directly with the Cyberexpert team.
Consistency of outputs is supported through several layers:
Structured workflows
Deterministic assessment logic
Human expert review where required
A curated and controlled knowledge base
Standardized AI orchestration
Retrieval-Augmented Generation using controlled sources
Cyberexpert’s core value comes from its compliance logic and structured workflow. AI assists with the process, but outputs are grounded in controlled sources, product information, and defined assessment rules.
Yes.
A smart radio falls within CRA scope because its intended purpose includes a direct connection to a network.
The device initiates and maintains bidirectional IP communication. For example, it sends connection and session requests and receives audio stream data.
This constitutes a direct logical connection to a network.
The fact that the product’s main purpose is radio listening or media playback does not remove it from the CRA’s general scope.
Its classification as a Default, Important, or Critical product must be assessed separately based on its core functionality and the technical descriptions in Implementing Regulation (EU) 2025/2392.
Where the product uses Wi-Fi, Bluetooth, or another radio technology, it may also fall within the Radio Equipment Directive and require a separate RED cybersecurity assessment.
Product names and connectivity labels are not enough to determine RED or CRA obligations.
Manufacturers need to define the product boundary, document the product’s core functionality, identify every connectivity path, determine the applicable product category, and connect each compliance conclusion to technical evidence.
Cyberexpert helps manufacturers structure this work, identify applicable requirements, prepare evidence, and determine where expert review or formal conformity assessment is needed.
Start a free Cyberexpert assessment.
Related Articles