Art. 9 CRA – General Product Safety
Relationship to the General Product Safety Regulation (GPSR)
The Cyber Resilience Act (CRA) is lex specialis for cybersecurity requirements of products with digital elements. Products that comply with the CRA essential cybersecurity requirements (Annex I) are deemed to comply with the cybersecurity aspects of the General Product Safety Regulation (EU) 2023/988 (GPSR).
LEGAL BASIS
Art. 9 CRA: Products with digital elements that comply with the essential requirements laid down in Annex I shall be deemed to comply with the cybersecurity requirements of Regulation (EU) 2023/988 (GPSR).
Recital 28: The CRA complements existing Union product safety legislation and is coherent with the GPSR, the Machinery Regulation, the Radio Equipment Directive, and sector-specific legislation.
The GPSR continues to apply in full for all non-cybersecurity safety aspects. The CRA does not replace existing EU product legislation but complements it with specific cybersecurity requirements.
Delineation Table: CRA and Other EU Product Legislation
| Legislation | Subject Matter | Relationship to CRA |
|---|---|---|
| CRA (EU) 2024/2847 | Cybersecurity requirements for products with digital elements | Lex specialis for cybersecurity |
| GPSR (EU) 2023/988 | General product safety for consumer products | CRA compliance (Annex I) covers cybersecurity aspects |
| RED 2014/53/EU | Radio equipment (Art. 3(3)(d)(e)(f)) | Delegated acts to be aligned with CRA requirements |
| Machinery Regulation (EU) 2023/1230 | Machinery safety | CRA complements; machinery safety remains separate |
| Medical Devices (EU) 2017/745 | Medical devices | Exempt from CRA (Art. 2(2)) |
| Motor Vehicles (EU) 2019/2144 | Vehicle type-approval | Exempt from CRA (Art. 2(2)) |
| Aviation (EU) 2018/1139 | Aviation safety | Exempt from CRA (Art. 2(2)) |
NO DOUBLE REGULATION
The CRA is designed not to duplicate existing sector-specific EU legislation. Products already subject to sector-specific cybersecurity requirements (medical devices, motor vehicles, aviation) are exempt from the CRA. For all other products, the CRA complements existing safety legislation with the cybersecurity dimension.
Practical Implications for BAUER GROUP
Principle
CRA compliance covers cybersecurity requirements exclusively. All other product safety requirements (mechanical safety, electrical safety, EMC, etc.) remain governed by the respective sector-specific legislation.
Product-Specific Scenarios
| Product Type | Applicable Legislation | Note |
|---|---|---|
| IoT devices (e.g. sensors with radio) | CRA + potentially RED | Art. 3(3) RED delegated acts to be aligned with CRA |
| Industrial controllers (PLC, HMI) | CRA + potentially Machinery Regulation | Cybersecurity via CRA, functional safety via Machinery Regulation |
| Software products | CRA + potentially GPSR | CRA compliance satisfies GPSR cybersecurity aspects |
| Medical devices | Only MDR – CRA not applicable | Fully exempt per Art. 2(2) |
Next Steps
- Classify products under both CRA and applicable sector-specific legislation
- Identify compliance gaps between CRA and existing product conformity
- Develop an integrated conformity strategy covering all applicable regulations
Full overview of CRA exemptions and scope: Scope