Source: OJ L 2024/2847, 20.11.2024Current language: EN
- Cyber resilience for products with digital elements
Basic legislative acts
- CRA regulation
Article 5 Procurement or use of products with digital elements
Summary What does Article 5 of the Cyber Resilience Act say?
This article addresses the relationship between the Regulation and the powers of Member States, making clear that the Regulation does not act as a ceiling on cybersecurity requirements.
Member States retain the freedom to impose additional cybersecurity conditions on products with digital elements when procuring or using them for specific purposes, such as national security or defence, as long as those additional requirements are consistent with Union law and are necessary and proportionate.
The article also touches on public procurement, directing Member States to factor in compliance with the essential cybersecurity requirements of the Regulation — including a manufacturer's ability to handle vulnerabilities — when procuring products with digital elements covered by the Regulation.
Important points:
- Member States may impose additional cybersecurity requirements beyond this Regulation for specific procurement or use purposes, including national security and defence, provided those requirements are consistent with Union law and are necessary and proportionate.
- Member States are required to ensure that compliance with the essential cybersecurity requirements of Annex I is taken into consideration during public procurement processes.
- The procurement obligation explicitly includes assessing manufacturers' ability to handle vulnerabilities effectively.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
This Regulation shall not prevent Member States from subjecting products with digital elements to additional cybersecurity requirements for the procurement or use of those products for specific purposes, including where those products are procured or used for national security or defence purposes, provided that such requirements are consistent with Member States’ obligations laid down in Union law and that they are necessary and proportionate for the achievement of those purposes.
Without prejudice to Directives 2014/24/EU and 2014/25/EU, where products with digital elements that fall within the scope of this Regulation are procured, Member States shall ensure that compliance with the essential cybersecurity requirements set out in Annex I to this Regulation, including the manufacturers’ ability to handle vulnerabilities effectively, are taken into consideration in the procurement process.
Relevant recitals
Recital 13 Member states' ability to impose additional requirements
In line with the objective of this Regulation to remove obstacles to the free movement of products with digital elements, Member States should not impede, for the matters covered by this Regulation, the making available on the market of products with digital elements which comply with this Regulation. Therefore, for matters harmonised by this Regulation, Member States cannot impose additional cybersecurity requirements for the making available on the market of products with digital elements. Any entity, public or private, can however establish additional requirements to those laid down in this Regulation for the procurement or use of products with digital elements for its specific purposes, and can therefore choose to use products with digital elements that meet stricter or more specific cybersecurity requirements than those applicable for the making available on the market under this Regulation. Without prejudice to Directives 2014/24/EU(7) and 2014/25/EU(8) of the European Parliament and of the Council, when procuring products with digital elements, which must comply with the essential cybersecurity requirements laid down in this Regulation, including those relating to vulnerability handling, Member States should ensure that such requirements are taken into consideration in the procurement process and that the manufacturers’ ability to effectively apply cybersecurity measures and manage cyber threats are also taken into consideration. Furthermore, Directive (EU) 2022/2555 sets out cybersecurity risk-management measures for essential and important entities as referred to in Article 3 of that Directive that could entail supply chain security measures that require the use by such entities of products with digital elements meeting stricter cybersecurity requirements than those laid down in this Regulation. In accordance with Directive (EU) 2022/2555 and in line with its minimum harmonisation principle, Member States can therefore impose additional cybersecurity requirements for the use of information and communications technology (ICT) products by essential or important entities pursuant to that Directive in order to ensure a higher level of cybersecurity, provided that such requirements are consistent with Member States’ obligations laid down in Union law. Matters not covered by this Regulation can include non-technical factors relating to products with digital elements and the manufacturers thereof. Member States can therefore lay down national measures, including restrictions on products with digital elements or suppliers of such products that take account of non-technical factors. National measures relating to such factors are required to comply with Union law.
Recital 14 Without prejudice to national security
This Regulation should be without prejudice to the Member States’ responsibility for safeguarding national security, in compliance with Union law. Member States should be able to subject products with digital elements that are procured or used for national security or defence purposes to additional measures, provided that such measures are consistent with Member States’ obligations laid down in Union law.
Recital 26 Exemptions for national security
Products with digital elements that are developed or modified exclusively for national security or defence purposes or products that are specifically designed to process classified information fall outside the scope of this Regulation. Member States are encouraged to ensure the same or a higher level of protection for those products as for those falling within the scope of this Regulation.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
vulnerability
Definition
component
Definition
cyber threat
Definition
cybersecurity
Definition
manufacturer
Definition
making available on the market
Definition
product with digital elements
Definition
remote data processing
Definition
electronic information system
Definition
hardware
Definition
software
Footnote 7
Footnote 8