EU CRA explained
cyberresilienceact.bsky.social
Digital product cybersecurity EU requirements explained
So, by EU CRA, incidents that happen to a product, like a device, affect its capability to protect its data and functions.
September 10, 2025 at 3:41 PM
‘incident having an impact on the security of the product with digital elements’ means an incident that negatively affects or is capable of negatively affecting the ability of a product with digital elements to protect the availability, authenticity, integrity or confidentiality of data or functions
September 10, 2025 at 3:38 PM
What about incidents related to products with digital elements (by EU CRA)?
September 10, 2025 at 3:38 PM
In other words, 'incident' in the EU CRA is defined in the NIS2 Directive:

‘incident’ means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;
September 10, 2025 at 3:36 PM
By EU CRA, ‘incident’ means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;
September 10, 2025 at 3:34 PM
An incident is a security problem that requires action because it affects business operations or security objectives.
September 10, 2025 at 3:32 PM
Difference between events and incidents:

Event - Any observable occurrence (e.g., a login attempt, a server restart, an email received)

Incident - An event (or series of events) that causes harm or poses a significant threat (e.g., repeated failed logins → brute-force attack → confirmed compromise)
September 10, 2025 at 3:31 PM
Saying it in a more formal way: An incident is a confirmed occurrence of a security event that negatively impacts (or poses a credible threat to) an organization’s information systems, data, or services.
September 10, 2025 at 3:27 PM
Gateways: Can be considered "products with digital elements" or components of "digital infrastructure".

Network servers: May be covered under NIS2 if offered as a critical service (e.g., in utility or smart city settings).
May 21, 2025 at 4:56 PM
The LoRaWAN gateway and network server (e.g. ChirpStack, Actility) are also covered by EU CRA.
May 21, 2025 at 4:47 PM
But what about the LoRaWAN Gateway or Network Server?
May 21, 2025 at 4:46 PM
For example: A LoRaWAN temperature sensor that transmits data via a LoRa gateway to a cloud dashboard is "a product with digital elements" under EU CRA.
May 21, 2025 at 4:46 PM
From EU CRA-2-1: "This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network."
May 21, 2025 at 4:45 PM
Under Article 2, paragraph 1 of the EU CRA, such devices are considered products with digital elements, even if they do not directly connect to the internet and communicate only through gateways (as is common in LoRaWAN networks).
May 21, 2025 at 4:44 PM
Yes, LoRaWAN End-Nodes — devices such as sensors, actuators, or embedded controllers that use LoRaWAN to transmit or receive data — are subject to the EU Cyber Resilience Act (EU CRA) if they meet the definition of a “product with digital elements”.
May 21, 2025 at 4:36 PM
Definitions under Recommendation 2003/361/EC:
* Micro enterprise: <10 employees & ≤ €2M turnover/balance sheet
* Small enterprise: <50 employees & ≤ €10M turnover/balance sheet
* Medium enterprise: <250 employees & ≤ €50M turnover or ≤ €43M balance sheet

Source: eur-lex.europa.eu/legal-conten...
EUR-Lex - 32003H0361 - EN - EUR-Lex
eur-lex.europa.eu
May 14, 2025 at 10:59 AM
In other words, Recommendation 2003/361/EC is a European Commission recommendation that defines the categories of micro, small, and medium-sized enterprises (SMEs).
May 14, 2025 at 10:56 AM
‘microenterprises’, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC;
May 14, 2025 at 10:55 AM
We can expect here that "the same specifications" must be available as proper documentation from the company that provides and distributes the spare parts.
May 14, 2025 at 10:51 AM
In this case, heat pump makers are device manufacturers offering a cloud-enabled service (sometimes called productized SaaS), not dedicated SaaS providers like Microsoft or Salesforce. But their SaaS component still falls under CRA requirements for cybersecurity and secure development practices.
May 14, 2025 at 10:34 AM
Here's the breakdown:
May 14, 2025 at 10:32 AM