Is Your App a "Product with Digital Elements" Under the CRA?
Let's clarify this straight away. The EU Cyber Resilience Act (CRA) hinges on the term "product with digital elements" (PDE). Does your app—whether mobile, web, or desktop—fit this description?
Understanding the Definition
According to the CRA, a PDE is "a software or hardware product and its remote data processing solutions...the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network" (Article 3, Point 1).
For your app, consider:
- Does it connect to the internet for updates?
- Does it use APIs to fetch or send data?
- Does it have user accounts that authenticate against a server?
- Does it offer features that require any form of network communication?
- Is it software that runs on a device that itself connects to the internet?
If the answer is yes to any of these, your app is almost certainly a PDE under the CRA. This includes everything from complex SaaS platforms to mobile apps with simple online features or even desktop software that checks for updates.
Software as a PDE
The CRA explicitly states that "software...including software or hardware components being placed on the market separately" falls under the definition (Article 3, Point 1). So, your application, being software, is directly in scope.
Remote Data Processing Solutions
If your app relies on backend services you provide (e.g., for user data storage, core functionality), these "remote data processing solutions" are also considered part of your PDE, provided their absence would stop the app from performing one of its functions and you designed/developed them (Article 3, Point 2).
Key Takeaway
Virtually all modern mobile, web, and desktop applications that have any form of direct or indirect network connectivity will be classified as "products with digital elements" under the CRA. This triggers the Act's requirements for secure design, development, and lifecycle management.