CRA and Friends: How It Plays with GDPR, NIS2, and the AI Act
The Cyber Resilience Act doesn't live in a bubble. If you're making software, you're likely juggling other EU rules. Here's a quick rundown of how the CRA fits in.
GDPR (General Data Protection Regulation)
The CRA and GDPR are complementary. By making your software more secure by default (as required by the CRA's Annex I, Part I, e.g. points 2d, 2e and 2g), you're also helping protect personal data, which is a core GDPR principle (Recital 32). Think of the CRA as boosting the "security of processing" part of GDPR for your actual product. The supervisory authorities under both laws will also cooperate with each other (Article 52 Paragraph 7).
NIS2 Directive
NIS2 focuses on the cybersecurity of essential and important entities (like energy, transport, digital infrastructure providers). The CRA helps these entities by ensuring the software products they buy and use are more secure from the start (Recital 24). So, if your software is used by a company covered by NIS2, your CRA compliance helps them meet their own obligations.
AI Act
If your software product with digital elements is also a high-risk AI system under the AI Act, you'll need to navigate both. Good news: complying with the CRA's essential cybersecurity requirements (Annex I) is considered to help meet the AI Act's own cybersecurity requirements (Article 12 Paragraph 1; Recital 51). For conformity assessment (proving you meet the rules), it gets specific. Generally, the AI Act's assessment methods apply. However, if your AI system is also an "important" or "critical" product under the CRA, then the CRA's assessment procedures take precedence for the CRA's cybersecurity requirements (Article 12 Paragraphs 2, 3).
Key Takeaway
The takeaway? These laws aim to work together. Strong security under CRA can support your compliance elsewhere.