The Cybersecurity Coalition submitted comments to the European Commission’s open consultation on its draft Implementing Regulation on the technical description of the categories of important and critical products with digital elements pursuant to Regulation (EU) 2024/2847 of the European Parliament and of the Council (“Implementing Regulation”).
The Implementing Regulation provides the technical descriptions for categories of “important” and “critical” Products with Digital Elements (PDEs) as defined in Annexes III and IV of Regulation (EU) 2024/2847 (i.e., Cyber Resilience Act (CRA)). According to Article 7(1) of the CRA, manufacturers of “important” PDEs will be subject to the conformity assessment procedures for the product referred to in Article 32(2) and (3). Meanwhile, according to Article 8(1), manufacturers of “critical” PDEs could be required to obtain a European cybersecurity certificate for the product under a European cybersecurity certification scheme pursuant to Regulation (EU) 2019/881 (i.e., Cybersecurity Act (CSA)).
The Coalition and its member companies have actively engaged with the European Commission and other relevant European institutions throughout the development of the CRA. In May 2022, the Coalition submitted comments to the Directorate‑General for Communications Networks, Content and Technology’s (DG CONNECT) open consultation, advocating for harmonisation of the CRA with global regulations and standards and for a more targeted scope. Similarly, in February 2023, we submitted comments to the Commission’s Request for Feedback on the CRA, advocating for clarity and harmonisation of incident reporting requirements and for a focus on mitigating known exploited third-party vulnerabilities among other key priorities.
In the comments on the Implementing Regulation, the Coalition expresses concerns about the Commission’s definition of a PDE's “core functionality.” As written, both the CRA and the Implementing Regulation are ambiguous, allowing a single PDE to possess multiple core functionalities. This would require manufacturers to comply with the requirements for multiple categories, potentially leading to redundant compliance actions when requirements overlap. This issue becomes even more complex when one PDE is integrated into another. To address this, the Coalition recommends that the Commission clarify that each PDE should be classified under one category only, and that additional, non-core functionalities should not subject a PDE to the requirements of other categories.
Furthermore, the Coalition suggests removing the language stating that a PDE’s core functionalities are determined by "reasonably foreseeable use." This phrase introduces further ambiguity regarding which requirements apply to a particular PDE, contradicting the European Commission’s broader simplification efforts under President Ursula von der Leyen.
The Coalition also detailed several technical concerns regarding the definitions of the following categories of PDEs as described in the Implementing Regulation's Annex:
“Important” PDEs
- Identity management systems and privileged access management software and hardware, including authentication and access control readers, including biometric readers
- Standalone and embedded browsers
- Password managers
- Software that searches for, removes, or quarantines malicious software
- Products with digital elements with the function of virtual private network (VPN)
- Network management systems
- Security information and event management (SIEM) systems
- Boot managers
- Public key infrastructure and digital certificate issuance software
- Operating systems
- Routers, modems intended for the connection to the internet, and switches
“Critical” PDEs
- Hypervisors and container runtime systems that support virtualized execution of operating systems and similar environments
- Firewalls, intrusion detection and prevention systems
- Tamper-resistant microprocessors