Alert: Feedback open for Cyber resilience Act technical description draft regulations

There are more cybersecurity regulations in the horizon – this time for products with digital elements in them.

On 13 March 2025, the European Commission published draft implementing regulations relating to the specific technical descriptions of the important and critical categories of products with digital elements (PEDs). Important or critical PEDs may be subject to more stringent obligations regarding conformity assessment procedures.

You can read our FAQs on the Cyber Resilience Act at EU Cyber Resilience Act | FAQs, which provide some examples of important and critical products.

The draft is open for feedback until 15 April 2025, midnight Brussels time. The link to view the draft regulation and to provide feedback can be found here: Technical description of important and critical products with digital elements.

Annex I of this draft lists the technical descriptions of 19 categories of Class I Important PEDs; and 4 categories of class II PEDs. Annex II lists the technical descriptions of 3 categories of Critical PEDs.

Some points that may be of interest:

• PEDs such as biometric readers, single sign-on software, and multi-factor authentication (MFA) software is likely to fall under category 1, class I of Important PEDS: Identity management systems and privileged access management software and hardware.
• Smart home products are elaborated upon in this draft. For example, Smart home general purpose virtual assistants are described as: internet-connected products with digital elements that process natural language prompts allowing users to interact with the assistant and control connected devices in residential settings.
• PEDs with the function of VPN are described as PEDs that enable access to a restricted-use logical computer network that is constructed from the system resources of a physical or virtual network, typically implemented at layer 3 of the OSI reference model, including cases where products are ultimately intended to provide access from a restricted-use logical computer network to the public internet.

Anyone producing, reselling or distributing PEDs may want to look through the proposals to make sure that they are ready for the new legislation.