On November 28, 2025, the European Commission adopted a regulation implementing the Cyber Resilience Act (‘CRA’) – an EU-wide law which lays down cybersecurity requirements for companies that design and sell ‘products with digital elements’ (‘PDEs’). PDEs can take many forms, including IoT devices, hardware components, and certain software.
The CRA imposes cybersecurity obligations in connection with all in-scope PDEs, although it categorizes them according to risk. The majority of PDEs fall within a ‘default’ (lowest risk) category, but the implementing regulation clarifies which PDEs fall within ‘important’ and ‘critical’ categories. PDEs falling within those latter categories are subject to more stringent rules on conformity assessment – the legal procedure that the manufacturer must follow to demonstrate that the PDE is compliant with the essential requirements of the CRA.
For example, the new regulation clarifies that:
- ‘Smart home general purpose virtual assistants’ referenced in the ‘important class I’ category of the CRA include PDEs whose core functionality is to ‘communicate on the public Internet, [and] process demands, tasks or questions based on natural language prompts, such as through audio or written input, and that […] provide access to other services or control the functions of connected devices in residential setting.’ Examples include smart speakers with an integrated virtual assistant, and standalone virtual assistants.
- ‘Firewalls’ listed in the ‘important class II’ category of the CRA include PDEs whose core functionality is to ‘protect a connected network or system from unauthorized access by monitoring and restricting data communication traffic to and from that network.’ Examples include network firewalls and application firewalls such as web application firewalls or filters and anti-spam gateways.
- ‘Hardware devices with security boxes’, which constitute a ‘critical’ category of the CRA, include PDEs whose core functionality is to ‘securely store, process, or manage sensitive data or perform cryptographic operations, and that consist of multiple discrete components, incorporating a hardware physical envelope providing tamper evidence, resistance or response as countermeasures against physical attack.’ Examples include physical payment terminals and hardware security modules that generate and manage cryptographic elements.
The implementing regulation contains similar descriptions and examples for other categories of PDEs, such as connected toys, wearable health monitors, and password managers.
Manufacturers selling PDEs on the EU market should review the implementing regulation now to determine the category or categories into which their products fall, so that they can understand the obligations with which they will need to comply. For more information on the CRA and its obligations, please see our advisory published here.
