Towards clear guidance for remote data processing solutions under the CRA

Executive summary
The Cyber Resilience Act (CRA) presents a critical step towards a high level of cybersecurity across the Union. Its success, however, depends on effective implementation. Uncertainty remains amongst manufacturers – those that must comply with, and implement, the CRA – regarding the extent to which cloud solutions will fall within its scope. The forthcoming CRA guidance must urgently provide clarity on this long-debated question.

To ensure the CRA imposes manageable obligations, the following boundaries should be considered:

• Cloud solutions should be in scope of the CRA only if they qualify as a remote data processing solution integrated into a product with digital elements. To be considered as such, the cloud solution must be: 1) essential for the functions of the product; and 2) designed, developed and applied by (or on behalf of) the manufacturer.
• The scope of remote data processing solutions should be limited to bidirectional data exchanges directly enhancing product functions with a remote processing capability. It would, thereby, exclude services solely receiving or transmitting data, or not interacting directly with a product to enable one or more of its functions.
• General-purpose cloud services that are not specifically designed and developed on behalf of a manufacturer of products with digital elements should be explicitly excluded from the scope of the CRA. Such services do not meet the criteria of remote data processing solutions, and are typically subject to the NIS2 Directive, obliging a high level of cybersecurity.