Artificial intelligence is transforming digital products, but where is the boundary between the Cyber Resilience Act and the EU AI Act? If your product incorporates AI or ML components, here is how to navigate these two major regulations.

1. Does the CRA apply to AI products?

Yes, if the AI product is a product with digital elements under the CRA. This includes software applications embedding ML models, IoT devices using on-device AI, SaaS platforms with generative AI features, and commercialized LLM APIs. However, an AI model distributed solely as a service (via API) without being integrated into a product may fall under different frameworks.

2. Relationship with the EU AI Act

The EU AI Act and the CRA are complementary but distinct: the AI Act regulates risks from the use of AI itself (transparency, human oversight, algorithmic bias), while the CRA regulates cybersecurity of the digital product that embeds or uses AI. An AI product may be subject to both regulations simultaneously.

3. CRA obligations specific to AI products

3.1 Training data security

The CRA requires products to be resilient against data corruption attempts. For AI products, this means protecting training datasets from poisoning, validating data pipeline integrity, and logging training data access.

3.2 Inference security

Attacks at inference time, including model extraction, must be addressed: protection against model stealing, adversarial attacks (inputs modified to deceive the model), and detection of abnormal API usage.

3.3 SBOM for AI components

The SBOM must include AI frameworks, libraries, and models used, with their respective versions and licenses. Pre-trained models must be traced with their source and exact version.
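As an added illustration of 3.1 (validating data pipeline integrity) and 3.3 (tracing pre-trained models with source and exact version), not code from the original article: a minimal Python manifest of AI components with pinned versions, licenses and SHA-256 hashes of the model and training-data artifacts, plus a verification step that flags a training set modified after it was recorded. The component fields, file names, URLs and version numbers are constructed assumptions, not a spec-conformant SBOM format.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a model or dataset file in chunks so large artifacts are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def ai_component(name, version, kind, source, license_id, artifact=None):
    """One manifest entry; an artifact hash pins the exact bytes of a model or dataset."""
    entry = {"name": name, "version": version, "type": kind,
             "source": source, "license": license_id}
    if artifact is not None:
        entry["artifact"] = str(artifact)
        entry["hashes"] = {"sha256": sha256_file(artifact)}
    return entry


def verify_artifacts(sbom):
    """Return names of components whose on-disk artifact no longer matches its recorded hash."""
    return [c["name"] for c in sbom["components"]
            if "artifact" in c and sha256_file(c["artifact"]) != c["hashes"]["sha256"]]


def demo():
    """Build a manifest from constructed files, then detect a modified training set."""
    work = Path(tempfile.mkdtemp())
    model = work / "classifier-1.2.0.bin"
    dataset = work / "train.csv"
    model.write_bytes(b"\x00constructed-weights\x00")         # stand-in for real weights (constructed)
    dataset.write_text("id,label\n1,benign\n2,malicious\n")   # constructed training data
    sbom = {"components": [                                   # assumed field names, not a standard schema
        ai_component("torch", "2.1.0", "library", "https://pypi.org/project/torch/", "BSD-3-Clause"),
        ai_component("classifier", "1.2.0", "machine-learning-model",
                     "https://models.example/classifier", "Apache-2.0", model),
        ai_component("train-set", "2024-01", "dataset", "s3://example-bucket/train", "proprietary", dataset),
    ]}
    before = verify_artifacts(sbom)                           # [] : every recorded hash matches
    dataset.write_text("id,label\n1,benign\n2,benign\n")      # a label changed outside the pipeline
    after = verify_artifacts(sbom)                            # ["train-set"] : integrity failure to log
    return before, after
```

Running the same check in CI before each training or release job turns the recorded hashes into evidence that can be shared across the CRA and AI Act audits mentioned below.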

4. Practical recommendations

  1. Cross-audit CRA / AI Act: Do not treat these regulations separately. Identify overlapping requirements and share evidence.
  2. Document AI pipelines: Traceability of data, models, and decisions is a common requirement.
  3. Plan for evolution: Both regulatory frameworks continue to evolve. The CRA / AI Act relationship will see further clarification in the coming years.

The boundary between product security (CRA) and AI ethics (AI Act) is sometimes blurred, but compliance with both is essential for bringing innovative AI products to the European market.