@cyberresilienceact.bsky.social
Digital product cybersecurity EU requirements explained
Gateways: Can be considered "products with digital elements" or components of "digital infrastructure".
Network servers: May be covered under NIS2 if offered as a critical service (e.g., in utility or smart city settings).
The LoRaWAN gateway and network server (e.g. ChirpStack, Actility) are also covered by EU CRA.
21.05.2025 16:47 - But what about the LoRaWAN Gateway or Network Server?
21.05.2025 16:46 - For example: A LoRaWAN temperature sensor that transmits data via a LoRa gateway to a cloud dashboard is "a product with digital elements" under EU CRA.
21.05.2025 16:46 - From EU CRA-2-1: "This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network."
21.05.2025 16:45 - Under Article 2, paragraph 1 of the EU CRA, such devices are considered products with digital elements, even if they do not directly connect to the internet and communicate only through gateways (as is common in LoRaWAN networks).
21.05.2025 16:44 - Yes, LoRaWAN End-Nodes (devices such as sensors, actuators, or embedded controllers that use LoRaWAN to transmit or receive data) are subject to the EU Cyber Resilience Act (EU CRA) if they meet the definition of a "product with digital elements".
21.05.2025 16:36 - How does the EU CRA affect LoRaWAN End-Nodes? The ones that are beyond the gateway. Are they subject to the EU CRA?
21.05.2025 16:34 - Definitions under Recommendation 2003/361/EC:
* Micro enterprise: <10 employees & ≤ €2M turnover/balance sheet
* Small enterprise: <50 employees & ≤ €10M turnover/balance sheet
* Medium enterprise: <250 employees & ≤ €50M turnover or ≤ €43M balance sheet
Source: eur-lex.europa.eu/legal-conten...
In other words, Recommendation 2003/361/EC is a European Commission recommendation that defines the categories of micro, small, and medium-sized enterprises (SMEs).
14.05.2025 10:56 - "microenterprises", "small enterprises" and "medium-sized enterprises" mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC;
What is the "Recommendation 2003/361/EC" mentioned in the EU CRA?
It is defined in paragraph 19 of Article 3 "Definitions" of CHAPTER I "GENERAL PROVISIONS".
We can expect here that "the same specifications" must be available as proper documentation from the company that provides and distributes the spare parts.
14.05.2025 10:51 - The EU CRA does not apply to spare parts that are made available on the market to replace identical components in products with digital elements and that are manufactured according to the same specifications as the components that they are intended to replace.
In this case, heat pump makers are device manufacturers offering a cloud-enabled service (sometimes called productized SaaS), not dedicated SaaS providers like Microsoft or Salesforce. But their SaaS component still falls under CRA requirements for cybersecurity and secure development practices.
14.05.2025 10:34 - Here's the breakdown:
14.05.2025 10:32 - An example: If a heat pump manufacturer offers an Azure-based cloud application for users to remotely monitor or adjust heating, they are not strictly a SaaS company in the traditional sense, but they are offering a SaaS component as part of their connected product ecosystem.
14.05.2025 10:31 - But what does the EU CRA say about cloud services provided by a device manufacturer?
14.05.2025 10:31 - Directive (EU) 2022/2555 (NIS2) does apply to cloud computing services, regardless of whether they operate under IaaS, PaaS, or SaaS models.
While NIS2 focuses on service providers, the EU CRA complements it by regulating the security of digital products used in those services.
While NIS2 focuses on the operational security of essential and important entities, the EU CRA targets the cybersecurity of products with digital elements (hardware & software). But they overlap.
14.05.2025 10:12 - Key Points: Cloud providers are critical digital infrastructure. They must implement risk management measures, conduct incident reporting, and coordinate with national authorities. The requirements apply to IaaS, PaaS, and SaaS models. It also applies to non-EU cloud provider services within the EU.
14.05.2025 08:47 - According to Annex I, Section 8 of the Directive: "Providers of cloud computing services, data center services, and content delivery network services" are considered essential entities under NIS2, meaning they are subject to the directive's strictest cybersecurity requirements.
14.05.2025 08:44 - Does NIS2 Apply to Cloud Computing Services? Yes. NIS2 explicitly applies to providers of cloud computing services.
14.05.2025 08:44 - As a side note, NIS2 must be transposed into the national law of EU governments by October 17, 2024. So far, the progress has been lacking, unfortunately: www.twobirds.com/en/trending-...
14.05.2025 08:40 - Directive (EU) 2022/2555 is the Network and Information Security Directive (NIS2), which came into force on January 16, 2023. It replaces the original NIS Directive (2016) and introduces stronger cybersecurity requirements for a broader range of sectors, including cloud computing services.
14.05.2025 08:37 - In the EU CRA, "cloud" is mentioned only in paragraph 12: "Cloud solutions constitute remote data processing solutions within the meaning of this Regulation only if they meet the definition laid down in this Regulation. ..." In the same paragraph, "Directive (EU) 2022/2555" is mentioned. What is it?
Businesses Should Take a Lifecycle Approach to Device Security - Infosecurity Magazine www.infosecurity-magazine.com/opinions/bus...
11.05.2025 10:04 - To conclude: XSS is primarily a browser-based threat, but any device with a web interface is at risk. IoT, industrial, and consumer devices often expose web UIs that may be poorly secured. Device manufacturers should follow secure coding practices: input validation, output escaping, CSP headers, etc.
09.05.2025 13:02 - Devices only accessed through CLI or secure APIs (e.g., over SSH or MQTT) typically aren't vulnerable to XSS (but may have other vulnerabilities like command injection).
09.05.2025 12:47