@cyberresilienceact.bsky.social
Digital product cybersecurity EU requirements explained

So, by EU CRA, incidents that happen to a product, like a device, affect its capability to protect its data and functions.
10.09.2025 15:41

“incident having an impact on the security of the product with digital elements” means an incident that negatively affects or is capable of negatively affecting the ability of a product with digital elements to protect the availability, authenticity, integrity or confidentiality of data or functions
What about incidents related to products with digital elements (by EU CRA)?
10.09.2025 15:38

In other words, 'incident' in the EU CRA is defined in the NIS2 Directive:
“incident” means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;
By EU CRA, “incident” means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;
10.09.2025 15:34

An incident is a security problem that requires action because it affects business operations or security objectives.
10.09.2025 15:32

Difference between events and incidents:
Event - Any observable occurrence (e.g., a login attempt, a server restart, an email received)
Incident - An event (or series of events) that causes harm or poses a significant threat (e.g., repeated failed logins → brute-force attack → confirmed compromise)
Said in a more formal way: An incident is a confirmed occurrence of a security event that negatively impacts (or poses a credible threat to) an organization's information systems, data, or services.
10.09.2025 15:27

The meaning of 'incident': in cybersecurity and IT operations, an incident means any event that:
a) Disrupts or has the potential to disrupt normal operations,
b) Threatens confidentiality, integrity, or availability of information, or
c) Violates security policies or acceptable use.
Gateways: Can be considered "products with digital elements" or components of "digital infrastructure".
Network servers: May be covered under NIS2 if offered as a critical service (e.g., in utility or smart city settings).
The LoRaWAN gateway and network server (e.g. ChirpStack, Actility) are also covered by EU CRA.
21.05.2025 16:47

But what about the LoRaWAN Gateway or Network Server?
21.05.2025 16:46

For example: A LoRaWAN temperature sensor that transmits data via a LoRa gateway to a cloud dashboard is "a product with digital elements" under EU CRA.
21.05.2025 16:46

From EU CRA-2-1: "This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network."
21.05.2025 16:45

Under Article 2, paragraph 1 of the EU CRA, such devices are considered products with digital elements, even if they do not directly connect to the internet and communicate only through gateways (as is common in LoRaWAN networks).
21.05.2025 16:44

Yes, LoRaWAN End-Nodes (devices such as sensors, actuators, or embedded controllers that use LoRaWAN to transmit or receive data) are subject to the EU Cyber Resilience Act (EU CRA) if they meet the definition of a “product with digital elements”.
21.05.2025 16:36

How does the EU CRA affect LoRaWAN End-Nodes? The ones that are beyond the gateway. Are they subject to the EU CRA?
21.05.2025 16:34

Definitions under Recommendation 2003/361/EC:
* Micro enterprise: <10 employees & ≤ €2M turnover/balance sheet
* Small enterprise: <50 employees & ≤ €10M turnover/balance sheet
* Medium enterprise: <250 employees & ≤ €50M turnover or ≤ €43M balance sheet
Source: eur-lex.europa.eu/legal-conten...
In other words, Recommendation 2003/361/EC is a European Commission recommendation that defines the categories of micro, small, and medium-sized enterprises (SMEs).
14.05.2025 10:56

“microenterprises”, “small enterprises” and “medium-sized enterprises” mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC;
What is the "Recommendation 2003/361/EC" mentioned in the EU CRA?
It is defined in paragraph 19 of Article 3 "Definitions" of CHAPTER I "GENERAL PROVISIONS"
We can expect here that "the same specifications" must be available as proper documentation from the company that provides and distributes the spare parts.
14.05.2025 10:51

The EU CRA does not apply to spare parts that are made available on the market to replace identical components in products with digital elements and that are manufactured according to the same specifications as the components that they are intended to replace.
In this case, heat pump makers are device manufacturers offering a cloud-enabled service (sometimes called productized SaaS), not dedicated SaaS providers like Microsoft or Salesforce. But their SaaS component still falls under CRA requirements for cybersecurity and secure development practices.
14.05.2025 10:34

Here's the breakdown:
14.05.2025 10:32

An example: If a heat pump manufacturer offers an Azure-based cloud application for users to remotely monitor or adjust heating, they are not strictly a SaaS company in the traditional sense, but they are offering a SaaS component as part of their connected product ecosystem.
14.05.2025 10:31

But what does the EU CRA say about cloud services provided by a device manufacturer?
14.05.2025 10:31

Directive (EU) 2022/2555 (NIS2) does apply to cloud computing services, regardless of whether they operate under IaaS, PaaS, or SaaS models.
While NIS2 focuses on service providers, the EU CRA complements it by regulating the security of digital products used in those services.
While NIS2 focuses on the operational security of essential and important entities, the EU CRA targets the cybersecurity of products with digital elements (hardware & software). But they overlap.
14.05.2025 10:12