Products with digital elements

According to Article 3(1) of the EU's Cyber Resilience Act (CRA), it is any software or hardware product and its remote data processing solutions, whose intended or reasonably foreseeable use includes a direct or indirect data connection to a device or network. This broad definition covers all connected devices, from smart home appliances and IIoT equipment to software or hardware components sold separately.

The EU Cyber Resilience Act (CRA) has extraterritorial effect, meaning any product sold in the EU market must meet its cybersecurity requirements and bear the CE marking. For an export-oriented economy like Taiwan, non-compliance can lead to severe fines of up to €15 million or 2.5% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Products may also be banned, withdrawn, or recalled, resulting in a complete loss of access to the EU market and significant supply chain disruptions.

The primary regulation is the EU's Cyber Resilience Act (CRA). To meet its requirements, companies can implement related standards as a compliance framework, such as: ISO/IEC 27001 for an overall Information Security Management System (ISMS); the IEC 62443 series for industrial automation and control systems (especially IEC 62443-4-1 for secure product development lifecycle requirements, which aligns closely with CRA's secure-by-design principles); and ISO/IEC 27034 for application security.

Winners Consulting is Taiwan's first firm to integrate ERM, industrial engineering, technology law, and data science. Our founder has a background in preventive law, and our team includes tech lawyers, ISO Lead Auditors, and AI experts. We help clients seamlessly integrate CRA compliance into existing ISO management systems, corporate governance, and internal controls, avoiding redundant efforts. With extensive experience advising semiconductor leaders like TSMC and MediaTek, we provide the most effective compliance path for your products.