The AI Act and the CRA. What is the relationship between them?

12.8.2025 | Autor: Peter Čičala

The Relationship Between the AI Act and the CRA: How New EU Regulations Link the Cybersecurity of Digital Products to Artificial Intelligence Regulation. One Goal – Two Regulations.


Reason and Objective of Adopting the CRA

In late 2024, Regulation (EU) 2024/2847 of the European Parliament and of the Council, known as the Cyber Resilience Act (hereinafter “CRA”), was adopted. Its main objective is to establish a regulatory framework for the development and placing on the EU single market of secure products with digital components, thereby minimizing the number of cyber vulnerabilities and strengthening manufacturers’ responsibility throughout the entire lifecycle of these products.

The CRA complements the existing horizontal legislative frameworks in the field of cybersecurity, which address systemic issues (e.g., the security of supply chains or of network and information systems) but do not contain explicit cybersecurity requirements for digital products as such. These instruments include, in particular:

  • Regulation (EU) 2019/881 on ENISA and cybersecurity certification (the so-called Cybersecurity Act),
  • Directive (EU) 2022/2555 (NIS 2) on measures to ensure a high common level of cybersecurity in the Union.

The adoption of the CRA therefore represents a logical legislative extension of the existing framework and significantly strengthens the protection of both end-users and operators of digital solutions.

What is the nature of the relationship between the AI Act and the CRA?

It is less well known in legal practice that the CRA and the AI Act (Regulation (EU) 2024/1689 of the European Parliament and of the Council) are interconnected, not only substantively but also legislatively: both regulations explicitly refer to one another, specifically in order to ensure the cybersecurity of high-risk AI systems.

The AI Act imposes strict requirements on high-risk artificial intelligence systems, including technical and organizational security. According to Article 15(1) of the AI Act, these systems must be designed and developed so that they “achieve an appropriate level of accuracy, robustness, and cybersecurity, and that they perform consistently in those respects throughout their lifecycle.” Article 15(5) then spells out the cybersecurity component: high-risk AI systems must be resilient against attempts by unauthorized third parties to alter their use, outputs, or performance by exploiting system vulnerabilities, while the technical solutions used to ensure this must be appropriate to the relevant circumstances and risks.

The relationship between the CRA and the AI Act can best be explained by answering the question, “How can the provider of a high-risk AI system demonstrate that the system complies with the cybersecurity requirements of Article 15 of the AI Act?” The AI Act offers two routes:

  1. Through compliance with the Cybersecurity Act (certification or a statement of conformity under a European cybersecurity certification scheme), or
  2. Through compliance with the CRA (Cyber Resilience Act).

Compliance of high-risk AI systems with the CRA? How is this achieved?

Article 12 of the CRA is relevant in this case. Pursuant to it, a product with digital elements that is classified as a high-risk AI system is deemed to comply with the cybersecurity requirements of Article 15 of the AI Act (without prejudice to the accuracy and robustness requirements of that Article, which must still be met separately) if:

  • it meets the essential cybersecurity requirements set out in Part I of Annex I to the CRA;
  • the processes implemented by the manufacturer/provider are in accordance with the essential cybersecurity requirements set out in Part II of Annex I to the CRA,

whereby the level of cybersecurity protection required under Article 15 of the AI Act must be demonstrated in an EU declaration of conformity issued under the CRA.

However, for the above rules to apply, the high-risk AI system must fall within the scope of the CRA, i.e. it must be a product with digital elements within the meaning of the CRA. A high-risk AI system that is not such a product (for example, a service that is not placed on the market as a product with digital elements) cannot rely on this route and must demonstrate compliance with Article 15 of the AI Act in another way.

The linkage between the AI Act and the CRA thus ensures that artificial intelligence systems that also fall under the CRA regulatory framework are subject to a comprehensive and unified cybersecurity regime, without duplication of conformity assessment. At the same time, however, this rule must not lead to a reduction in the level of security safeguards established for important and critical products with digital elements under the CRA; for those products, the CRA's own conformity assessment procedures continue to apply as far as its essential cybersecurity requirements are concerned.

Compliance with cybersecurity requirements under the CRA = compliance with cybersecurity requirements under the AI Act

Conclusion: One compliance – two regulations

The interconnection between the CRA and the AI Act creates synergy between the cybersecurity of digital products and the regulation of artificial intelligence. Compliance with the CRA = compliance with the cybersecurity requirements of Article 15 of the AI Act, provided the conditions set forth by law are met (the system is a product with digital elements, both Parts of Annex I to the CRA are fulfilled, and the required level of protection is demonstrated in the EU declaration of conformity issued under the CRA).

This harmonization significantly reduces the regulatory burden and increases legal certainty for manufacturers of high-risk AI systems, particularly in technologically complex cases where AI and cybersecurity form an inseparable whole.


Peter Čičala


He studied at the Faculty of Law of Trnava University in Trnava, where he successfully completed his master’s degree in 2024 by passing the state examination in civil, criminal, and labor law, along with the defense of his master’s thesis on the topic “Procedural and Other Aspects of Detecting Corruption Offenses.” During his studies, he worked at the Slovak Environmental Agency as a project manager within the Recovery Plan, where he primarily collaborated with the legal department on preparing opinions regarding the allocation of funds from the Recovery Plan mechanism. He has been working at the law firm Hronček & Partners s. r. o. since 2024 as a legal trainee. He specializes in competition law, commercial law, European law, and international law. One of the projects he has been involved in was a collaboration with an investor from the People’s Republic of China regarding the international transit of goods to the United States, specifically concerning European and international legal regulations on the rules of preferential and non-preferential origin of goods, including the legal framework of the Union Customs Code (UCC). Among other things, he is currently involved in a development project for family businesses, the aim of which is to provide expert advice for the successful management of intergenerational succession in family businesses.