Side-by-side
| Dimension | AI Act | CRA |
|---|---|---|
| Scope | AI systems placed on the EU market. | Products with digital elements (hardware and software) placed on the EU market; cloud SaaS is excluded. |
| Trigger | Article 6 (Annex I/III) or GPAI. | Product has digital elements (CRA Art 3) and is in scope (CRA Art 2 with carve-outs). |
| Substantive controls | Articles 9–15. | CRA Art 13 + Annex I (security properties, vulnerability handling). |
| Conformity | Annex VI internal default; Annex VII for biometric ID; integrated under Art 43(3) for Annex I products. | Default conformity; Annex VIII for important products (Class I/II in CRA Annex III); third-party for critical products (CRA Annex IV). |
| Vulnerability reporting | Art 73 serious-incident reporting (15 days; 2 days for a fundamental-rights breach). | Art 14: 24h notification of actively exploited vulnerabilities to ENISA via the single reporting platform; 72h notification of severe incidents. |
| Maximum fine | EUR 35M / 7%. | EUR 15M / 2.5% (essential requirements); EUR 10M / 2% (other obligations). |
| Application | 2 August 2026 (high-risk). | 11 December 2027 (substantive obligations); 11 September 2026 (vulnerability reporting). |
The combined product case
An AI-enabled connected product (a smart camera with object recognition, an industrial sensor with embedded ML, a connected medical device with on-device AI) is in scope of both regulations. The two regimes integrate as follows:
- AI Act Article 43(3) directs conformity assessment under the sectoral procedure; for CRA-covered products that means the CRA Annex VIII procedure (the higher-class route for important products) absorbs the AI Act check.
- The CE marking applies to both regimes; one mark, one declaration of conformity covering both.
- The CRA Annex VII technical documentation extends with the AI Act Annex IV elements.
- CRA Annex I §1 cybersecurity properties (confidentiality, integrity, availability) overlap directly with AI Act Article 15, so manufacturers can run a single test plan against both.
- CRA Annex I §2 vulnerability-handling requirements add: SBOM publication, coordinated-disclosure policy, free security updates throughout the support period (default minimum five years), notification of vulnerabilities through ENISA's single reporting platform.
Where the regimes diverge
- The CRA's 24-hour clock for actively exploited vulnerabilities is materially shorter than the AI Act's 15-day serious-incident clock. For AI-implicated vulnerabilities, the CRA clock controls.
- The CRA mandates a five-year minimum support period (CRA Art 13(8)). The AI Act has no equivalent stand-alone provision; in practice the AI Act post-market monitoring (Art 72) extends through the same period.
- The CRA explicitly carves out certain categories, including some software covered by other Union law and most cloud SaaS. The AI Act applies to AI in those carved-out contexts independently.
- CRA Annex III "important products" and Annex IV "critical products" lists may include AI components (intrusion-detection AI, security-assistive AI), bringing higher-class conformity assessment.
Practical compliance
- Confirm whether the product is in CRA scope (CRA Art 2) before designing the conformity strategy. SaaS-only AI is in AI Act scope but mostly outside CRA scope.
- Build one integrated technical file across CRA Annex VII and AI Act Annex IV.
- Set up one vulnerability-handling pipeline that satisfies CRA Annex I §2 and feeds the AI Act Article 73 serious-incident workflow when AI behaviour is implicated.
- Publish an SBOM and coordinated-disclosure policy aligned with CRA Annex I §2(7) and §2(8).
- Plan for the 11 September 2026 CRA vulnerability-reporting go-live — this lands before the substantive 11 December 2027 deadline.