Has anyone here already done a dual mapping of CRA vs AI Act requirements? Especially for edge AI or embedded systems that could qualify as high-risk AI?
The two regulations actually align in some areas—and seem intentionally written to let you reuse parts of your compliance effort.
Some examples where CRA and AI Act sync up:
- If you meet CRA Annex I (Part I & II) on cybersecurity and vulnerability handling, you may already comply with the AI Act’s Article 15 (security by design & resilience).
- The CRA’s DoC and CE marking process can be reused for the AI Act if the product falls under both (CRA Article 12(1)).
But there are key differences too:
- CRA covers the full lifecycle, including post-market security updates and vulnerability disclosures.
The AI Act focuses more on training data, model behavior, and operational risks. - Conformity assessments can differ: CRA classification (Annex III or IV) determines your route, while the AI Act uses an AI-specific risk tiering system.
- Incident types and reporting obligations aren’t the same—even if you’re reporting issues to ENISA under CRA, that doesn’t cover you under AI Act Article 62.
How are you all handling this dual compliance?
Trying to align everything into a unified process, or treating CRA and AI Act as separate tracks?