The Shield, the Sword, and the Key
Why Europe’s digital rulebook only makes sense as a set of three
Most commentary on the EU’s new digital product rules stops at two instruments. The Cyber Resilience Act is described as the shield: the regime that pushes secure-by-design into products with digital elements, and that extends a manufacturer’s responsibility across the whole expected lifetime of a product. The revised Product Liability Directive is described as the sword: the regime that sharpens the consequences when a digital product causes harm, and that closes the grey areas around software, AI systems, and post-sale updates.
The shield-and-sword framing is useful, and it is not wrong. But it is incomplete. The third instrument in this system is eIDAS 2.0, and without it the other two do not fully function.
The part the shield cannot do
A secure product has to be secure for someone. The CRA tells manufacturers how to build and maintain their products; it does not, on its own, answer the question of who is on the other end of the interaction: which user, which business, which device, which authority is actually doing the authenticating, the signing, the transacting.
That question sits with eIDAS 2.0 and, in particular, with the European Digital Identity Wallet. Cross-border authentication for citizens and businesses, qualified digital signatures and seals, website authentication, and the underlying trust services together form the identity layer that the rest of the stack assumes already exists.
It is the key. Without it, a secure-by-design product can still be interacting with an unverified counterparty over a channel whose integrity cannot be proven after the fact. The shield holds; anyone can still walk through the door.
The part the sword cannot do
A sharper liability regime only works if the facts of a case can be reconstructed. The revised PLD expects better documentation, better testing, and better risk management precisely so that, when something goes wrong, there is a defensible account of what the product did and did not do, and of who interacted with it and how.
Identity and trust infrastructure is what makes that account provable rather than asserted. Who signed off. Who accessed. Whose credential authorised the transaction. Whose update was installed. Once harms caused by digital products are explicitly in scope, the evidentiary weight of a qualified signature or a wallet-based authentication is not decorative; it is often the difference between a liability claim that can be defended and one that cannot.
The sword, in other words, needs a chain of custody. eIDAS 2.0 is what supplies it.
Three instruments, one system
Read together, the three instruments describe a coherent European answer to a question that national regimes have been answering in fragments for a decade: what does it mean to place a trustworthy digital product on a single market of nearly 450 million people?
- The CRA sets the floor for how the product itself behaves.
- The revised PLD sets the consequences when that floor is not met and harm results.
- eIDAS 2.0 sets the identity and trust substrate that both of the above depend on.
None of the three is sufficient alone. The CRA without the PLD is a standard without teeth. The PLD without the CRA is a liability regime without a baseline to measure against. And both of them without eIDAS 2.0 operate in an environment where identity is asserted rather than proven, which, in a cross-border market, is the weakest link.
The shift for manufacturers
For businesses placing digital products on the EU market, the practical consequence of reading the three instruments as a system is that compliance stops being a set of parallel projects and starts being a single lifecycle question: can we design, evidence, maintain, and defend this product across its expected lifetime, to verified counterparties, under a harmonised standard, with the consequences that now attach when we cannot?
That is a different question from the one most product organisations have been answering. It is also the question the European regime is, increasingly, built to ask.
With thanks to Molly Butler, whose framework at “From Regulation to Resilience: A discussion on Malta’s implementation of European Digital Regulation on Cyber Security” (Brussels, 29 January 2026) underpins this piece.