Chiara, P.G., Ajanovic, A. (2026). The Cyber Resilience Act as another brick in the (useless) wall against the spreading of the spyware market in the EU?. COMPUTER LAW & SECURITY REVIEW, 61, 1-11 [10.1016/j.clsr.2026.106341].
The Cyber Resilience Act as another brick in the (useless) wall against the spreading of the spyware market in the EU?
Pier Giorgio Chiara
2026
Abstract
The expansion of the spyware market within the European Union reveals a structural contradiction in EU law and policy. While the European Union has strengthened product cybersecurity through the Regulation (EU) 2024/2847 (Cyber Resilience Act, CRA), it continues to tolerate the consolidation of a spyware market benefiting from the internal market legal and economic infrastructure, while inherently exploiting and preserving the very vulnerabilities in products with digital elements that the CRA is intended to reduce. This article examines whether, and to what extent, the Cyber Resilience Act (CRA) can be used to address that contradiction by casting light on three legal challenges. First, can spyware qualify as a product with digital elements within the meaning of the CRA? Second, how far does the Regulation’s national security exemption limit that possibility, particularly where spyware is developed, procured, or deployed by state actors? Third, can the CRA’s market surveillance and enforcement framework, especially Article 57, realistically be implemented against spyware products that pose significant cybersecurity risks and risks to compliance with Union rules protecting fundamental rights? The article argues that at least some types of spyware fall within the CRA’s material scope and that the Regulation may offer a lever for restricting their circulation on the Union market. At the same time, it shows that the CRA’s applicability, and above all the practical reach of its enforcement regime, is constrained by expansive national security claims, the opacity surrounding state deployment, and the limited willingness of competent authorities to act in politically sensitive cases. More broadly, it shows why any serious EU response must also turn on a narrower reading of national security exceptions and more credible enforcement structures.



