EU Cyber Resilience Act FAQ

A product is in CRA scope when it is a product with digital elements, is made available on the EU market, and its intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.

Products with digital elements include software or hardware products and their remote data processing solutions, including software or hardware components placed on the market separately. The scope check still needs the Article 2 exclusions, such as certain products already covered by specified Union product regimes, and the national security or defence exclusion.

The CRA assigns obligations by economic-operator role. A manufacturer develops, manufactures, or has a product designed, developed, or manufactured and markets it under its own name or trademark. Importers place products from outside the Union on the EU market, distributors make products available without affecting their properties, and authorised representatives act only within a written mandate from the manufacturer.

A company can have different roles for different products or channels. A business that sells a product under its own name or trademark can become the manufacturer even if another party designed or built the product. A third-country manufacturer also needs an EU-established operator able to perform the Article 4 tasks under the Market Surveillance Regulation.

The CRA splits essential cybersecurity requirements into product properties and vulnerability-handling processes. Manufacturers must design, develop, and produce products in line with Annex I Part I and must operate vulnerability handling in line with Annex I Part II throughout the support period.

The product-property requirements are applied through the manufacturer's cybersecurity risk assessment. If a Part I requirement is not applicable to the product, the manufacturer must justify that in the technical documentation. The vulnerability-handling requirements are not just launch checks; they continue during the support period.

Manufacturers must notify actively exploited vulnerabilities contained in a product with digital elements and severe incidents having an impact on the security of that product. Notification is made via the single reporting platform to the CSIRT designated as coordinator and to ENISA.

An actively exploited vulnerability requires reliable evidence that a malicious actor exploited the vulnerability. A zero-day vulnerability is reportable when that condition is met, but a vulnerability found through good-faith testing without evidence of malicious exploitation is not automatically a mandatory Article 14 report.

Conformity assessment is the legal procedure used to demonstrate that the product and the manufacturer's vulnerability-handling processes meet the CRA's essential requirements. The CRA routes are Module A internal control, Module B plus C EU-type examination with conformity to type, and Module H full quality assurance.

The default category can generally use Module A. Important and critical products may need a notified body, depending on the class, whether harmonised standards are applied, and whether another route such as a European cybersecurity certification scheme becomes mandatory for critical products.

CE marking is the manufacturer's visible declaration that the product complies with applicable EU harmonisation legislation, including the CRA where it applies. It is not a mark of origin and does not mean a product was made in the EU.

Under the CRA, the manufacturer affixes the CE marking only after the relevant conformity assessment has a positive result, the EU declaration of conformity is drawn up, and the product satisfies the applicable requirements. Software products also need CE marking, either on the EU declaration of conformity or on the website accompanying the software product.

The manufacturer must determine the support period when placing the product on the market and must handle vulnerabilities effectively during that period. The period must reflect the expected use time, reasonable user expectations, product nature and intended purpose, relevant Union law, comparable products, operating environment availability, and support periods of core third-party components.

The CRA sets a support period of at least five years unless the product is expected to be in use for less than five years; in that case the support period must correspond to the expected use time. The end date, including at least the month and year, must be clearly available at purchase.

CRA market surveillance is handled under the EU market-surveillance framework for products with digital elements. Authorities can request information and documentation, evaluate compliance, require corrective action, and use restrictive measures such as withdrawal or recall where the CRA conditions are met.

Market surveillance can also address compliant products that still present a significant cybersecurity risk to health or safety, fundamental-rights compliance, services offered by essential entities, or other public-interest protections. Formal non-compliance is also enforceable, including missing CE marking, missing or incorrect EU declaration of conformity, missing notified-body identification number where applicable, or unavailable or incomplete technical documentation.