FAQEUCyber Resilience Act

EU Cyber Resilience Act FAQ Blue Guide Concepts

Understand the market-access concepts that drive CRA timing, compliance cutoffs, and transition decisions, including placing on the market, making available, imports, online sales, and unfinished software testing.

Built for legal, compliance, product, and operations teams that need defensible CRA timing decisions.

Back to main artifactReview sources
Author
Sorena AI
Published
Mar 10, 2026
Updated
Mar 10, 2026
Sections
28

Structured answer sets in this page tree.

Primary sources
4

Cited legal and guidance references.

Publication metadata
Sorena AI
Published Mar 10, 2026
Updated Mar 10, 2026
Overview

This FAQ focuses on the Blue Guide concepts that matter most for CRA implementation. If your team is arguing about placement dates, distance sales, warehouse stock, imports, transition inventory, or whether unfinished software can be tested before full compliance, these are the concepts you need to get right.

Search this module

Find a question or answer quickly

28 of 28 sections
Section 1

Why does the Blue Guide matter for CRA interpretation?

Because the CRA sits within the New Legislative Framework product-law architecture and uses the same core concepts that the Blue Guide explains, including placing on the market, making available on the market, CE marking, technical documentation, declarations of conformity, notified bodies, and market surveillance.

The Commission's CRA FAQ repeatedly relies on the Blue Guide when explaining those concepts, and the draft Commission guidance expressly describes the CRA as being built on the NLF.

Citations
Section 2

What is "placing on the market" for CRA purposes?

It is the first making available of an individual product on the Union market.

That is the decisive timing point for CRA compliance, because the applicable requirements are assessed when the individual product is first placed on the market.

Citations
Section 3

What must already be complete when a product is placed on the market?

The required compliance work must already be complete at that point.

The Blue Guide says that, by the time of placing on the market, the manufacturer must have completed the design work against the applicable requirements, the relevant risk and conformity assessment, the declaration of conformity, the marking steps and the technical file. The CRA aligns with that logic by requiring the technical documentation to be drawn up before placement on the market and the cybersecurity risk assessment to be included in it.

Citations
Section 4

What is "making available on the market"?

It is the supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge.

Once a product has already been placed on the market, later supplies in the distribution chain are usually cases of making available, not new placing-on-the-market events.

Citations
Section 5

Does placing on the market happen once per model or once per individual unit?

Once per individual product.

The Blue Guide explains that placing on the market refers to each individual product, not to a model or type. That is why units of an existing model first placed on the market after new requirements apply must comply with the new rules.

Citations
Section 6

Does placing on the market require payment?

No.

The Blue Guide explains that the first supply can be for payment or free of charge. What matters is that the product is complete and supplied for distribution, consumption or use on the Union market.

Citations
Section 7

Does placing on the market require physical handover of the product?

No.

The Blue Guide says placing on the market requires a completed product and an offer or agreement transferring ownership, possession or another property right, but it does not require physical handover.

Citations
Section 8

Does stock in a manufacturer's or importer's warehouse count as placing on the market?

No, not by itself.

Products kept in the stock of the manufacturer, the authorised representative or the importer are not yet placed on the market if they have not yet been supplied for distribution, consumption or use.

Citations
Section 9

Can an internal transfer within the manufacturer's own distribution structure count as placing on the market?

Yes.

The first supply for distribution on the Union market can still be a placing-on-the-market event even if it happens through the manufacturer's own commercial chain rather than through an unrelated distributor.

Citations
Section 10

If the manufacturer first supplies the product to an importer, distributor or end user, which transaction matters for placing on the market?

The first one.

For the individual product, the legal placing-on-the-market event is the first supply for distribution, consumption or use on the Union market, whether that first supply is to an importer, a distributor or directly to the end user.

Citations
Section 11

Does a pre-order or contract signed before manufacture is complete count as placing on the market?

No.

The Blue Guide explains that placing on the market requires the manufacturing stage to be complete. An offer or agreement concluded before the product is finished is not yet placing on the market.

Citations
Section 12

How do distance sales and online sales affect CRA timing?

They can bring a product into EU product-law scope before physical delivery to the customer.

If an online or distance offer is targeted at Union end users, the product is deemed to be made available on the Union market for market-surveillance purposes. The Blue Guide says that whether an offer targets Union end users must be assessed case by case, taking into account factors such as dispatch areas, ordering languages and payment possibilities; mere website accessibility is not enough. Where the product is already manufactured and ready to be shipped, a direct distance sale to an EU end user can also be the placing-on-the-market event for that individual product.

Citations
Section 13

Does an online offer targeting EU customers mean the product is already placed on the market?

Not necessarily.

The Blue Guide distinguishes between products being deemed made available on the Union market for market-surveillance purposes and the actual placing-on-the-market event for the individual product. The latter still depends on the distribution chain and on whether the product is already manufactured and supplied for distribution or use.

Citations
Section 14

When do imported products count as placed on the Union market?

Often at release for free circulation, but not always.

The Blue Guide says products declared for release for free circulation can generally be treated as placed on the market, while also making clear that in practice placing on the market may happen before or after that customs step depending on the distribution chain.

Citations
Section 15

Are products in transit, free zones or temporary storage already placed on the market?

No.

The Blue Guide says placing on the market is considered not to take place where products are introduced into the EU customs territory in transit, placed in free zones, temporary storage, warehouses or other special customs procedures.

Citations
Section 16

If a consumer buys a product in a third country while physically present there and brings it into the EU for personal use, is that placing on the market?

No.

The Blue Guide treats that situation as outside placing on the market. It also distinguishes it from products bought online and shipped into the EU, which do not fall under that carve-out.

Citations
Section 17

Does manufacturing for one's own use count as placing on the market under the CRA?

Usually no.

The Blue Guide says placing on the market does not occur where a product is manufactured for one's own use unless the legislation in question expressly treats own use as an equivalent trigger. The Commission's CRA FAQ applies that logic to the CRA and explains that products developed only for the manufacturer's own use are outside scope unless they are separately placed on the market.

Citations
Section 18

What is "putting into service," and does it usually matter under the CRA?

The Blue Guide defines it as the first use of a product within the Union by the end user for its intended purpose.

That concept matters in some Union product laws, but the CRA's general trigger structure is built around placing on the market and making available on the market, not a separate general putting-into-service trigger.

Citations
Section 19

If a product was lawfully placed on the market before new CRA rules applied, can it still be sold later?

Yes, in principle.

The Blue Guide explains that once a compliant product has been placed on the market, it may continue to be made available later in the distribution chain even if the law changes afterward or the relevant harmonised standards are revised, unless the new legislation provides otherwise. The Commission's CRA FAQ applies the same logic to the CRA transition.

Citations
Section 21

Does repeated renting create a new placing-on-the-market event?

No.

The Blue Guide says repeated renting of the same product does not create a new placing-on-the-market event. The compliance moment remains the first renting or other first supply of that individual product.

Citations
Section 22

Are prototypes or pre-production units shown at trade fairs or demonstrations already placed on the market?

No, provided the Blue Guide and CRA conditions are met.

The Blue Guide treats products displayed or operated under controlled conditions at trade fairs, exhibitions or demonstrations as not yet placed on the market, as long as they are clearly identified as non-compliant and not yet available for placing on the market. The CRA contains the same type of carve-out for products, including prototypes, presented or used at such events.

Citations
Section 23

Can unfinished software be made available for testing before full CRA compliance?

Yes, but only under a narrow CRA exception.

Article 4(3) allows unfinished software such as alpha versions, beta versions or release candidates to be made available on the market for the limited period required for testing, provided it carries a visible sign stating that it does not comply and is not available for purposes other than testing. Recital 37 also says manufacturers should not force users to upgrade to versions released only for testing purposes.

Citations
Section 24

Why does the Blue Guide matter for technical documentation and declarations of conformity under the CRA?

Because the CRA uses the same NLF documentation logic.

The Blue Guide explains the role of technical documentation and the possibility of a single declaration of conformity dossier across several Union acts. The Commission's CRA FAQ relies on that same logic when explaining what technical documentation must contain and how the declaration of conformity works under the CRA.

Citations
Section 25

Why does the Blue Guide matter for intended purpose and reasonably foreseeable use under the CRA?

Because the CRA uses the same product-law logic that compliance cannot be assessed only against the manufacturer's preferred use case.

The Commission's CRA FAQ relies on Blue Guide concepts to explain that the cybersecurity risk assessment must take account of intended purpose, reasonably foreseeable use and reasonably foreseeable misuse, and that those choices also affect the user information that has to be provided.

Citations
Section 26

How are Blue Guide market-placement concepts applied to standalone software supplied digitally?

For software, the CRA follows the same NLF concepts, but the draft Commission guidance explains how they work in a digital delivery model.

According to the draft guidance, once the software manufacturing phase is complete and a given software product is first offered for distribution or use on the Union market in the course of a commercial activity, that software product is regarded as placed on the market. Later downloads or remote access to that same unchanged software product are instances of making available rather than fresh placing-on-the-market events.

Citations
Section 27

Does a later software version that is not a substantial modification get a new placing-on-the-market date?

No.

The draft guidance says later iterations that do not qualify as substantial modifications do not trigger a new conformity assessment and do not change the software product's date of placement on the market. A new placing-on-the-market date arises only where the later iteration qualifies as a substantial modification.

Citations
Section 28

Does the same software-placement rule apply where software is supplied on physical media or combined with hardware?

No.

The draft guidance says the "first offering creates the placing-on-the-market date" logic applies only to standalone software supplied via digital means. If the software is supplied on a USB flash drive or other physical medium, the physical item is the product supplied for distribution. If software is necessary for hardware to perform its intended functions, the hardware and that software together form the product placed on the market.

Citations
Recommended next step

Use Blue Guide Concepts FAQ as a cited research workflow

Research Copilot can turn this blue guide concepts FAQ into a reusable cited workflow for product, legal, engineering, and compliance teams working through CRA decisions.

Research workflow
Open Research Copilot

Start from the blue guide concepts questions that block launch, review, and evidence workflows.

Explore next step
Talk to Sorena
Talk through your CRA implementation

Review evidence gaps, ownership, and next steps for your current product portfolio.

Explore next step
Primary sources

References and citations

Blue Guide 2022
ec.europa.eu38 citations
Referenced sections
  • sections 1.2, 2.2 to 2.8, 4.3, 4.4 and 7
  • section 2.3
  • section 2.3, including footnote 55
Show 11 more
  • sections 2.2 and 2.3
  • section 2.4 and example 5 in section 2.12
  • section 2.4
  • section 2.5 and examples 2 and 7 in section 2.12
  • sections 2.3 and 2.5
  • section 2.3, including footnote 50
  • section 2.6
  • sections 2.3, 2.10 and 4.1.2.5
  • sections 2.3 and 2.10
  • sections 4.3 and 4.4
  • sections 2.8 and 3.1
Cyber Resilience Act
data.europa.eu20 citations
Referenced sections
  • Article 3(21), Article 6 and Article 13
  • Article 13(4), Article 13(12), Article 28, Article 30 and Article 31
  • Article 3(22)
Show 7 more
  • Article 3(21), Article 3(22), Article 6 and Article 13
  • Article 4(2) and recital 36
  • Article 4(3) and recital 37
  • Article 28(3), Article 31 and Annex VII
  • Article 3(21) and Article 3(22)
  • Article 3(30) and recital 41
  • Article 3(1)
European Commission CRA FAQs (January 2026)
ec.europa.eu16 citations
Referenced sections
  • sections 1.4, 4.1.7, 4.1.8, 6.6, 6.8 and 7.2
  • sections 1.4 and 7.2
  • sections 6.6, 6.7 and 6.8
Show 4 more
  • section 7.2
  • section 1.5
  • sections 4.1.8, 6.6 and 6.8
  • sections 4.1.4, 4.1.5, 4.1.7 and 4.1.8
Draft Commission guidance on the CRA (March 2026 draft)
ec.europa.eu10 citations
Referenced sections
  • introduction and section 2.1
  • section 2.3, including footnote 7
  • section 2.1, points 10 to 14
Show 2 more
  • section 2.1, points 15 and 16
  • section 2.1, point 16, and section 2.2, points 17 to 19
Related guides

Explore more topics

Applicability Test | EU Cyber Resilience Act, CRA Product Security and CE Marking
Use this CRA applicability test to confirm product scope, exclusions, remote data processing boundaries, operator role, product classification.
Checklist | EU Cyber Resilience Act, CRA Product Security and CE Marking
Use this Cyber Resilience Act checklist to assign owners, deadlines, evidence, and release gates for scope, Annex I controls, support period operations.
Compliance Program | EU Cyber Resilience Act, CRA Product Security and CE Marking
Build a CRA compliance program that covers product scope, governance, engineering controls, support period operations, Article 14 reporting.
Conformity Assessment and CE Marking | EU Cyber Resilience Act, CRA Product Security and CE Marking
Choose the right CRA conformity route, prepare the declaration of conformity, structure the technical file.
CRA CE Marking FAQ | Meaning, Placement Rules, Software Labeling, Notified Bodies
CRA CE marking FAQ covering what the mark means, when it is mandatory, software and website placement rules, packaging fallback, notified body numbers.
CRA Component Due Diligence FAQ | Third-Party Components, FOSS, SBOM, Vulnerabilities
CRA component due diligence FAQ covering third-party components, FOSS, CE-marked components, SBOM review, risk-based checks, upstream vulnerability reporting.
CRA Conformity Assessment Routes FAQ | Module A, Module B+C, Module H, Critical and Important Products
CRA FAQ on conformity assessment routes covering module A, module B+C, module H, important and critical products, harmonised standards, certification schemes.
CRA Core Functionality FAQ | Important Products, Critical Products, Classification
CRA FAQ on core functionality covering classification of important and critical products, ancillary functions, integrated components.
CRA Cybersecurity Risk Assessment FAQ | Article 13, Threat Modelling, Variants, Constraints
CRA FAQ on cybersecurity risk assessment covering Article 13, threat modelling, intended purpose, foreseeable misuse, external dependencies, documentation.
CRA Declaration of Conformity FAQ | Full vs Simplified, Languages, Updates, Duties
CRA FAQ on the EU declaration of conformity covering full and simplified formats, required contents, languages, updates, single declarations across EU laws.
CRA Economic Operators FAQ | Manufacturers, Importers, Distributors, Authorised Representatives
CRA FAQ on economic operators covering manufacturer, authorised representative, importer, distributor, responsible operator rules, checks, traceability.
CRA Essential Cybersecurity Requirements FAQ | Annex I Part I and Part II
CRA FAQ on the essential cybersecurity requirements covering Annex I Part I and Part II, applicability, evidence, interoperability constraints.
CRA FAQ Hub | Blue Guide Concepts, CE Marking, Component Due Diligence
Browse the CRA FAQ hub for Blue Guide market-access concepts, CE marking, and component due diligence.
CRA Hardware and Software Boundaries FAQ | Product Scope, Combined Products, Source Code
CRA FAQ on hardware and software boundaries covering combined products, standalone software, source code, companion apps, remote data processing.
CRA Harmonised Standards and Common Specifications FAQ | Presumption of Conformity, OJ Publication
CRA FAQ on harmonised standards, common specifications, and certification schemes covering presumption of conformity, Official Journal publication.
CRA Important and Critical Products FAQ | Annex III, Annex IV, Core Functionality
CRA FAQ on important and critical products covering Annex III and Annex IV classification, core functionality, conformity routes, FOSS rule limits.
CRA Integrated Components and Dependencies FAQ | Due Diligence, RDPS, Third-Party Components
CRA FAQ on integrated components and dependencies covering due diligence, third-party components, RDPS, cloud dependencies, upstream fixes, FOSS dependencies.
CRA Interplay With Other EU Laws FAQ | RED, AI Act, GDPR, Data Act, EHDS, Machinery
CRA FAQ on interplay with other EU laws covering exclusions, overlap with RED, AI Act, GDPR, Data Act, EHDS, Machinery, GPSR, NIS2, aviation, marine.
CRA Known Exploitable Vulnerabilities at Launch FAQ | Placement on the Market, CVEs, Late Discoveries
CRA FAQ on known exploitable vulnerabilities at launch covering the launch-time rule, exploitability, known vulnerabilities, CVEs, compensating controls.
CRA Legacy Products FAQ | Pre-2027 Products, Reporting, Grandfathering, Substantial Modification
CRA FAQ on legacy products covering pre-11 December 2027 products, Article 14 reporting, continued sale, substantial modification, spare parts, old designs.
CRA Manufacturer Obligations FAQ | Article 13 Duties, Support Period, Reporting, Documentation
CRA FAQ on manufacturer obligations covering Article 13 duties, risk assessment, support periods, vulnerability handling, reporting, documentation.
CRA Market Surveillance and Enforcement FAQ | Authorities, Safeguards, Sweeps, Formal Non-Compliance
CRA FAQ on market surveillance and enforcement covering authorities, investigations, safeguard procedures, formal non-compliance, sweeps, joint activities.
CRA Module A FAQ | Internal Control, Self-Assessment, Eligibility, Documentation
CRA FAQ on module A covering internal control, eligible products, class I limits, FOSS exception, technical documentation, testing, CE marking.
CRA Module B+C FAQ | EU-Type Examination, Conformity to Type, Notified Bodies
CRA FAQ on module B+C covering EU-type examination, conformity to type, notified-body role, certificate changes, production control, CE marking.
CRA Module H FAQ | Full Quality Assurance, Notified Body Surveillance, CE Marking
CRA FAQ on module H covering full quality assurance, quality-system approval, notified-body surveillance, scope changes, CE marking, language rules, records.
CRA Notified Bodies FAQ | Notification, Scope, NANDO, Independence, Competence
CRA FAQ on notified bodies covering notification, competence, independence, NANDO scope, accreditation, cross-border choice, subcontracting.
CRA Open-Source Software FAQ | FOSS, Commercial Activity, Stewards, Donations, Paid Editions
CRA FAQ on open-source software covering FOSS qualification, commercial activity, donations, paid support, stewards, contributors, repositories.
CRA Over-the-Air Updates FAQ | OTA, Automatic Updates, Secure Distribution, Offline Paths
CRA FAQ on over-the-air updates covering OTA versus automatic updates, secure distribution, screenless products, gateways, offline update paths.
CRA Penalties and Fines FAQ | Fine Tiers, Turnover Caps, SME Carve-Outs, Stewards
CRA FAQ on penalties and fines covering Article 64 fine tiers, turnover caps, SME carve-outs, steward exemptions, cumulative fines, criminal sanctions.
CRA Product Families FAQ | Variants, Shared Assessments, Family Reuse, Conformity Scope
CRA FAQ on product families covering shared risk assessments, family-wide documentation reuse, cybersecurity-relevant variant differences.
CRA Remote Data Processing Solutions FAQ | RDPS Scope, Cloud Services, SaaS Boundaries, Documentation
CRA FAQ on remote data processing solutions covering Article 3(2) RDPS tests, cloud-service boundaries, websites and portals, third-party SaaS, backend scope.
CRA Repairs and Spare Parts FAQ | Repairs, Refurbishment, Spare-Part Exemption, Compatibility
CRA FAQ on repairs and spare parts covering substantial modification, Article 2(6) identical spare parts, non-identical replacements.
CRA Reporting Obligations FAQ | Article 14 Deadlines, CSIRT Filing, User Notices, Legacy Products
CRA FAQ on reporting obligations covering Article 14 deadlines, actively exploited vulnerabilities, severe incidents, CSIRT routing, user notifications.
CRA Scope FAQ | Products with Digital Elements, Connections, Software, Exclusions
CRA FAQ on scope and products with digital elements covering software, firmware, components, direct and indirect connections, offline products, exclusions.
CRA Secure-by-Default FAQ | Default Configuration, Auto Updates, Tailor-Made Limits
CRA FAQ on secure by default covering Annex I default configuration, automatic security updates, opt-outs, components, inapplicability.
CRA Security Updates vs Functionality Updates FAQ | Separation, Free Updates, Article 13(10)
CRA FAQ on security updates versus functionality updates covering separation where technically feasible, free security updates, automatic updates.
CRA Substantial Modification FAQ | Post-Market Changes, New Manufacturer, Legacy Products
CRA FAQ on substantial modification covering Article 3(30), software updates, repairs, new manufacturer status, conformity reassessment.
CRA Support Period FAQ | Placement on the Market, Unit-Level Timing, Update Availability
CRA FAQ on support periods covering Article 13(8), placement on the market timing, unit-level support periods, standalone software, update availability.
CRA Tailor-Made Products FAQ | Business-User Exception, Paid Updates, Evidence
CRA FAQ on tailor-made products covering the narrow business-user carve-out, secure-by-default and paid-update deviations, required evidence.
CRA Technical Documentation FAQ | Annex VII, Languages, Authority Access, Updates
CRA FAQ on technical documentation covering Annex VII content, timing, languages, versioning, authority access, reused documentation, simplified formats.
CRA Transition Period FAQ | Key Dates, Legacy Products, Pre-CRA Stock, RED Interplay
CRA FAQ on the transition period covering entry into force, phased application dates, legacy products, stock and customs timing, standalone software.
CRA Update Availability and Archives FAQ | Article 13(9), Archives, Historical Versions
CRA FAQ on update availability and software archives covering Article 13(9), Article 13(10), Article 13(11), retention of issued security updates.
CRA User Information and Transparency FAQ | Annex II, Support Disclosure, User Notices
CRA FAQ on user information and transparency covering Annex II instructions, support-period disclosure, end-of-support notices, vulnerability notices.
CRA vs RED Cybersecurity Delegated Act | EU Cyber Resilience Act, CRA Product Security and CE Marking
Compare the Cyber Resilience Act with the RED cybersecurity delegated act so you can decide which products fall under which rule, what dates apply.
CRA vs UK PSTI Act | EU Cyber Resilience Act, CRA Product Security and CE Marking
Compare the EU Cyber Resilience Act with the UK PSTI product security regime so your team can plan dual market compliance without mixing two different rule.
CRA Vulnerability Handling FAQ | Lifecycle Duties, Components, Disclosure, Fix Sharing
CRA FAQ on vulnerability handling covering Annex I Part II duties, component vulnerabilities, upstream reporting and fix sharing.
Deadlines and Compliance Calendar | EU Cyber Resilience Act, CRA Product Security and CE Marking
Track the CRA entry into force date, the notified body date, the reporting start date, and the main application date.
Essential Cybersecurity Requirements | EU Cyber Resilience Act, CRA Product Security and CE Marking
Understand the CRA essential cybersecurity requirements in Annex I.
Penalties and Fines | EU Cyber Resilience Act, CRA Product Security and CE Marking
Understand the CRA administrative fine tiers in Article 64, the conduct that attracts the highest penalties, and the evidence that reduces enforcement exposure.
Products with Digital Elements Scope | EU Cyber Resilience Act, CRA Product Security and CE Marking
Understand what counts as a product with digital elements under the CRA, how remote data processing fits, and where the scope boundary usually causes mistakes.
Reporting Obligations | EU Cyber Resilience Act, CRA Product Security and CE Marking
Prepare for CRA Article 14 reporting, including the twenty four hour early warning, the seventy two hour notification, final reports, CSIRT routing.
Requirements | EU Cyber Resilience Act, CRA Product Security and CE Marking
Review the full CRA requirement set, including manufacturer duties, operator duties, support period rules, user information, corrective action, reporting.
SBOM and Vulnerability Management Template | EU Cyber Resilience Act, CRA Product Security and CE Marking
Use this CRA SBOM and vulnerability management template to structure dependency records, triage, remediation, advisory publication, and support period evidence.
Technical Documentation and Audit File | EU Cyber Resilience Act, CRA Product Security and CE Marking
Build a CRA technical documentation file that covers product definition, risk assessment, support period, Annex I mapping, standards use, test evidence.
Vulnerability Handling and Disclosure | EU Cyber Resilience Act, CRA Product Security and CE Marking
Build a CRA vulnerability handling system that covers SBOM, intake, triage, remediation, coordinated vulnerability disclosure, secure updates.