EU Cyber Resilience Act FAQ Blue Guide Concepts

Because the CRA sits within the New Legislative Framework product-law architecture and uses the same core concepts that the Blue Guide explains, including placing on the market, making available on the market, CE marking, technical documentation, declarations of conformity, notified bodies, and market surveillance.

The Commission's CRA FAQ repeatedly relies on the Blue Guide when explaining those concepts, and the draft Commission guidance expressly describes the CRA as being built on the NLF.

It is the first making available of an individual product on the Union market.

That is the decisive timing point for CRA compliance, because the applicable requirements are assessed when the individual product is first placed on the market.

The required compliance work must already be complete at that point.

The Blue Guide says that, by the time of placing on the market, the manufacturer must have completed the design work against the applicable requirements, the relevant risk and conformity assessment, the declaration of conformity, the marking steps and the technical file. The CRA aligns with that logic by requiring the technical documentation to be drawn up before placement on the market and the cybersecurity risk assessment to be included in it.

The role follows the supply-chain function, not the job title on an org chart.

Under the CRA, the manufacturer is the actor that develops, manufactures, or has the product designed, developed or manufactured and markets it under its own name or trademark. The importer is the EU-established actor that places on the market a product bearing the name or trademark of a person established outside the Union. The distributor is the supply-chain actor, other than the manufacturer or importer, that makes the product available on the Union market without affecting its properties.

That distinction matters because the first EU supply is usually the placing-on-the-market event handled by the manufacturer or importer, while later reseller handoffs are usually making-available events handled by distributors.

The importer is not merely a logistics label under the CRA.

Before placing the product on the market, the importer must ensure that the manufacturer has carried out the appropriate conformity assessment, drawn up the technical documentation, applied the CE marking, supplied the EU declaration of conformity and user information, and met the manufacturer identification and support-period information requirements referenced in Article 19.

If the importer considers or has reason to believe the product or the manufacturer processes are not in conformity, it must not place the product on the market until conformity is restored; if there is a significant cybersecurity risk, it must inform the manufacturer and market surveillance authorities.

A distributor has a due-care role even though it normally does not perform the manufacturer conformity assessment.

Before making a product with digital elements available, the distributor must verify that the product bears the CE marking and that the manufacturer and importer have provided the required documents and operator information referenced by Article 20.

If the distributor has reason to believe the product or manufacturer processes are not in conformity, it must not make the product available until conformity is restored. If the product poses a significant cybersecurity risk, it must inform the manufacturer and market surveillance authorities without undue delay.

When it changes the legal role, not merely because it resells the product.

The CRA treats an importer or distributor as the manufacturer if it places a product with digital elements on the market under its own name or trademark, or if it carries out a substantial modification of a product already placed on the market. In that situation, the actor becomes subject to the manufacturer obligations in Articles 13 and 14.

It is the manufacturer-facing conformity signal for the CRA and other applicable Union harmonisation legislation, not a cybersecurity rating or a mark of EU origin.

The CRA defines CE marking as the mark by which the manufacturer indicates that the product with digital elements and the manufacturer processes conform to the CRA essential cybersecurity requirements and to other applicable Union harmonisation legislation that provides for CE marking. The Blue Guide adds that CE marking is affixed after the relevant conformity assessment and declaration work, and that it is not a mark showing where the product was made.

It is the supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge.

Once a product has already been placed on the market, later supplies in the distribution chain are usually cases of making available, not new placing-on-the-market events.

Once per individual product.

The Blue Guide explains that placing on the market refers to each individual product, not to a model or type. That is why units of an existing model first placed on the market after new requirements apply must comply with the new rules.

No.

The Blue Guide explains that the first supply can be for payment or free of charge. What matters is that the product is complete and supplied for distribution, consumption or use on the Union market.

No.

The Blue Guide says placing on the market requires a completed product and an offer or agreement transferring ownership, possession or another property right, but it does not require physical handover.

No, not by itself.

Products kept in the stock of the manufacturer, the authorised representative or the importer are not yet placed on the market if they have not yet been supplied for distribution, consumption or use.

Yes.

The first supply for distribution on the Union market can still be a placing-on-the-market event even if it happens through the manufacturer's own commercial chain rather than through an unrelated distributor.

The first one.

For the individual product, the legal placing-on-the-market event is the first supply for distribution, consumption or use on the Union market, whether that first supply is to an importer, a distributor or directly to the end user.

No.

The Blue Guide explains that placing on the market requires the manufacturing stage to be complete. An offer or agreement concluded before the product is finished is not yet placing on the market.

They can bring a product into EU product-law scope before physical delivery to the customer.

If an online or distance offer is targeted at Union end users, the product is deemed to be made available on the Union market for market-surveillance purposes. The Blue Guide says that whether an offer targets Union end users must be assessed case by case, taking into account factors such as dispatch areas, ordering languages and payment possibilities; mere website accessibility is not enough. Where the product is already manufactured and ready to be shipped, a direct distance sale to an EU end user can also be the placing-on-the-market event for that individual product.

Not necessarily.

The Blue Guide distinguishes between products being deemed made available on the Union market for market-surveillance purposes and the actual placing-on-the-market event for the individual product. The latter still depends on the distribution chain and on whether the product is already manufactured and supplied for distribution or use.

Often at release for free circulation, but not always.

The Blue Guide says products declared for release for free circulation can generally be treated as placed on the market, while also making clear that in practice placing on the market may happen before or after that customs step depending on the distribution chain.

No.

The Blue Guide says placing on the market is considered not to take place where products are introduced into the EU customs territory in transit, placed in free zones, temporary storage, warehouses or other special customs procedures.

No.

The Blue Guide treats that situation as outside placing on the market. It also distinguishes it from products bought online and shipped into the EU, which do not fall under that carve-out.

Usually no.

The Blue Guide says placing on the market does not occur where a product is manufactured for one's own use unless the legislation in question expressly treats own use as an equivalent trigger. The Commission's CRA FAQ applies that logic to the CRA and explains that products developed only for the manufacturer's own use are outside scope unless they are separately placed on the market.

The Blue Guide defines it as the first use of a product within the Union by the end user for its intended purpose.

That concept matters in some Union product laws, but the CRA's general trigger structure is built around placing on the market and making available on the market, not a separate general putting-into-service trigger.

Yes, in principle.

The Blue Guide explains that once a compliant product has been placed on the market, it may continue to be made available later in the distribution chain even if the law changes afterward or the relevant harmonised standards are revised, unless the new legislation provides otherwise. The Commission's CRA FAQ applies the same logic to the CRA transition.

Yes.

The relevant question is whether the individual product had already been placed on the market before the new rules applied. If it had, later storage and resale within the distribution chain do not create a new placing-on-the-market event.

No.

The Blue Guide says repeated renting of the same product does not create a new placing-on-the-market event. The compliance moment remains the first renting or other first supply of that individual product.

No, provided the Blue Guide and CRA conditions are met.

The Blue Guide treats products displayed or operated under controlled conditions at trade fairs, exhibitions or demonstrations as not yet placed on the market, as long as they are clearly identified as non-compliant and not yet available for placing on the market. The CRA contains the same type of carve-out for products, including prototypes, presented or used at such events.

Yes, but only under a narrow CRA exception.

Article 4(3) allows unfinished software such as alpha versions, beta versions or release candidates to be made available on the market for the limited period required for testing, provided it carries a visible sign stating that it does not comply and is not available for purposes other than testing. Recital 37 also says manufacturers should not force users to upgrade to versions released only for testing purposes.

Because the CRA uses the same NLF documentation logic.

The Blue Guide explains the role of technical documentation and the possibility of a single declaration of conformity dossier across several Union acts. The Commission's CRA FAQ relies on that same logic when explaining what technical documentation must contain and how the declaration of conformity works under the CRA.

Because the CRA uses the same product-law logic that compliance cannot be assessed only against the manufacturer's preferred use case.

The Commission's CRA FAQ relies on Blue Guide Concepts to explain that the cybersecurity risk assessment must take account of intended purpose, reasonably foreseeable use and reasonably foreseeable misuse, and that those choices also affect the user information that has to be provided.

For software, the CRA follows the same NLF concepts, but the draft Commission guidance explains how they work in a digital delivery model.

According to the draft guidance, once the software manufacturing phase is complete and a given software product is first offered for distribution or use on the Union market in the course of a commercial activity, that software product is regarded as placed on the market. Later downloads or remote access to that same unchanged software product are instances of making available rather than fresh placing-on-the-market events.

No.

The draft guidance says later iterations that do not qualify as substantial modifications do not trigger a new conformity assessment and do not change the software product's date of placement on the market. A new placing-on-the-market date arises only where the later iteration qualifies as a substantial modification.

No.

The draft guidance says the "first offering creates the placing-on-the-market date" logic applies only to standalone software supplied via digital means. If the software is supplied on a USB flash drive or other physical medium, the physical item is the product supplied for distribution. If software is necessary for hardware to perform its intended functions, the hardware and that software together form the product placed on the market.