EU Cyber Resilience Act FAQ CE Marking

Under the CRA, the CE marking is the manufacturer's visible indication that the product with digital elements, and the processes put in place by the manufacturer, conform to the CRA's essential cybersecurity requirements and to any other applicable Union harmonisation legislation that also provides for CE marking.

It is the visible consequence of the conformity-assessment process. It is not a separate licence or approval stamp issued by authorities.

It supports free circulation by signalling presumed compliance with the applicable CE-marking legislation.

The Blue Guide explains that products bearing the CE marking are presumed to comply with the applicable Union harmonisation legislation and therefore benefit from free circulation. The CRA follows the same logic: Member States must not impede the making available on the market of products that comply with the Regulation, and recital 36 links that free movement function to CRA CE marking.

Yes, as the general rule for products with digital elements that are placed on the Union market under the CRA.

The manufacturer must affix the CE marking before placing the product on the market, after the applicable conformity assessment has been completed. The Blue Guide also makes clear that products not covered by Union legislation providing for CE marking must not bear the CE marking.

No, not as a general rule.

The CE marking remains the manufacturer's declaration of conformity on its sole responsibility. Some CRA conformity-assessment routes involve a notified body, but the CE marking does not by itself mean that a public authority approved the product.

No.

The CE marking indicates conformity with the applicable legislation. It is not a mark of origin and does not show where the product was manufactured.

The manufacturer may affix it, and the Blue Guide also recognises affixing by an authorised representative acting on the manufacturer's behalf.

Even where an authorised representative is used, the manufacturer remains ultimately responsible for conformity and for the CE marking.

Yes.

Under the CRA, an importer or distributor that places a product on the market under its own name or trademark, or that carries out a substantial modification, is treated as the manufacturer. A different natural or legal person that substantially modifies a product and makes it available on the market can also become the manufacturer for the affected product or part. The Blue Guide reflects the same general NLF logic.

Before the product with digital elements is placed on the market.

That means the manufacturer cannot defer CE marking until after launch or leave it to later stages in the distribution chain.

No.

The manufacturer must first complete the applicable conformity assessment procedure with a positive result. The CRA FAQ states this directly, and the Blue Guide says the CE marking may not, in principle, be affixed until the conformity assessment has been completed.

As a rule, it must be affixed visibly, legibly and indelibly to the product itself.

If that is not possible or not warranted because of the nature of the product, the CRA requires it to be affixed to the packaging and to the EU declaration of conformity accompanying the product.

No.

The Blue Guide is clear that moving the CE marking off the product cannot be justified on purely aesthetic grounds. The exception is only for cases where affixing it to the product is not possible or not warranted because of the product's nature.

No.

Under Article 30(1), the CRA gives the website option only for products with digital elements in the form of software. For other products, the rule is product first, with packaging and accompanying EU declaration of conformity as the fallback where the nature of the product justifies it.

For software products, the CE marking must be affixed either to the EU declaration of conformity or on the website accompanying the software product.

If the website option is used, the relevant section must be easily and directly accessible to consumers.

It must be visible, legible and indelible.

The height may be below 5 mm only where the nature of the product justifies that and the mark still remains visible and legible. The CRA FAQ adds that reduced size cannot be justified by aesthetics alone and that the mark should not be placed where it is not easily visible in the product's intended use.

Not as a purely electronic-only substitute.

The Blue Guide says electronic labelling only is not allowed. At the same time, it notes that some on-product technological solutions, such as certain LCD displays, can be acceptable where they still satisfy the visibility, legibility and indelibility requirements. For software, the CRA separately allows the CE marking on the accompanying website or EU declaration of conformity.

Yes, but only within limits.

Under the CRA, the CE marking may be followed by a pictogram or other mark indicating a special cybersecurity risk or use if such markings are set out in implementing acts. More generally, the Blue Guide allows additional markings only where they serve a different function, do not create confusion with the CE marking, and do not reduce its visibility or legibility.

Under the CRA, only where the conformity assessment procedure is based on full quality assurance under module H.

That is different from module B+C. Under module B+C, the manufacturer affixes the CE marking after obtaining the EU-type certificate, but Article 30(4) does not require the notified body's identification number to follow the CE marking for that route.

Yes.

The Blue Guide explains that the CE marking and, where relevant, the notified body's identification number do not need to be affixed within the Union. They may also be affixed in a third country, for example where the product is manufactured there.

No.

The CRA recital on open-source software stewards says they should not be permitted to affix the CE marking to the products with digital elements whose development they support, because that light-touch steward regime does not make them subject to the same obligations as manufacturers.

No.

The Blue Guide says CE-marked components or parts do not automatically guarantee that the finished product complies. The manufacturer of the finished product must still verify the finished product as such. The CRA FAQ makes the same practical point from the component-due-diligence angle: CE-marked components can support the manufacturer's compliance work, but the CRA does not require manufacturers to integrate only CE-marked components.

The same CE marking indicates that the product also meets those other applicable Union harmonisation acts.

That is also why the CRA requires a single EU declaration of conformity when multiple applicable Union acts apply to the same product.

Importers must ensure before placing the product on the market that the product bears the CE marking and is accompanied by the EU declaration of conformity and the required user information. Distributors must verify before making the product available that the product bears the CE marking and that the specified manufacturer and importer obligations have been met.

So CE marking is not only a manufacturer-side issue. Other economic operators are expected to check for it as part of their own CRA duties.

Yes, if it is not yet being made available on the market.

The CRA allows the presentation or use of a non-compliant product, including a prototype, at trade fairs, exhibitions, demonstrations or similar events, provided that it carries a visible sign clearly stating that it does not comply and will not be made available on the market until it does.

Yes, but only within the CRA's specific testing exception.

Article 4(3) allows unfinished software to be made available for a limited period required for testing purposes if it carries a visible sign stating that it does not comply with the CRA and is not available for purposes other than testing. Recital 37 and the Commission FAQ explain that this covers alpha, beta and release candidate software, that manufacturers should perform a risk assessment and comply to the extent possible with the relevant security and vulnerability-handling requirements, and that they should not force users to upgrade to testing versions. Article 4(4) excludes certain safety components from this exception.

No.

CE marking comes after conformity assessment, but the manufacturer still has continuing obligations under the CRA, including vulnerability handling, support-period duties, corrective actions, and keeping the technical documentation and declaration of conformity available for the required period.

Missing or improper CE marking is treated as formal non-compliance under the CRA.

Market surveillance authorities must require the relevant manufacturer to end the non-compliance. If the problem persists, Member States must take appropriate measures to restrict or prohibit the product from being made available on the market or to ensure recall or withdrawal. In addition, non-compliance with Article 30(1) to (4) can trigger administrative fines under Article 64(3).