FAQEUCyber Resilience Act

EU Cyber Resilience Act FAQ Core Functionality

Use this CRA FAQ to understand how core functionality determines whether a product is in the default category, an important-product category, or a critical-product category.

Built for compliance, product, certification, legal, and engineering teams deciding CRA classification and conformity routes.

Back to main artifactReview sources
Author
Sorena AI
Published
Mar 10, 2026
Updated
Mar 10, 2026
Sections
21

Structured answer sets in this page tree.

Primary sources
3

Cited legal and guidance references.

Publication metadata
Sorena AI
Published Mar 10, 2026
Updated Mar 10, 2026
Overview

Core functionality is the classification hinge for CRA conformity assessment. This FAQ focuses on how manufacturers should determine what a product mainly is, how to distinguish core functionality from ancillary functions, and how to avoid category mistakes that change the applicable route under Article 32.

Search this module

Find a question or answer quickly

21 of 21 sections
Section 1

What is "core functionality" under the CRA?

The CRA does not define the term expressly in the regulation itself, but the draft Commission guidance explains it as the product's main features and technical capabilities, without which it would not be able to meet its intended purpose.

Citations
Recommended next step

Use EU Cyber Resilience Act FAQ Core Functionality as a cited research workflow

Research Copilot can turn EU Cyber Resilience Act FAQ Core Functionality into a reusable cited workflow for teams implementing EU Cyber Resilience Act FAQ.

Research workflow
Open Research Copilot

Start from EU Cyber Resilience Act FAQ Core Functionality and move to source-backed decisions and evidence workflows.

Explore next step
Talk to Sorena
Talk through your EU Cyber Resilience Act FAQ implementation

Review evidence gaps, ownership, and next steps for EU Cyber Resilience Act FAQ.

Explore next step
Section 3

How should a manufacturer determine a product's core functionality?

The draft Commission guidance says the manufacturer should assess the product's main features and technical capabilities in light of its intended purpose, specific context and conditions of use.

The guidance also says that this assessment can be supported by the instructions for use, promotional or sales materials, manufacturer statements and the technical documentation. That aligns with the CRA definitions of intended purpose and reasonably foreseeable use.

Citations
Section 4

Is core functionality about the whole product or about one component inside it?

It is about the product as a whole.

The CRA and the Commission FAQ make clear that the integration of a product or component with important or critical functionality does not by itself determine the classification of the finished product. The key question is the core functionality of the finished product itself.

Citations
Section 5

Can a product perform many functions but still have only one core functionality for CRA classification?

Yes.

The draft Commission guidance says a product may not have more than one core functionality for the purpose of determining the applicable conformity assessment regime, even if it has many additional or ancillary features.

Citations
Section 7

If a product can perform the functions of an important or critical category, does that automatically mean it has that core functionality?

No.

The draft Commission guidance says a product may be capable of performing functions associated with an important or critical category and still have a different core functionality. The assessment should focus on what the product mainly is, not on whether one feature overlaps with a listed category.

Citations
Section 8

If a product integrates an operating system, browser, firewall or secure element, does that decide the product's own core functionality?

No.

The Commission FAQ gives concrete examples: integrating an embedded browser into a news app does not make the app a browser for CRA classification, and integrating a secure element into a laptop does not make the laptop a secure element product. The same logic applies more broadly to other integrated listed components.

Citations
Section 9

Can a product fall outside a listed category because it goes beyond that category's core functionality?

Yes.

The Commission FAQ and the draft guidance use SOAR software as an example. Even though a SOAR tool may perform SIEM-like functions, it is generally not treated as having the core functionality of a SIEM if its own core functionality is different.

Citations
Section 10

Can a product fall outside a listed category because it falls short of that category's core functionality?

Yes.

The draft Commission guidance gives the example of security-related tools that collect and visualise logs but do not perform the full analytical and actionable functions associated with SIEM systems. Partial overlap is not enough by itself.

Citations
Section 11

Are partial similarities in domain, purpose or deployment context enough to classify a product as important or critical?

No.

The draft Commission guidance says the assessment should focus on the product's actual features and technical capabilities, as reflected in its intended purpose, rather than on vague product groupings, shared market context or partially overlapping functions.

Citations
Section 12

Must the manufacturer document the chosen core functionality?

Yes.

The draft Commission guidance says the product's core functionality should be clearly identified so that the applicable conformity assessment regime can be determined and checked. That fits with the CRA's broader documentation framework, including the need to describe the product's intended purpose and the conformity assessment procedure followed.

Citations
Section 13

Can a manufacturer describe the product strategically to avoid being classified as important or critical?

No.

The draft Commission guidance says a manufacturer may not misrepresent its product's core functionality in order to avoid the applicable conformity assessment regime. Clear inconsistencies between promotional materials, instructions for use and technical documentation can indicate that kind of misrepresentation.

Citations
Section 14

Does core functionality determine only the conformity route, or also the scope of compliance?

It determines the route, but the whole product still has to comply.

The draft Commission guidance explains that core functionality is the classification tool. It does not limit the product's broader compliance obligations. The conformity assessment and the manufacturer's risk assessment still have to address the product as a whole.

Citations
Section 15

If a harmonised standard covers the product's core functionality, does that automatically give full presumption of conformity for the whole product?

No.

The draft Commission guidance explains that a harmonised standard may support the use of internal control for an important class I product where it covers the core functionality, but the presumption of conformity extends only to the parts whose risks are actually covered by that standard. Additional functions and additional risks may still need to be addressed through other means.

Citations
Section 16

What should manufacturers use as the main reference for deciding whether a product matches a listed CRA category by core functionality?

The Commission FAQ says the technical descriptions of the important and critical product categories are laid down in Commission Implementing Regulation (EU) 2025/2392, and the draft Commission guidance also relies on those descriptions.

So in practice, manufacturers should not classify products only by label or market intuition. They should compare the product's real features and technical capabilities against the category descriptions referred to in the CRA materials.

Citations
Section 17

What if a product's core functionality does not match any Annex III or Annex IV category?

Then it falls into the default category.

The CRA does not use the term "default category" in the legal text itself, but the draft Commission guidance uses it for products whose core functionality does not match a category in Annex III or Annex IV. Those products follow the general conformity-assessment regime in Article 32(1), rather than the special routes for important or critical products.

Citations
Section 18

Are product names, marketing labels, or sales positioning enough to determine core functionality?

No.

The relevant question is whether the product's actual features and technical capabilities match the technical description of a listed category. Marketing and sales materials do matter as evidence of intended purpose and context of use, but they do not replace the underlying feature and capability analysis. If those materials conflict with the instructions for use or the technical documentation, the draft guidance treats that as a warning sign that the manufacturer may be misrepresenting the product's core functionality.

Citations
Section 19

Does use in a critical or sensitive environment by itself make a product important or critical?

No.

Classification turns on core functionality, not on deployment environment alone. A product's operating context can still matter greatly for the cybersecurity risk assessment and for the measures the manufacturer must implement, but it does not by itself change a product into an important or critical category if the product's own core functionality does not match one of the listed categories.

Citations
Section 20

If two products have the same core functionality, can they still require different cybersecurity measures?

Yes.

The Commission FAQ gives this directly with two different VPN products. Both may have the same core functionality and therefore the same CRA category, but the manufacturer still has to perform a product-specific cybersecurity risk assessment. A VPN intended for critical infrastructure may require more demanding measures than a VPN intended only for residential use, even though both remain VPN products for classification purposes.

Citations
Section 21

What is an example of a product that does have the core functionality of a listed category?

The draft Commission guidance gives a positive example for operating systems.

A software product that provides an abstraction layer over hardware, manages the execution of software components, handles process and memory management, input-output control, scheduling, resource allocation, and exposes system services and APIs so that applications can reliably run on the platform is treated in the guidance as having the core functionality of an operating system.

Citations
Primary sources

References and citations

Draft Commission guidance on the CRA (March 2026 draft)
ec.europa.eu20 citations
Referenced sections
  • points 123 and 124
  • points 122 and 123
  • point 124
Show 16 more
  • points 123 and 136
  • points 125 and 128
  • points 125 and 131
  • points 126 and 127
  • points 126 and 136
  • point 127 and Example 50
  • point 127 and Example 51
  • point 127
  • point 128
  • point 129
  • points 131 and 134 to 136
  • points 133 to 139
  • footnote 15 and Examples 48 to 53
  • point 122 and footnote 16
  • points 124, 127 and 129
  • point 124 and Example 48
European Commission CRA FAQs (January 2026)
ec.europa.eu11 citations
Referenced sections
  • section 3.1
  • sections 3.1 and 3.2
  • section 3.4
Show 5 more
  • sections 3.2 and 3.4
  • sections 3.1 and 3.4
  • sections 3.1 and 6.1
  • sections 3.1 and 3.3
  • section 3.3
Cyber Resilience Act
data.europa.eu10 citations
Referenced sections
  • Article 7(1), Article 8(1) and Article 32
  • Article 3(23), Article 3(24) and Annex VII
  • Article 7(1)
Show 6 more
  • Annex VII and Annex V
  • Article 13(2) to Article 13(4) and Article 32
  • Article 27(1), Article 27(5) and Article 32(2)
  • Article 7(1), Article 8(1) and Article 32(1)
  • Article 3(23) and Annex VII
  • Article 13(2) and Article 13(3)
Related guides

Explore more topics

Applicability Test | EU Cyber Resilience Act, CRA Product Security and CE Marking
Use this CRA applicability test to confirm product scope, exclusions, remote data processing boundaries, operator role, product classification.
Checklist | EU Cyber Resilience Act, CRA Product Security and CE Marking
Use this Cyber Resilience Act checklist to assign owners, deadlines, evidence, and release gates for scope, Annex I controls, support period operations.
Compliance Program | EU Cyber Resilience Act, CRA Product Security and CE Marking
Build a CRA compliance program that covers product scope, governance, engineering controls, support period operations, Article 14 reporting.
Conformity Assessment and CE Marking | EU Cyber Resilience Act, CRA Product Security and CE Marking
Choose the right CRA conformity route, prepare the declaration of conformity, structure the technical file.
CRA Blue Guide Concepts FAQ | Placing on the Market, Making Available, Distance Sales
CRA FAQ on Blue Guide concepts used in Cyber Resilience Act interpretation: placing on the market, making available, putting into service, online sales.
CRA CE Marking FAQ | Meaning, Placement Rules, Software Labeling, Notified Bodies
CRA CE marking FAQ covering what the mark means, when it is mandatory, software and website placement rules, packaging fallback, notified body numbers.
CRA Component Due Diligence FAQ | Third-Party Components, FOSS, SBOM, Vulnerabilities
CRA component due diligence FAQ covering third-party components, FOSS, CE-marked components, SBOM review, risk-based checks, upstream vulnerability reporting.
CRA Conformity Assessment Routes FAQ | Module A, Module B+C, Module H, Critical and Important Products
CRA FAQ on conformity assessment routes covering module A, module B+C, module H, important and critical products, harmonised standards, certification schemes.
CRA Cybersecurity Risk Assessment FAQ | Article 13, Threat Modelling, Variants, Constraints
CRA FAQ on cybersecurity risk assessment covering Article 13, threat modelling, intended purpose, foreseeable misuse, external dependencies, documentation.
CRA Declaration of Conformity FAQ | Full vs Simplified, Languages, Updates, Duties
CRA FAQ on the EU declaration of conformity covering full and simplified formats, required contents, languages, updates, single declarations across EU laws.
CRA Economic Operators FAQ | Manufacturers, Importers, Distributors, Authorised Representatives
CRA FAQ on economic operators covering manufacturer, authorised representative, importer, distributor, responsible operator rules, checks, traceability.
CRA Essential Cybersecurity Requirements FAQ | Annex I Part I and Part II
CRA FAQ on the essential cybersecurity requirements covering Annex I Part I and Part II, applicability, evidence, interoperability constraints.
CRA FAQ Hub | Blue Guide Concepts, CE Marking, Component Due Diligence
Browse the CRA FAQ hub for Blue Guide market-access concepts, CE marking, and component due diligence.
CRA Hardware and Software Boundaries FAQ | Product Scope, Combined Products, Source Code
CRA FAQ on hardware and software boundaries covering combined products, standalone software, source code, companion apps, remote data processing.
CRA Harmonised Standards and Common Specifications FAQ | Presumption of Conformity, OJ Publication
CRA FAQ on harmonised standards, common specifications, and certification schemes covering presumption of conformity, Official Journal publication.
CRA Important and Critical Products FAQ | Annex III, Annex IV, Core Functionality
CRA FAQ on important and critical products covering Annex III and Annex IV classification, core functionality, conformity routes, FOSS rule limits.
CRA Integrated Components and Dependencies FAQ | Due Diligence, RDPS, Third-Party Components
CRA FAQ on integrated components and dependencies covering due diligence, third-party components, RDPS, cloud dependencies, upstream fixes, FOSS dependencies.
CRA Interplay With Other EU Laws FAQ | RED, AI Act, GDPR, Data Act, EHDS, Machinery
CRA FAQ on interplay with other EU laws covering exclusions, overlap with RED, AI Act, GDPR, Data Act, EHDS, Machinery, GPSR, NIS2, aviation, marine.
CRA Known Exploitable Vulnerabilities at Launch FAQ | Placement on the Market, CVEs, Late Discoveries
CRA FAQ on known exploitable vulnerabilities at launch covering the launch-time rule, exploitability, known vulnerabilities, CVEs, compensating controls.
CRA Legacy Products FAQ | Pre-2027 Products, Reporting, Grandfathering, Substantial Modification
CRA FAQ on legacy products covering pre-11 December 2027 products, Article 14 reporting, continued sale, substantial modification, spare parts, old designs.
CRA Manufacturer Obligations FAQ | Article 13 Duties, Support Period, Reporting, Documentation
CRA FAQ on manufacturer obligations covering Article 13 duties, risk assessment, support periods, vulnerability handling, reporting, documentation.
CRA Market Surveillance and Enforcement FAQ | Authorities, Safeguards, Sweeps, Formal Non-Compliance
CRA FAQ on market surveillance and enforcement covering authorities, investigations, safeguard procedures, formal non-compliance, sweeps, joint activities.
CRA Module A FAQ | Internal Control, Self-Assessment, Eligibility, Documentation
CRA FAQ on module A covering internal control, eligible products, class I limits, FOSS exception, technical documentation, testing, CE marking.
CRA Module B+C FAQ | EU-Type Examination, Conformity to Type, Notified Bodies
CRA FAQ on module B+C covering EU-type examination, conformity to type, notified-body role, certificate changes, production control, CE marking.
CRA Module H FAQ | Full Quality Assurance, Notified Body Surveillance, CE Marking
CRA FAQ on module H covering full quality assurance, quality-system approval, notified-body surveillance, scope changes, CE marking, language rules, records.
CRA Notified Bodies FAQ | Notification, Scope, NANDO, Independence, Competence
CRA FAQ on notified bodies covering notification, competence, independence, NANDO scope, accreditation, cross-border choice, subcontracting.
CRA Open-Source Software FAQ | FOSS, Commercial Activity, Stewards, Donations, Paid Editions
CRA FAQ on open-source software covering FOSS qualification, commercial activity, donations, paid support, stewards, contributors, repositories.
CRA Over-the-Air Updates FAQ | OTA, Automatic Updates, Secure Distribution, Offline Paths
CRA FAQ on over-the-air updates covering OTA versus automatic updates, secure distribution, screenless products, gateways, offline update paths.
CRA Penalties and Fines FAQ | Fine Tiers, Turnover Caps, SME Carve-Outs, Stewards
CRA FAQ on penalties and fines covering Article 64 fine tiers, turnover caps, SME carve-outs, steward exemptions, cumulative fines, criminal sanctions.
CRA Product Families FAQ | Variants, Shared Assessments, Family Reuse, Conformity Scope
CRA FAQ on product families covering shared risk assessments, family-wide documentation reuse, cybersecurity-relevant variant differences.
CRA Remote Data Processing Solutions FAQ | RDPS Scope, Cloud Services, SaaS Boundaries, Documentation
CRA FAQ on remote data processing solutions covering Article 3(2) RDPS tests, cloud-service boundaries, websites and portals, third-party SaaS, backend scope.
CRA Repairs and Spare Parts FAQ | Repairs, Refurbishment, Spare-Part Exemption, Compatibility
CRA FAQ on repairs and spare parts covering substantial modification, Article 2(6) identical spare parts, non-identical replacements.
CRA Reporting Obligations FAQ | Article 14 Deadlines, CSIRT Filing, User Notices, Legacy Products
CRA FAQ on reporting obligations covering Article 14 deadlines, actively exploited vulnerabilities, severe incidents, CSIRT routing, user notifications.
CRA Scope FAQ | Products with Digital Elements, Connections, Software, Exclusions
CRA FAQ on scope and products with digital elements covering software, firmware, components, direct and indirect connections, offline products, exclusions.
CRA Secure-by-Default FAQ | Default Configuration, Auto Updates, Tailor-Made Limits
CRA FAQ on secure by default covering Annex I default configuration, automatic security updates, opt-outs, components, inapplicability.
CRA Security Updates vs Functionality Updates FAQ | Separation, Free Updates, Article 13(10)
CRA FAQ on security updates versus functionality updates covering separation where technically feasible, free security updates, automatic updates.
CRA Substantial Modification FAQ | Post-Market Changes, New Manufacturer, Legacy Products
CRA FAQ on substantial modification covering Article 3(30), software updates, repairs, new manufacturer status, conformity reassessment.
CRA Support Period FAQ | Placement on the Market, Unit-Level Timing, Update Availability
CRA FAQ on support periods covering Article 13(8), placement on the market timing, unit-level support periods, standalone software, update availability.
CRA Tailor-Made Products FAQ | Business-User Exception, Paid Updates, Evidence
CRA FAQ on tailor-made products covering the narrow business-user carve-out, secure-by-default and paid-update deviations, required evidence.
CRA Technical Documentation FAQ | Annex VII, Languages, Authority Access, Updates
CRA FAQ on technical documentation covering Annex VII content, timing, languages, versioning, authority access, reused documentation, simplified formats.
CRA Transition Period FAQ | Key Dates, Legacy Products, Pre-CRA Stock, RED Interplay
CRA FAQ on the transition period covering entry into force, phased application dates, legacy products, stock and customs timing, standalone software.
CRA Update Availability and Archives FAQ | Article 13(9), Archives, Historical Versions
CRA FAQ on update availability and software archives covering Article 13(9), Article 13(10), Article 13(11), retention of issued security updates.
CRA User Information and Transparency FAQ | Annex II, Support Disclosure, User Notices
CRA FAQ on user information and transparency covering Annex II instructions, support-period disclosure, end-of-support notices, vulnerability notices.
CRA vs RED Cybersecurity Delegated Act | EU Cyber Resilience Act, CRA Product Security and CE Marking
Compare the Cyber Resilience Act with the RED cybersecurity delegated act so you can decide which products fall under which rule, what dates apply.
CRA vs UK PSTI Act | EU Cyber Resilience Act, CRA Product Security and CE Marking
Compare the EU Cyber Resilience Act with the UK PSTI product security regime so your team can plan dual market compliance without mixing two different rule.
CRA Vulnerability Handling FAQ | Lifecycle Duties, Components, Disclosure, Fix Sharing
CRA FAQ on vulnerability handling covering Annex I Part II duties, component vulnerabilities, upstream reporting and fix sharing.
Deadlines and Compliance Calendar | EU Cyber Resilience Act, CRA Product Security and CE Marking
Track the CRA entry into force date, the notified body date, the reporting start date, and the main application date.
Essential Cybersecurity Requirements | EU Cyber Resilience Act, CRA Product Security and CE Marking
Understand the CRA essential cybersecurity requirements in Annex I.
Penalties and Fines | EU Cyber Resilience Act, CRA Product Security and CE Marking
Understand the CRA administrative fine tiers in Article 64, the conduct that attracts the highest penalties, and the evidence that reduces enforcement exposure.
Products with Digital Elements Scope | EU Cyber Resilience Act, CRA Product Security and CE Marking
Understand what counts as a product with digital elements under the CRA, how remote data processing fits, and where the scope boundary usually causes mistakes.
Reporting Obligations | EU Cyber Resilience Act, CRA Product Security and CE Marking
Prepare for CRA Article 14 reporting, including the twenty four hour early warning, the seventy two hour notification, final reports, CSIRT routing.
Requirements | EU Cyber Resilience Act, CRA Product Security and CE Marking
Review the full CRA requirement set, including manufacturer duties, operator duties, support period rules, user information, corrective action, reporting.
SBOM and Vulnerability Management Template | EU Cyber Resilience Act, CRA Product Security and CE Marking
Use this CRA SBOM and vulnerability management template to structure dependency records, triage, remediation, advisory publication, and support period evidence.
Technical Documentation and Audit File | EU Cyber Resilience Act, CRA Product Security and CE Marking
Build a CRA technical documentation file that covers product definition, risk assessment, support period, Annex I mapping, standards use, test evidence.
Vulnerability Handling and Disclosure | EU Cyber Resilience Act, CRA Product Security and CE Marking
Build a CRA vulnerability handling system that covers SBOM, intake, triage, remediation, coordinated vulnerability disclosure, secure updates.