FAQEUCyber Resilience Act

EU Cyber Resilience Act FAQ Essential Cybersecurity Requirements

Use this CRA FAQ to understand how Annex I Part I and Part II work, what applies to every in-scope product, and how manufacturers must justify, document, and evidence compliance.

Built for product security, engineering, legal, certification, and compliance teams interpreting the CRA's core technical requirements.

Back to main artifactReview sources
Author
Sorena AI
Published
Mar 10, 2026
Updated
Mar 10, 2026
Sections
20

Structured answer sets in this page tree.

Primary sources
3

Cited legal and guidance references.

Publication metadata
Sorena AI
Published Mar 10, 2026
Updated Mar 10, 2026
Overview

The CRA's essential cybersecurity requirements are the core compliance baseline for products with digital elements. This FAQ focuses on how Annex I Part I and Part II differ, when requirements apply, how manufacturers justify inapplicability, and what evidence is needed to show conformity at product level.

Search this module

Find a question or answer quickly

20 of 20 sections
Section 1

What are the CRA's essential cybersecurity requirements?

The CRA splits the essential cybersecurity requirements into two parts:

- Part I of Annex I covers the cybersecurity properties the product itself must have

- Part II of Annex I covers the vulnerability-handling processes the manufacturer must put in place

Citations
Recommended next step

Use EU Cyber Resilience Act FAQ Essential Cybersecurity Requirements as a cited research workflow

Research Copilot can turn EU Cyber Resilience Act FAQ Essential Cybersecurity Requirements into a reusable cited workflow for teams implementing EU Cyber Resilience Act FAQ.

Research workflow
Open Research Copilot

Start from EU Cyber Resilience Act FAQ Essential Cybersecurity Requirements and move to source-backed decisions and evidence workflows.

Explore next step
Talk to Sorena
Talk through your EU Cyber Resilience Act FAQ implementation

Review evidence gaps, ownership, and next steps for EU Cyber Resilience Act FAQ.

Explore next step
Section 2

Do products with digital elements need to comply with both Part I and Part II of Annex I?

Yes.

Under Article 6, products may only be made available on the market where the product meets the Part I requirements and the manufacturer's processes comply with the Part II requirements.

Citations
Section 3

Do Part I and Part II work in exactly the same way over time?

No.

Part I focuses on the product as placed on the market. Part II contains vulnerability-handling obligations that manufacturers must comply with when the product is placed on the market and throughout the support period.

Citations
Section 4

Does the CRA prescribe one fixed technical checklist or one mandatory methodology for meeting the essential cybersecurity requirements?

No.

The requirements are objective-oriented and technology-neutral. The CRA does not mandate one specific cybersecurity risk-assessment methodology. Manufacturers can choose their methodology, but it must support identifying, evaluating and treating the relevant risks and documenting how the essential requirements are met.

Citations
Section 5

Are all Annex I requirements mandatory for every product in exactly the same way?

Not in exactly the same way.

For Part II, manufacturers need to comply with all vulnerability-handling requirements. For Part I, Article 13(3) requires the manufacturer to determine through the cybersecurity risk assessment which point (2) requirements are applicable to the product and how they are implemented. If a specific requirement is not applicable, the manufacturer must include a clear justification in the technical documentation.

Citations
Section 6

What does Annex I Part I, point (1) mean in practice?

It is the general product-level requirement to ensure an appropriate level of cybersecurity based on the risks.

The March 2026 draft guidance explains that this point is meant to catch additional cybersecurity risks identified by the risk assessment that are not otherwise adequately addressed by the other specific Part I requirements. In most cases, complying with the other applicable Part I requirements will also satisfy point (1), but if additional relevant risks remain, the manufacturer still has to address them at product level.

Citations
Section 7

Does the CRA require products to be free from all vulnerabilities?

No.

The CRA does not require a product to be free from all vulnerabilities. For placement on the market, the relevant product requirement is that, on the basis of the cybersecurity risk assessment and where applicable, the product is made available without known exploitable vulnerabilities. After placement on the market, the manufacturer must address and remediate relevant vulnerabilities without delay in line with Part II of Annex I.

Citations
Section 8

Can a manufacturer rely on its own risk appetite, product strategy or cost constraints to leave cybersecurity risks untreated?

No.

The draft guidance says residual cybersecurity risk is assessed against the CRA's regulatory threshold, not against the manufacturer's internal risk tolerance, commercial strategy or cost preferences. If identified risks are not adequately addressed, the product cannot simply be placed on the market anyway.

Citations
Section 9

Can user instructions compensate for product design shortcomings?

No.

The CRA requires manufacturers to place a compliant product on the market. Information and instructions can support secure installation, operation, integration and deployment, but the draft guidance says they cannot be used to compensate for product-design shortcomings or to justify leaving incompatible risks untreated.

Citations
Section 10

How should Annex I Part I be read in practice?

Part I, point (2) is a structured set of product-security outcomes that the manufacturer must apply where relevant on the basis of the cybersecurity risk assessment.

It covers, among other things:

- no known exploitable vulnerabilities at placement on the market

- secure-by-default configuration

- the ability to address vulnerabilities through security updates

- protection from unauthorised access

- confidentiality and integrity protection

- data minimisation

- protection of essential and basic functions, including after incidents

- attack-surface reduction

- exploitation-mitigation techniques

- security-related logging and monitoring

- secure removal and transfer of data and settings

Citations
Section 11

Do the essential requirements apply only to the local device, or to the whole product as placed on the market?

They apply to the whole product.

The Commission FAQ says the cybersecurity risk assessment must cover the entire product with digital elements, including remote data processing when it is in scope and supporting functions that form part of the product. The draft guidance likewise explains that risks from external services, networks and other dependencies may need to be addressed through product-level measures so that the product as a whole complies.

Citations
Section 12

What if a specific essential requirement is incompatible with interoperability needs or with other Union law?

The CRA recognises that this can happen, but it is not a free pass.

If a requirement is not applicable because of the nature of the product, the manufacturer must clearly justify that in the technical documentation. Recital 55 and the Commission FAQ give interoperability as an example. If cybersecurity risks still arise in relation to that inapplicable requirement, the manufacturer must address those risks by other appropriate means.

Citations
Section 13

Do harmonised standards define the only acceptable way to meet the essential requirements?

No.

Harmonised standards are voluntary and do not replace the manufacturer's own duty to assess risks and demonstrate compliance. They can support conformity, but manufacturers may also use other technical means if they document how the applicable essential requirements are met.

Citations
Section 14

How do CRA Annex I and Annex II work together on the essential cybersecurity requirements and user information?

Annex I sets the substantive cybersecurity outcomes and processes that the product and manufacturer must meet. Annex II requires the manufacturer to give users the information they need to install, operate, update, integrate and decommission the product securely.

That includes, among other things, the intended purpose, security properties, significant cybersecurity-risk circumstances, support-period information, update information, secure decommissioning information, and information needed by downstream integrators.

Citations
Section 15

How is a manufacturer expected to show that the CRA essential cybersecurity requirements are actually met?

The CRA does not prescribe one evidence format, but it does require the manufacturer to document how the applicable essential requirements are met.

That means the manufacturer needs to show in the cybersecurity risk assessment and technical documentation:

- which Part I requirements are applicable

- how they are implemented

- how Part I point (1) and Part II are applied

- what technical means, standards, specifications or other solutions are used

- what testing, review or other evidence supports those conclusions

Citations
Section 16

Do the essential cybersecurity requirements apply only to important or critical products?

No.

The essential cybersecurity requirements in Annex I apply horizontally to all products with digital elements that are in scope. The important or critical classification affects the conformity-assessment route, not whether the Annex I requirements apply in the first place.

Citations
Section 17

Do the essential cybersecurity requirements apply to each individual unit placed on the market, even when products are manufactured in series?

Yes.

Recital 38 makes clear that the essential cybersecurity requirements, including the vulnerability-handling requirements, apply to each individual product with digital elements when it is placed on the market, whether the product is manufactured as an individual unit or in series. The recital gives a practical example: each individual product placed on the market should already have received all security patches or updates available to address relevant security issues at that time.

Citations
Section 18

Can a manufacturer transfer responsibility for meeting the essential cybersecurity requirements to users, integrators or other third parties?

No.

The March 2026 draft guidance says the CRA does not allow the manufacturer to transfer cybersecurity risk or responsibility to users or third parties. Information and instructions can support secure deployment, operation or integration, and can inform users about residual risks, but the obligation to place a secure product on the market and demonstrate conformity with the essential cybersecurity requirements remains with the manufacturer.

Citations
Section 19

If identified cybersecurity risks cannot be adequately addressed through appropriate measures, can the product still be placed on the market with warnings or accepted residual risk?

No.

The draft guidance says that where identified risks cannot be adequately addressed through appropriate measures, compliance may require changes to the product's design, functionality or intended purpose. Cost or commercial feasibility alone is not a sufficient reason to leave such risks untreated, and warnings cannot justify placing a product on the market where the remaining risks are incompatible with the essential cybersecurity requirements.

Citations
Section 20

If interoperability requires a less secure measure or protocol, what do the essential cybersecurity requirements expect?

The CRA allows justified constraints, but not an automatic downgrade.

Where a product must interoperate with existing systems that only support an older or less secure approach, the manufacturer may rely on that approach only if it is necessary for interoperability, the associated risks are identified and documented, and other appropriate mitigation measures are implemented. The draft guidance adds that if it is technically feasible to support both the secure and the less secure option, the secure option is expected to be implemented and enabled by default, while the less secure option should be used only where interoperability requires it.

Citations
Primary sources

References and citations

Cyber Resilience Act
data.europa.eu20 citations
Referenced sections
  • Article 6, Annex I
  • Article 6, Article 13(1)
  • Article 6, Article 13(1), Article 13(7)-(9), Annex I
Show 14 more
  • Article 13(2)-(4), Annex I
  • Article 13(3)-(4), Annex I
  • Article 13(2)-(3), Annex I Part I, point (1)
  • Annex I Part I, point (2)(a), Annex I Part II, point (2)
  • Article 13(18), Annex II
  • Annex I Part I
  • Article 3(1), Article 13(2)-(5), Annex I
  • Article 13(4), recital 55
  • Article 27, Article 31, Annex I
  • Article 13(18)-(19), Annex I, Annex II
  • Article 13(3)-(4), Article 31, Annex VII
  • Article 6, Article 7, Article 8
  • recital 38, Article 13(1)
  • Article 13(2)-(4), Annex I Part I, point (1)
European Commission CRA FAQs (January 2026)
ec.europa.eu10 citations
Referenced sections
  • section 4.1.3
  • section 4.1.2, section 4.2.1
  • section 4.2.2, section 4.3.1
Show 5 more
  • section 4.1.3, section 4.2.1
  • section 4.1.1
  • section 4.1.7, section 4.2.1
  • section 4.1.1, section 4.2.1
  • section 4.2.1
Related guides

Explore more topics

Applicability Test | EU Cyber Resilience Act, CRA Product Security and CE Marking
Use this CRA applicability test to confirm product scope, exclusions, remote data processing boundaries, operator role, product classification.
Checklist | EU Cyber Resilience Act, CRA Product Security and CE Marking
Use this Cyber Resilience Act checklist to assign owners, deadlines, evidence, and release gates for scope, Annex I controls, support period operations.
Compliance Program | EU Cyber Resilience Act, CRA Product Security and CE Marking
Build a CRA compliance program that covers product scope, governance, engineering controls, support period operations, Article 14 reporting.
Conformity Assessment and CE Marking | EU Cyber Resilience Act, CRA Product Security and CE Marking
Choose the right CRA conformity route, prepare the declaration of conformity, structure the technical file.
CRA Blue Guide Concepts FAQ | Placing on the Market, Making Available, Distance Sales
CRA FAQ on Blue Guide concepts used in Cyber Resilience Act interpretation: placing on the market, making available, putting into service, online sales.
CRA CE Marking FAQ | Meaning, Placement Rules, Software Labeling, Notified Bodies
CRA CE marking FAQ covering what the mark means, when it is mandatory, software and website placement rules, packaging fallback, notified body numbers.
CRA Component Due Diligence FAQ | Third-Party Components, FOSS, SBOM, Vulnerabilities
CRA component due diligence FAQ covering third-party components, FOSS, CE-marked components, SBOM review, risk-based checks, upstream vulnerability reporting.
CRA Conformity Assessment Routes FAQ | Module A, Module B+C, Module H, Critical and Important Products
CRA FAQ on conformity assessment routes covering module A, module B+C, module H, important and critical products, harmonised standards, certification schemes.
CRA Core Functionality FAQ | Important Products, Critical Products, Classification
CRA FAQ on core functionality covering classification of important and critical products, ancillary functions, integrated components.
CRA Cybersecurity Risk Assessment FAQ | Article 13, Threat Modelling, Variants, Constraints
CRA FAQ on cybersecurity risk assessment covering Article 13, threat modelling, intended purpose, foreseeable misuse, external dependencies, documentation.
CRA Declaration of Conformity FAQ | Full vs Simplified, Languages, Updates, Duties
CRA FAQ on the EU declaration of conformity covering full and simplified formats, required contents, languages, updates, single declarations across EU laws.
CRA Economic Operators FAQ | Manufacturers, Importers, Distributors, Authorised Representatives
CRA FAQ on economic operators covering manufacturer, authorised representative, importer, distributor, responsible operator rules, checks, traceability.
CRA FAQ Hub | Blue Guide Concepts, CE Marking, Component Due Diligence
Browse the CRA FAQ hub for Blue Guide market-access concepts, CE marking, and component due diligence.
CRA Hardware and Software Boundaries FAQ | Product Scope, Combined Products, Source Code
CRA FAQ on hardware and software boundaries covering combined products, standalone software, source code, companion apps, remote data processing.
CRA Harmonised Standards and Common Specifications FAQ | Presumption of Conformity, OJ Publication
CRA FAQ on harmonised standards, common specifications, and certification schemes covering presumption of conformity, Official Journal publication.
CRA Important and Critical Products FAQ | Annex III, Annex IV, Core Functionality
CRA FAQ on important and critical products covering Annex III and Annex IV classification, core functionality, conformity routes, FOSS rule limits.
CRA Integrated Components and Dependencies FAQ | Due Diligence, RDPS, Third-Party Components
CRA FAQ on integrated components and dependencies covering due diligence, third-party components, RDPS, cloud dependencies, upstream fixes, FOSS dependencies.
CRA Interplay With Other EU Laws FAQ | RED, AI Act, GDPR, Data Act, EHDS, Machinery
CRA FAQ on interplay with other EU laws covering exclusions, overlap with RED, AI Act, GDPR, Data Act, EHDS, Machinery, GPSR, NIS2, aviation, marine.
CRA Known Exploitable Vulnerabilities at Launch FAQ | Placement on the Market, CVEs, Late Discoveries
CRA FAQ on known exploitable vulnerabilities at launch covering the launch-time rule, exploitability, known vulnerabilities, CVEs, compensating controls.
CRA Legacy Products FAQ | Pre-2027 Products, Reporting, Grandfathering, Substantial Modification
CRA FAQ on legacy products covering pre-11 December 2027 products, Article 14 reporting, continued sale, substantial modification, spare parts, old designs.
CRA Manufacturer Obligations FAQ | Article 13 Duties, Support Period, Reporting, Documentation
CRA FAQ on manufacturer obligations covering Article 13 duties, risk assessment, support periods, vulnerability handling, reporting, documentation.
CRA Market Surveillance and Enforcement FAQ | Authorities, Safeguards, Sweeps, Formal Non-Compliance
CRA FAQ on market surveillance and enforcement covering authorities, investigations, safeguard procedures, formal non-compliance, sweeps, joint activities.
CRA Module A FAQ | Internal Control, Self-Assessment, Eligibility, Documentation
CRA FAQ on module A covering internal control, eligible products, class I limits, FOSS exception, technical documentation, testing, CE marking.
CRA Module B+C FAQ | EU-Type Examination, Conformity to Type, Notified Bodies
CRA FAQ on module B+C covering EU-type examination, conformity to type, notified-body role, certificate changes, production control, CE marking.
CRA Module H FAQ | Full Quality Assurance, Notified Body Surveillance, CE Marking
CRA FAQ on module H covering full quality assurance, quality-system approval, notified-body surveillance, scope changes, CE marking, language rules, records.
CRA Notified Bodies FAQ | Notification, Scope, NANDO, Independence, Competence
CRA FAQ on notified bodies covering notification, competence, independence, NANDO scope, accreditation, cross-border choice, subcontracting.
CRA Open-Source Software FAQ | FOSS, Commercial Activity, Stewards, Donations, Paid Editions
CRA FAQ on open-source software covering FOSS qualification, commercial activity, donations, paid support, stewards, contributors, repositories.
CRA Over-the-Air Updates FAQ | OTA, Automatic Updates, Secure Distribution, Offline Paths
CRA FAQ on over-the-air updates covering OTA versus automatic updates, secure distribution, screenless products, gateways, offline update paths.
CRA Penalties and Fines FAQ | Fine Tiers, Turnover Caps, SME Carve-Outs, Stewards
CRA FAQ on penalties and fines covering Article 64 fine tiers, turnover caps, SME carve-outs, steward exemptions, cumulative fines, criminal sanctions.
CRA Product Families FAQ | Variants, Shared Assessments, Family Reuse, Conformity Scope
CRA FAQ on product families covering shared risk assessments, family-wide documentation reuse, cybersecurity-relevant variant differences.
CRA Remote Data Processing Solutions FAQ | RDPS Scope, Cloud Services, SaaS Boundaries, Documentation
CRA FAQ on remote data processing solutions covering Article 3(2) RDPS tests, cloud-service boundaries, websites and portals, third-party SaaS, backend scope.
CRA Repairs and Spare Parts FAQ | Repairs, Refurbishment, Spare-Part Exemption, Compatibility
CRA FAQ on repairs and spare parts covering substantial modification, Article 2(6) identical spare parts, non-identical replacements.
CRA Reporting Obligations FAQ | Article 14 Deadlines, CSIRT Filing, User Notices, Legacy Products
CRA FAQ on reporting obligations covering Article 14 deadlines, actively exploited vulnerabilities, severe incidents, CSIRT routing, user notifications.
CRA Scope FAQ | Products with Digital Elements, Connections, Software, Exclusions
CRA FAQ on scope and products with digital elements covering software, firmware, components, direct and indirect connections, offline products, exclusions.
CRA Secure-by-Default FAQ | Default Configuration, Auto Updates, Tailor-Made Limits
CRA FAQ on secure by default covering Annex I default configuration, automatic security updates, opt-outs, components, inapplicability.
CRA Security Updates vs Functionality Updates FAQ | Separation, Free Updates, Article 13(10)
CRA FAQ on security updates versus functionality updates covering separation where technically feasible, free security updates, automatic updates.
CRA Substantial Modification FAQ | Post-Market Changes, New Manufacturer, Legacy Products
CRA FAQ on substantial modification covering Article 3(30), software updates, repairs, new manufacturer status, conformity reassessment.
CRA Support Period FAQ | Placement on the Market, Unit-Level Timing, Update Availability
CRA FAQ on support periods covering Article 13(8), placement on the market timing, unit-level support periods, standalone software, update availability.
CRA Tailor-Made Products FAQ | Business-User Exception, Paid Updates, Evidence
CRA FAQ on tailor-made products covering the narrow business-user carve-out, secure-by-default and paid-update deviations, required evidence.
CRA Technical Documentation FAQ | Annex VII, Languages, Authority Access, Updates
CRA FAQ on technical documentation covering Annex VII content, timing, languages, versioning, authority access, reused documentation, simplified formats.
CRA Transition Period FAQ | Key Dates, Legacy Products, Pre-CRA Stock, RED Interplay
CRA FAQ on the transition period covering entry into force, phased application dates, legacy products, stock and customs timing, standalone software.
CRA Update Availability and Archives FAQ | Article 13(9), Archives, Historical Versions
CRA FAQ on update availability and software archives covering Article 13(9), Article 13(10), Article 13(11), retention of issued security updates.
CRA User Information and Transparency FAQ | Annex II, Support Disclosure, User Notices
CRA FAQ on user information and transparency covering Annex II instructions, support-period disclosure, end-of-support notices, vulnerability notices.
CRA vs RED Cybersecurity Delegated Act | EU Cyber Resilience Act, CRA Product Security and CE Marking
Compare the Cyber Resilience Act with the RED cybersecurity delegated act so you can decide which products fall under which rule, what dates apply.
CRA vs UK PSTI Act | EU Cyber Resilience Act, CRA Product Security and CE Marking
Compare the EU Cyber Resilience Act with the UK PSTI product security regime so your team can plan dual market compliance without mixing two different rule.
CRA Vulnerability Handling FAQ | Lifecycle Duties, Components, Disclosure, Fix Sharing
CRA FAQ on vulnerability handling covering Annex I Part II duties, component vulnerabilities, upstream reporting and fix sharing.
Deadlines and Compliance Calendar | EU Cyber Resilience Act, CRA Product Security and CE Marking
Track the CRA entry into force date, the notified body date, the reporting start date, and the main application date.
Essential Cybersecurity Requirements | EU Cyber Resilience Act, CRA Product Security and CE Marking
Understand the CRA essential cybersecurity requirements in Annex I.
Penalties and Fines | EU Cyber Resilience Act, CRA Product Security and CE Marking
Understand the CRA administrative fine tiers in Article 64, the conduct that attracts the highest penalties, and the evidence that reduces enforcement exposure.
Products with Digital Elements Scope | EU Cyber Resilience Act, CRA Product Security and CE Marking
Understand what counts as a product with digital elements under the CRA, how remote data processing fits, and where the scope boundary usually causes mistakes.
Reporting Obligations | EU Cyber Resilience Act, CRA Product Security and CE Marking
Prepare for CRA Article 14 reporting, including the twenty four hour early warning, the seventy two hour notification, final reports, CSIRT routing.
Requirements | EU Cyber Resilience Act, CRA Product Security and CE Marking
Review the full CRA requirement set, including manufacturer duties, operator duties, support period rules, user information, corrective action, reporting.
SBOM and Vulnerability Management Template | EU Cyber Resilience Act, CRA Product Security and CE Marking
Use this CRA SBOM and vulnerability management template to structure dependency records, triage, remediation, advisory publication, and support period evidence.
Technical Documentation and Audit File | EU Cyber Resilience Act, CRA Product Security and CE Marking
Build a CRA technical documentation file that covers product definition, risk assessment, support period, Annex I mapping, standards use, test evidence.
Vulnerability Handling and Disclosure | EU Cyber Resilience Act, CRA Product Security and CE Marking
Build a CRA vulnerability handling system that covers SBOM, intake, triage, remediation, coordinated vulnerability disclosure, secure updates.