Does every CVE or component vulnerability automatically block CRA placement on the market?
No. A public CVE, advisory, or component finding is a triage trigger, not an automatic launch ban for every product variant.
The manufacturer still has to verify whether the reported vulnerability is real, whether the affected code or function is present and reachable in its product, whether the vulnerable component is invoked or loaded in use, what access is required, whether compensating controls change exploitability, and whether the product's actual operational environment makes exploitation practical.
Section 4.2.2 lists operational and technical factors for case-by-case exploitability assessment, including code invocation, access required, and compensating controls.
Draft guidance point 213 says a reported exploitable vulnerability does not by itself prove practical exploitability or applicability to the specific product.
How should a manufacturer decide whether a late-stage vulnerability blocks launch under the CRA?
Treat a late-stage potentially exploitable vulnerability as a release gate.
The release decision should record the vulnerability source, affected product and version, component or code path, exploitability analysis under practical operational conditions, severity, potential impact, compensating controls, available fix or mitigation, and the cybersecurity risk assessment conclusion. If the vulnerability is known and exploitable for the product at placement on the market, the grounded answer is to fix or otherwise bring the product into conformity before launch rather than rely on a post-launch patch plan.
Article 13(1)-(4) requires manufacturers to design, develop, produce, document, and assess products against the Annex I requirements before placing them on the market.
Draft guidance points 214-215 address potentially exploitable vulnerabilities discovered shortly before the product enters the distribution chain and describe a risk-based decision between secure placement and pre-launch fixing.
Can a manufacturer rely on a plan to patch later if the vulnerability is already known and exploitable before placement on the market?
No, not as a substitute for the launch-time Annex I requirement.
The CRA separates the placement-on-the-market requirement from the later support-period vulnerability-handling regime. A post-launch patch process is required for vulnerabilities handled during the support period, but it does not cure placing a product on the market while a known exploitable vulnerability is already present and applicable.
Annex I Part I point (2)(a) applies at launch, while Annex I Part II point (2) requires vulnerability remediation during the vulnerability-handling lifecycle.
How does the CRA treat vulnerabilities found after placement on the market but before the final user receives the product?
The Commission FAQ says the launch-time obligation applies at placement on the market. If a newly discovered vulnerability appears after that point, the manufacturer is not expected to fix it before the product reaches the final user solely because of Annex I Part I point (2)(a).
That does not end the analysis. The manufacturer still has to handle vulnerabilities during the support period, including addressing and remediating vulnerabilities without delay in relation to the risks posed. Depending on the risk, that may mean a security update, workaround advisory, configuration guidance, or another remedy.
Does the CRA launch rule cover vulnerabilities in integrated third-party components?
Yes. The launch decision is about the product with digital elements as placed on the market, including integrated components.
Article 13 requires due diligence when integrating third-party components so they do not compromise the cybersecurity of the product. Recital 34 and the Commission FAQ also explain that vulnerability-handling obligations apply to the product in its entirety, including integrated components. A component CVE therefore needs product-specific applicability and exploitability triage, not automatic dismissal because the flaw is upstream.
Sections 4.3.6 and 4.4.2 explain component vulnerability handling and component due-diligence actions such as vulnerability database checks, security testing, SCA, SBOM review, and support-period checks.
How do secure-by-default settings affect a known-exploitable-vulnerability launch decision?
Secure-by-default is a separate Annex I requirement, but it often affects exploitability and launch risk.
If a vulnerable service, interface, algorithm, default credential, or update setting is exposed by default, the release gate should evaluate both requirements together: whether the product is being made available without known exploitable vulnerabilities, and whether the default configuration is secure for the product's intended purpose and reasonably foreseeable use. If a configuration change is the mitigation, the evidence should show that the secure state is the market-delivered default, not only an optional hardening guide.
Annex I Part I point (2)(b) requires secure-by-default configuration, and point (2)(c) covers security updates and automatic update settings where applicable.
Section 4.2.4 explains that secure-by-default depends on intended purpose, reasonably foreseeable use, and the manufacturer's cybersecurity risk assessment.
Does the CRA launch-time rule require evidence that the vulnerability is actively exploited in the wild?
No. Known exploitable vulnerability and actively exploited vulnerability are different CRA concepts.
A launch decision under Annex I Part I point (2)(a) asks whether the vulnerability is known and exploitable under practical operational conditions at placement on the market. Article 14 reporting asks whether the manufacturer becomes aware of an actively exploited vulnerability, which Article 3(42) defines by reliable evidence of malicious exploitation in a system without permission.
When can a launch vulnerability also trigger CRA Article 14 reporting?
Article 14 is triggered when the manufacturer becomes aware of an actively exploited vulnerability contained in the product with digital elements, not merely because a vulnerability is known, severe, or unpatched.
If the launch triage finds reliable evidence that a malicious actor has exploited the vulnerability in a system without permission, Article 14 reporting may apply. The CRA then requires an early warning within 24 hours of awareness, a vulnerability notification within 72 hours of awareness, and a final report no later than 14 days after a corrective or mitigating measure is available.
Section 5.2 distinguishes malicious exploitation from good-faith testing, lab testing, and bug-bounty discovery without evidence of prior malicious exploitation.
What evidence should a CRA launch gate keep for known exploitable vulnerability decisions?
Keep evidence that connects the vulnerability finding to the specific CRA launch conclusion.
Useful records include the source of the finding, affected product identifiers and versions, SBOM or component mapping, vulnerable code-path analysis, operational-environment assumptions, access prerequisites, compensating controls, severity and impact analysis, fix or mitigation status, secure-by-default configuration evidence, test results, the risk-assessment update, the release approval or block decision, and any Article 14 or voluntary-reporting assessment. The record should be usable by someone checking why the product was or was not placed on the market.
Article 13(3)-(4) requires documented and updated risk assessment; Article 13(7) requires systematic documentation of cybersecurity aspects, including known vulnerabilities and third-party information; Annex VII requires risk assessment and test-report documentation.
Sections 4.1.8 and 4.2.2 support keeping technical documentation, risk-assessment updates, and case-specific exploitability factors for vulnerability conclusions.
Can unfinished alpha, beta, or release-candidate software be made available for testing if it is not yet CRA compliant?
Yes, but only within the CRA testing exception.
Article 4(3) allows unfinished software to be made available for the limited time required for testing if it has a visible sign clearly stating that it does not comply with the CRA and will not be available on the market for purposes other than testing. Recital 37 and the Commission FAQ add that manufacturers should still release it only following a risk assessment, comply with product security requirements to the extent possible, and implement vulnerability handling to the extent possible.
Section 1.6 explains the unfinished-software exception and confirms that risk assessment and vulnerability handling still matter to the extent possible.
For products manufactured in series, can later units be placed on the market without already available relevant patches?
No. CRA compliance is not only a product-type abstraction.
Recital 38 says the essential cybersecurity requirements apply to each individual product with digital elements when it is placed on the market, whether manufactured individually or in series. It gives the example that each individual product should have received all security patches or updates available to address relevant security issues when it is placed on the market.
Recital 38 explains how essential cybersecurity requirements apply to individual products in series and specifically mentions available patches and updates at placement on the market.
Does the CRA apply in full to products placed on the market before 11 December 2027?
No.
Article 69(2) says products with digital elements placed on the market before 11 December 2027 are subject to the CRA requirements only if, from that date, they are subject to a substantial modification.
Is there any CRA obligation that still applies to pre-11 December 2027 products even if they are not substantially modified?
Yes.
Article 69(3) creates a specific derogation for reporting. It says Article 14 applies to all in-scope products that were placed on the market before 11 December 2027, and Article 71(2) says Article 14 starts to apply on 11 September 2026.
If a product was already placed on the market before 11 December 2027, can it continue to be sold or otherwise made available after that date?
Yes.
The Commission FAQ explains that individual products placed on the market before 11 December 2027 do not need to be brought into CRA conformity simply because they remain in the distribution chain after that date.
Sections 1.4, 7.2, and 7.5 explain that individual products already placed on the market are not brought into full CRA conformity merely by later distribution.
Do products have to reach the final user before 11 December 2027 in order to count as CRA legacy products?
No.
The Commission FAQ gives a direct example: units already placed on the market before 11 December 2027 do not need to be brought into CRA compliance even if they have not yet reached the final user. The legal question is whether the individual product was placed on the market, not whether it was already sold to the final customer or put into service.
If a manufacturer designed a product type before the CRA applies, can it keep placing newly manufactured units of that type on the market after 11 December 2027?
No, not unless those newly placed units comply with the CRA.
The Commission FAQ stresses that Union harmonisation legislation, including the CRA, applies to individual products, not to abstract product types or models. So a product is not grandfathered just because an earlier unit of the same type was placed on the market before 11 December 2027.
What happens if a pre-11 December 2027 product is substantially modified after that date?
Then the CRA starts to apply to that product.
Article 69(2) makes substantial modification the trigger. The CRA definition in Article 3(30) covers changes made after placing on the market that affect compliance with the essential cybersecurity requirements in Annex I Part I or change the intended purpose for which the product was assessed.
If a legacy product receives a bug-fix or security update after 11 December 2027, does that automatically bring the product into the CRA?
No.
The Commission FAQ gives a direct example: a smart TV placed on the market before 11 December 2027 does not become subject to full CRA requirements merely because it receives a later bug-fix update. Recital 39 of the CRA also says that a security update designed to decrease cybersecurity risk, without modifying intended purpose, is not considered a substantial modification.
What is an example of a post-2027 change that would bring a legacy product into the CRA?
The Commission FAQ gives an example where a smart TV placed on the market before 11 December 2027 later receives an update enabling smart-home control. The FAQ treats that as a substantial modification.
That result is consistent with recital 39, which says feature updates that modify original intended functions or the type or performance of the product and increase cybersecurity risk should be treated as substantial modifications.
Do maintenance, repair, or refurbishment of Legacy Products automatically count as substantial modifications under the CRA?
No.
Recital 42 says refurbishment, maintenance, and repair do not necessarily lead to a substantial modification. That will depend on whether the intended purpose and functionalities change and whether the level of risk remains unaffected.