Search every question across sub-FAQs

The person who carries out the substantial modification and makes the product available on the market is treated as the manufacturer for CRA purposes.

That can be the original manufacturer, but it can also be an importer, distributor, or another natural or legal person. Article 21 covers importers and distributors, and Article 22 covers other persons that substantially modify products and make them available on the market.

That depends on the impact of the modification.

Article 22(2) says the person carrying out the substantial modification is subject to Articles 13 and 14 for the part of the product affected by the substantial modification or, if the substantial modification has an impact on the cybersecurity of the product as a whole, for the entire product.

No, not on that basis alone.

The Commission FAQ says distributors are not required to bring into compliance products that were already placed on the market before 11 December 2027, unless they themselves carry out a substantial modification.

Often yes.

Article 2(6) excludes spare parts made available on the market to replace identical components in products with digital elements where the spare parts are manufactured according to the same specifications as the components they are intended to replace. Recital 29 adds that this exemption is meant to cover spare parts used to repair legacy products made available before the CRA's date of application.

Not automatically.

Inference from the CRA text: Article 2(6) only answers whether the identical spare-parts exemption applies. Whether installing a non-identical replacement part becomes a substantial modification is a separate question that still turns on Article 3(30), meaning whether the change affects Annex I Part I compliance or changes the intended purpose for which the product was assessed.

They start on 11 September 2026.

That is the date Article 14 begins to apply under Article 71(2). The Commission FAQ confirms that, from that date, Article 14 applies even to in-scope products that had been placed on the market before 11 December 2027.

No.

The Commission FAQ says that, for products placed on the market before 11 December 2027, manufacturers are required to comply with the Article 14 reporting obligations, but those products are not otherwise brought into the full CRA regime unless they are substantially modified. Article 69(3) is a derogation specifically for Article 14.

No.

The Commission FAQ says Union harmonisation legislation, including the CRA, applies to individual products, not abstract product types. It also says only individual products that have been placed on the market before 11 December 2027 escape the full CRA regime. So manufacturing, warehousing, or holding stock before that date is not enough by itself if the unit is first placed on the market on or after 11 December 2027.

No, not necessarily.

The draft guidance says a product designed before the CRA's date of application can still be placed on the market after the CRA starts applying, provided the manufacturer can demonstrate current compliance through the cybersecurity risk assessment and technical documentation. Where it is not possible to show how the original design phase took the risk assessment into account, the manufacturer may document a current risk assessment and explain how the existing design mitigates the identified risks. The guidance expressly says the manufacturer is not required to recreate historical design or test documentation just for that purpose.

It applies from 11 September 2026 and, according to the Commission FAQ, upon becoming aware following that date.

Article 71(2) brings Article 14 into application on 11 September 2026. The Commission FAQ then says that, for pre-11 December 2027 products, the obligation to notify applies upon becoming aware following the entry into application of the reporting requirements.

The Commission FAQ still expects notification under Article 14 and user information where applicable, but not the full vulnerability-handling regime solely because of Article 69(3).

The FAQ gives examples such as missing tooling, unavailable build environments, incompatible dependencies, or departed staff. In that situation, for products placed on the market before 11 December 2027, the manufacturer is still required to notify the vulnerability or incident and Article 14(8) may still require informing impacted users. But the FAQ also says those products are not required, on that basis alone, to comply with other CRA obligations such as vulnerability handling.

Yes.

The Commission FAQ's legacy-product example includes an explicit note that firmware referred to in those examples may still fall in scope when placed on the market separately. That reflects the CRA's product-by-product approach: a legacy hardware unit can stay outside the full CRA regime unless substantially modified, while separately marketed software or firmware may still be assessed on its own placement on the market.

Keep records that prove the individual product's status, not only the model name.

Useful records include the first placing-on-the-market date for the affected units, batch or serial identifiers, supply-chain handover records, distributor stock records, the evidence used to decide whether an update, repair, refurbishment, or replacement part was a substantial modification, Article 14 notifications and user communications from 11 September 2026 onward, and economic-operator traceability records. If a legacy-era design is first placed on the market after 11 December 2027, keep the current cybersecurity risk assessment and technical documentation showing CRA conformity instead of relying on the old design date.

A CRA manufacturer is the natural or legal person that develops or manufactures a product with digital elements, or has that product designed, developed, or manufactured, and markets it under its own name or trademark.

That means a brand owner can be the manufacturer even when engineering, assembly, testing, hosting, or component work is outsourced. The Blue Guide position is consistent with this: subcontracting does not remove the manufacturer's overall responsibility for the product.

Article 13 has two anchor duties. When placing the product on the market, the manufacturer must ensure the product is designed, developed, and produced in accordance with the essential cybersecurity requirements in Annex I Part I. When placing the product on the market and during the support period, the manufacturer must ensure that vulnerabilities, including vulnerabilities in components, are handled effectively in accordance with Annex I Part II.

Article 13 then adds the operating obligations needed to prove and maintain that position: risk assessment, component due diligence, technical documentation, conformity assessment, EU declaration of conformity, CE marking, production controls, identification and contact information, user instructions, support-period disclosure, corrective action, authority cooperation, and cessation notices.

Yes. The manufacturer must assess cybersecurity risks associated with the product with digital elements and use the outcome during planning, design, development, production, delivery, and maintenance. The assessment is not just a launch checklist; it is the basis for deciding how the product satisfies Annex I and how risks are minimized, incidents are prevented, and incident impact is reduced.

The Commission CRA FAQ says the CRA does not prescribe a single mandatory methodology. The important control is that the method supports identification, evaluation, treatment, and documentation of relevant risks so market surveillance authorities can verify the result.

Article 13(3) requires the risk assessment to consider at least the product's intended purpose, reasonably foreseeable use, conditions of use such as the operational environment or assets to be protected, and the length of time the product is expected to be in use.

The assessment must indicate whether and how Annex I Part I point (2) applies, how those requirements are implemented, and how the manufacturer applies Annex I Part I point (1) and Annex I Part II. The Commission FAQ also explains that the assessment covers the entire product with digital elements, including in-scope remote data processing and supporting functions that form part of the product.

No. For Annex I Part I product properties, the manufacturer determines relevance based on the cybersecurity risk assessment. If a particular essential cybersecurity requirement is not applicable, Article 13(4) requires a clear justification in the technical documentation.

That is not permission to ignore risk. The manufacturer still has to explain the non-applicability position and address any resulting risk through design, mitigation, limits on intended use, warnings, or user information where needed. Annex I Part II vulnerability-handling requirements apply throughout the support period.

The manufacturer must exercise due diligence when integrating components sourced from third parties so those components do not compromise the cybersecurity of the product with digital elements. This includes free and open-source software components where they are integrated into the manufacturer's product.

If the manufacturer identifies a vulnerability in an integrated component, Article 13(6) requires it to report the vulnerability to the person or entity manufacturing or maintaining that component. Where the manufacturer develops a software or hardware modification to address the vulnerability, it must share the relevant code or documentation with the component manufacturer or maintainer where appropriate.

During the support period, the manufacturer must handle vulnerabilities in accordance with Annex I Part II. In practical evidence terms, that means keeping procedures for coordinated vulnerability disclosure, vulnerability intake from internal and external sources, vulnerability assessment, remediation or mitigation decisions, security-update development and distribution, user notification where needed, and records showing why the response matched the risk.

The CRA does not require a dedicated patch for every vulnerability. The Commission FAQ explains that the manufacturer must assess the relevance and risk of the vulnerability and put an appropriate remedy in place without delay. Depending on the risk, that remedy may be a patch, another mitigation, revised instructions, or a different corrective measure.