FAQ item index

Indexed coverage: 826 of 826 items across 40 modules • Updated Mar 10, 2026
Author: Sorena AI
Published: Mar 10, 2026
Updated: Mar 10, 2026

CRA Manufacturer Obligations

How does the manufacturer determine and disclose the support period?

Article 13(8) says the support period must reflect the time during which the product is expected to be in use. The manufacturer must take into account reasonable user expectations, the nature of the product including its intended purpose, and relevant Union law determining product lifetime. The support period must be at least five years unless the product is expected to be in use for less than five years.

The manufacturer must include in the technical documentation the information taken into account to determine the support period. Article 13(19) also requires the manufacturer to clearly and understandably specify the end date of the support period, at least month and year, at the time of purchase in an easily accessible manner and, where applicable, on the product, packaging, or by digital means.

Citations
Cyber Resilience Act

Article 13(8) defines support-period criteria and minimum duration; Article 13(19) requires support-period end-date disclosure.

CRA Manufacturer Obligations

How long must security updates remain available?

Each security update made available during the support period must remain available for at least 10 years after it is issued or for the remainder of the support period, whichever is longer.

For evidence controls, keep the update identifier, affected product versions, vulnerability or risk addressed, release date, distribution channel, integrity mechanism, user notification, and archive or availability proof. Those records help connect Article 13(9), Annex I Part II, and user-instruction obligations.

Citations
Cyber Resilience Act

Article 13(9) sets the availability period for security updates issued during the support period.

CRA Manufacturer Obligations

What technical documentation and declaration records must the manufacturer keep?

Before placing the product on the market, the manufacturer must draw up technical documentation, carry out the applicable conformity assessment procedure or have it carried out, draw up the EU declaration of conformity once conformity is demonstrated, and affix the CE marking.

The manufacturer must keep the technical documentation and EU declaration of conformity for at least 10 years after placing the product on the market or for the support period, whichever is longer. Annex VII points the evidence set toward the product description, design and development information, production and vulnerability-handling information, the cybersecurity risk assessment, applied standards or specifications, conformity assessment material, and support-period determination.

Citations
Cyber Resilience Act

Article 13(12)-(13), Article 28, Article 30, Article 32, and Annex VII cover documentation, declaration, conformity assessment, CE marking, and retention.

CRA Manufacturer Obligations

What does CRA CE marking mean for the manufacturer?

CE marking is the manufacturer's visible declaration that the product satisfies the applicable Union harmonisation requirements requiring that marking and that the relevant conformity assessment procedure has been completed. Under the CRA, the manufacturer affixes the CE marking only after the applicable conformity assessment route has demonstrated conformity.

The CRA does not make CE marking a separate cybersecurity test result. It sits at the end of the manufacturer's evidence chain: risk assessment, Annex I implementation, vulnerability-handling procedures, technical documentation, conformity assessment, EU declaration of conformity, and continuing support-period controls.

Citations
Cyber Resilience Act

Article 13(12), Article 30, and Article 32 require conformity assessment and CE marking before market placement.

Blue Guide 2022

The CE-marking FAQ explains what CE marking indicates and that it follows the relevant conformity assessment procedure.

CRA Manufacturer Obligations

What user information and contact details must the manufacturer provide?

The manufacturer must ensure product identification is available through a type, batch, serial number, or other identifying element. It must also provide its name, trade name or trademark, postal address, and email address or other digital contact details, and where applicable a website.

Article 13 also requires a single point of contact so users can communicate directly and rapidly with the manufacturer, including for vulnerability reporting. The product must be accompanied by Annex II information and instructions in a language easily understood by users and market surveillance authorities, with enough clarity to allow secure installation, operation, and use.

Citations
Cyber Resilience Act

Article 13(15)-(18) and Annex II cover product identification, manufacturer contact details, vulnerability contact, and user instructions.

CRA Manufacturer Obligations

When must a manufacturer report vulnerabilities and incidents under the CRA?

Article 14 requires manufacturers to notify actively exploited vulnerabilities and severe incidents having an impact on the security of the product with digital elements. The CRA reporting clock starts when the manufacturer becomes aware.

The staged deadlines are an early warning within 24 hours and a fuller notification within 72 hours. The final report deadline differs: for an actively exploited vulnerability, it is no later than 14 days after a corrective or mitigating measure is available; for a severe incident, it is within one month after the incident notification. Article 14 also requires impacted users, and where appropriate all users, to be informed about the vulnerability or incident and risk-mitigation or corrective measures users can deploy.

Citations
Cyber Resilience Act

Article 14(1)-(4) sets notification duties and staged deadlines; Article 14(8) covers user information.

CRA Manufacturer Obligations

What happens if the manufacturer knows or has reason to believe the product is not in conformity?

From market placement and during the support period, the manufacturer must immediately take the corrective measures necessary to bring the product or the manufacturer's processes into conformity, or withdraw or recall the product as appropriate.

The evidence record should show the trigger, affected product versions or batches, risk assessment update, corrective or mitigating measure, user and authority communications, disposition decision, and verification that the product or process was brought back into conformity.

Citations
Cyber Resilience Act

Article 13(21) requires corrective measures, withdrawal, or recall when the manufacturer knows or has reason to believe the product is not in conformity.

CRA Manufacturer Obligations

What evidence should be ready for a market surveillance authority?

On reasoned request, the manufacturer must provide all information and documentation necessary to demonstrate conformity, in paper or electronic form and in a language easily understood by the market surveillance authority. It must also cooperate with measures taken to eliminate cybersecurity risks posed by the product.

A useful CRA manufacturer evidence pack includes the product scope and role analysis, cybersecurity risk assessment and updates, Annex I applicability and implementation matrix, component due-diligence records, vulnerability-handling policy and cases, support-period rationale, technical documentation, conformity-assessment outputs, EU declaration of conformity, CE-marking evidence, user instructions, support-period disclosure, update availability records, Article 14 reporting records, and corrective-action records.

Citations
Cyber Resilience Act

Article 13(7), Article 13(13), Article 13(22), and Annex VII support the evidence-control set for manufacturer conformity.

CRA Manufacturer Obligations

Can the manufacturer delegate Article 13 obligations to an authorised representative or subcontractor?

No, not for the core Article 13 duties. Article 18(2) says the obligations in Article 13(1) to (11), Article 13(12) first subparagraph, and Article 13(14) cannot form part of the authorised representative's mandate.

Authorised representatives, suppliers, hosted-service providers, subcontractors, distributors, and component maintainers can support the evidence chain, but the manufacturer still needs control over the product, documentation, conformity assessment, vulnerability handling, support-period decisions, and authority cooperation.

Citations
Cyber Resilience Act

Article 18(2) excludes core manufacturer duties from the authorised representative mandate.

Blue Guide 2022

Section 3.1 explains the manufacturer's continuing responsibility when work is subcontracted.

CRA Manufacturer Obligations

What should change-control teams treat as CRA manufacturer evidence controls?

Treat product changes, dependency changes, vulnerability findings, support-period changes, new market placements, conformity-assessment changes, and user-instruction changes as evidence events. Each event should update the relevant CRA record rather than remain only in engineering tickets.

The minimum useful record is the affected product and version, manufacturer role, Article 13 or Annex I control affected, risk-assessment impact, component impact, conformity-assessment impact, user-information impact, support-period impact, release or remediation decision, source evidence, approver, and retained artifact location.

Citations
Cyber Resilience Act

Article 13(2), Article 13(7), Article 13(14), Article 13(21), and Annex VII support lifecycle evidence updates.

CRA Market Surveillance and Enforcement

Who enforces the CRA on the market?

Member States do, through their designated market surveillance authorities.

The CRA requires each Member State to designate one or more market surveillance authorities, and it makes the general Union market-surveillance framework in Regulation (EU) 2019/1020 applicable to products within the CRA's scope.

Citations
Cyber Resilience Act

Article 52(1)-(2) applies Regulation (EU) 2019/1020 and requires Member States to designate CRA market-surveillance authorities.

CRA Market Surveillance and Enforcement

Does the CRA create a separate enforcement system from general EU market-surveillance law?

No.

The CRA uses the existing Union market-surveillance framework rather than creating a completely standalone enforcement system. Article 52(1) expressly makes Regulation (EU) 2019/1020 applicable to products with digital elements covered by the CRA.

Citations
Cyber Resilience Act

Article 52(1) makes the EU market-surveillance framework apply to CRA products with digital elements.

CRA Market Surveillance and Enforcement

Who is responsible for CRA market surveillance when the product is also a high-risk AI system?

For those products, the market-surveillance authorities designated under the AI Act are responsible for the CRA market-surveillance activities.

They still have to cooperate, as appropriate, with the market-surveillance authorities designated under the CRA and, for Article 14 reporting supervision, with the CSIRTs designated as coordinators and ENISA.

Citations
Cyber Resilience Act

Article 52(14) assigns CRA market surveillance for high-risk AI systems to the AI Act market-surveillance authorities, with cooperation duties.

CRA Market Surveillance and Enforcement

Are open-source software stewards also supervised through CRA market surveillance?

Yes.

The authorities designated under Article 52 are also responsible for market-surveillance activities relating to the obligations imposed on open-source software stewards under Article 24. If a steward is non-compliant, the authority must require appropriate corrective action.

Citations
Cyber Resilience Act

Articles 24 and 52(3) place open-source software steward obligations within the CRA market-surveillance remit.

CRA Market Surveillance and Enforcement

Do CRA market-surveillance authorities have to cooperate with other regulators?

Yes.

The CRA requires cooperation, where relevant, with national cybersecurity certification authorities, CSIRTs designated as coordinators, ENISA, market-surveillance authorities under other Union product laws, and authorities supervising Union data-protection law.

Citations
Cyber Resilience Act

Article 52(4)-(7) sets cooperation duties with certification, CSIRT, ENISA, product-law, and data-protection authorities.

CRA Market Surveillance and Enforcement

Can complaints, vulnerability reports, or other outside signals trigger enforcement attention?

Yes.

The CRA requires authorities to inform consumers where to submit complaints indicating possible non-compliance and where and how to access mechanisms for reporting vulnerabilities, incidents, and cyber threats affecting products with digital elements. Because the CRA applies the Union market-surveillance framework in Regulation (EU) 2019/1020, the Blue Guide also states that complaints must be followed up appropriately and that consumer complaints, media reports, incidents, and similar information can feed the authorities' risk-based choice of online and offline checks.

But a complaint or report does not by itself establish infringement. Any corrective or restrictive measure still has to rest on the legal findings required under the CRA procedures.

Citations
Cyber Resilience Act

Article 52(11) requires consumer complaint and vulnerability-reporting information; Articles 54, 57 and 58 govern resulting measures.

Blue Guide 2022

Sections 7.3.3 and 7.4.1 explain complaint follow-up and risk-based market-surveillance checks.

CRA Market Surveillance and Enforcement

Can CRA market-surveillance authorities provide guidance as well as enforce?

Yes.

The CRA expressly allows market-surveillance authorities to provide guidance and advice to economic operators on implementation, with support from the Commission and, where appropriate, CSIRTs and ENISA.

Citations
Cyber Resilience Act

Article 52(10) allows market-surveillance authorities to provide implementation guidance and advice to economic operators.

CRA Market Surveillance and Enforcement

What can trigger a formal CRA product evaluation by a national authority?

A national authority can open the Article 54 procedure where it has sufficient reason to consider that a product with digital elements, including its vulnerability handling, presents a significant cybersecurity risk.

The evaluation concerns compliance with all CRA requirements, not just one suspected defect.

Citations
Cyber Resilience Act

Article 54(1) sets the significant-cybersecurity-risk trigger for a national evaluation.

CRA Market Surveillance and Enforcement

Does "significant cybersecurity risk" include non-technical factors?

Yes.

When determining the significance of a cybersecurity risk, authorities must also consider non-technical risk factors, in particular those identified through Union-level coordinated security risk assessments of critical supply chains under NIS 2.

Citations
Cyber Resilience Act

Articles 54(2) and 56(2) require non-technical risk factors to be considered when assessing significant cybersecurity risk.

CRA Market Surveillance and Enforcement

What must economic operators do during a CRA investigation?

They must cooperate with the market-surveillance authority as necessary.

The CRA also allows authorities to request technical support from a CSIRT designated as coordinator or from ENISA when implementing or enforcing the Regulation and when evaluating compliance under Article 54.

Citations
Cyber Resilience Act

Articles 52(5) and 54(1) support technical assistance requests and require economic-operator cooperation.
