If a manufacturer designed a product type before the CRA applies, can it keep placing newly manufactured units of that type on the market after 11 December 2027?
No, not unless those newly placed units comply with the CRA.
The Commission FAQ stresses that Union harmonisation legislation, including the CRA, applies to individual products, not to abstract product types or models. So a product is not grandfathered just because an earlier unit of the same type was placed on the market before 11 December 2027.
What happens if a pre-11 December 2027 product is substantially modified after that date?
Then the CRA starts to apply to that product.
Article 69(2) makes substantial modification the trigger. The CRA definition in Article 3(30) covers changes made after placing on the market that affect compliance with the essential cybersecurity requirements in Annex I Part I or change the intended purpose for which the product was assessed.
If a legacy product receives a bug-fix or security update after 11 December 2027, does that automatically bring the product into the CRA?
No.
The Commission FAQ gives a direct example: a smart TV placed on the market before 11 December 2027 does not become subject to full CRA requirements merely because it receives a later bug-fix update. Recital 39 of the CRA also says that a security update designed to decrease cybersecurity risk, without modifying intended purpose, is not considered a substantial modification.
What is an example of a post-2027 change that would bring a legacy product into the CRA?
The Commission FAQ gives an example where a smart TV placed on the market before 11 December 2027 later receives an update enabling smart-home control. The FAQ treats that as a substantial modification.
That result is consistent with recital 39, which says feature updates that modify original intended functions or the type or performance of the product and increase cybersecurity risk should be treated as substantial modifications.
Do maintenance, repair, or refurbishment of legacy products automatically count as substantial modifications under the CRA?
No.
Recital 42 says refurbishment, maintenance, and repair do not necessarily lead to a substantial modification. That will depend on whether the intended purpose and functionalities change and whether the level of risk remains unaffected.
If a legacy product becomes substantially modified, who is treated as the manufacturer of the modified product?
The person who carries out the substantial modification and makes the product available on the market is treated as the manufacturer for CRA purposes.
That can be the original manufacturer, but it can also be an importer, distributor, or another natural or legal person. Article 21 covers importers and distributors, and Article 22 covers other persons that substantially modify products and make them available on the market.
If a legacy product is substantially modified, does the CRA apply only to the changed feature or to the product more broadly?
That depends on the impact of the modification.
Article 22(2) says the person carrying out the substantial modification is subject to Articles 13 and 14 for the part of the product affected by the substantial modification or, if the substantial modification has an impact on the cybersecurity of the product as a whole, for the entire product.
If a distributor is selling pre-11 December 2027 stock after the CRA applies, does the distributor have to bring that stock into compliance?
No, not on that basis alone.
The Commission FAQ says distributors are not required to bring into compliance products that were already placed on the market before 11 December 2027, unless they themselves carry out a substantial modification.
Do identical spare parts for legacy products fall outside the CRA?
Often yes.
Article 2(6) excludes spare parts made available on the market to replace identical components in products with digital elements where the spare parts are manufactured according to the same specifications as the components they are intended to replace. Recital 29 adds that this exemption is meant to cover spare parts used to repair legacy products made available before the CRA's date of application.
If the replacement part is not identical, is it automatically a substantial modification of the old product?
Not automatically.
Inference from the CRA text: Article 2(6) only answers whether the identical spare-parts exemption applies. Whether installing a non-identical replacement part becomes a substantial modification is a separate question that still turns on Article 3(30), meaning whether the change affects Annex I Part I compliance or changes the intended purpose for which the product was assessed.
For CRA legacy products placed on the market before 11 December 2027, when do the reporting obligations start in practice?
They start on 11 September 2026.
That is the date Article 14 begins to apply under Article 71(2). The Commission FAQ confirms that, from that date, Article 14 applies even to in-scope products that had been placed on the market before 11 December 2027.
For those legacy products, do the early reporting rules mean the manufacturer must also bring the whole product into full CRA conformity?
No.
The Commission FAQ says that, for products placed on the market before 11 December 2027, manufacturers are required to comply with the Article 14 reporting obligations, but those products are not otherwise brought into the full CRA regime unless they are substantially modified. Article 69(3) is a derogation specifically for Article 14.
If units were already manufactured before 11 December 2027 but were not first placed on the market until after that date, are they legacy products?
No.
The Commission FAQ says Union harmonisation legislation, including the CRA, applies to individual products, not abstract product types. It also says only individual products that have been placed on the market before 11 December 2027 escape the full CRA regime. So manufacturing, warehousing, or holding stock before that date is not enough by itself if the unit is first placed on the market on or after 11 December 2027.
If a legacy-era product was designed before the CRA applies but is first placed on the market after 11 December 2027, does the manufacturer have to recreate historical design and test files?
No, not necessarily.
The draft guidance says a product designed before the CRA's date of application can still be placed on the market after the CRA starts applying, provided the manufacturer can demonstrate current compliance through the cybersecurity risk assessment and technical documentation. Where it is not possible to show how the original design phase took the risk assessment into account, the manufacturer may document a current risk assessment and explain how the existing design mitigates the identified risks. The guidance expressly says the manufacturer is not required to recreate historical design or test documentation just for that purpose.
For legacy products covered only by the Article 14 derogation, when does the reporting obligation arise in time?
It applies from 11 September 2026 and, according to the Commission FAQ, upon becoming aware following that date.
Article 71(2) brings Article 14 into application on 11 September 2026. The Commission FAQ then says that, for pre-11 December 2027 products, the obligation to notify applies upon becoming aware following the entry into application of the reporting requirements.
If a legacy product is old enough that the manufacturer can no longer realistically investigate or patch it, what still has to be done under the CRA?
The Commission FAQ still expects notification under Article 14 and user information where applicable, but not the full vulnerability-handling regime solely because of Article 69(3).
The FAQ gives examples such as missing tooling, unavailable build environments, incompatible dependencies, or departed staff. In that situation, for products placed on the market before 11 December 2027, the manufacturer is still required to notify the vulnerability or incident and Article 14(8) may still require informing impacted users. But the FAQ also says those products are not required, on that basis alone, to comply with other CRA obligations such as vulnerability handling.
If legacy hardware remains outside full CRA application, can its firmware or software still fall under the CRA when placed on the market separately?
Yes.
The Commission FAQ's legacy-product example includes an explicit note that firmware referred to in those examples may still fall in scope when placed on the market separately. That reflects the CRA's product-by-product approach: a legacy hardware unit can stay outside the full CRA regime unless substantially modified, while separately marketed software or firmware may still be assessed on its own placement on the market.
Under the CRA, the manufacturer is the natural or legal person who develops or manufactures a product with digital elements, or has it designed, developed, or manufactured, and markets it under its own name or trademark, whether for payment, monetisation, or free of charge.
What are the manufacturer's core duties under the CRA?
The manufacturer has two central duties.
First, when placing a product with digital elements on the market, it must ensure that the product has been designed, developed, and produced in accordance with the essential cybersecurity requirements in Annex I Part I. Second, when placing the product on the market and for the support period, it must ensure that vulnerabilities of the product, including its components, are handled effectively in accordance with Annex I Part II.
Do the manufacturer's CRA duties stop once the product is launched?
No.
Article 13 requires the manufacturer to take the cybersecurity risk assessment into account during planning, design, development, production, delivery, and maintenance. The CRA therefore covers both pre-market design and post-market vulnerability handling.