Must the manufacturer carry out a cybersecurity risk assessment?
Yes.
The manufacturer must undertake a cybersecurity risk assessment for the product and use it to minimise cybersecurity risks, prevent incidents, and minimise their impact, including in relation to users' health and safety.
Does the CRA prescribe one mandatory risk-assessment methodology?
No.
The CRA does not mandate a single methodology. The manufacturer may choose its approach, but it still has to identify the relevant risks, document how those risks were treated, and be able to demonstrate compliance to market surveillance authorities.
What must the manufacturer's risk assessment cover?
At minimum, it must analyse cybersecurity risks based on the intended purpose, reasonably foreseeable use, the conditions of use such as the operational environment or assets to be protected, and the length of time the product is expected to be in use.
It must also indicate whether and how Annex I Part I point (2) applies, how those requirements are implemented, and how the manufacturer applies Annex I Part I point (1) and Annex I Part II. The Commission FAQ also states that the risk assessment needs to cover the entire product with digital elements, including remote data processing when in scope and supporting functions that form part of the product.
Does the manufacturer need to update the risk assessment after launch?
Yes.
The CRA says the risk assessment must be documented and updated as appropriate during the support period. The manufacturer must also systematically document relevant cybersecurity aspects, including vulnerabilities it becomes aware of and relevant information provided by third parties, and update the risk assessment where applicable.
Must the manufacturer implement every essential cybersecurity requirement in Annex I Part I in the same way for every product?
No.
The manufacturer must determine, on the basis of the cybersecurity risk assessment, which Annex I Part I requirements are relevant to the product. Where certain essential cybersecurity requirements are not applicable, the manufacturer must include a clear justification in the technical documentation. By contrast, the vulnerability-handling requirements in Annex I Part II apply throughout the support period.
If interoperability needs or other constraints make an Annex I Part I requirement not fully applicable, can the manufacturer just ignore it?
No.
Article 13(4) allows justified non-applicability, but recital 55 and the Commission FAQ make clear that the manufacturer still has to assess the resulting risks and address them by other means where needed, for example through limits on intended use or user information.
Does the manufacturer have to exercise due diligence on third-party components?
Yes.
The manufacturer must exercise due diligence when integrating third-party components so those components do not compromise the cybersecurity of the product. This expressly includes free and open-source software components that were not made available on the market in the course of a commercial activity.
Does due diligence mean the manufacturer can only use CE-marked components?
No.
The Commission FAQ says manufacturers can integrate components that do not bear the CE marking, but they still have to exercise due diligence to ensure those components do not compromise the cybersecurity of the finished product.
What must the manufacturer do if it finds a vulnerability in an integrated component?
The manufacturer must report the vulnerability to the person or entity manufacturing or maintaining that component and must address and remediate the vulnerability in accordance with Annex I Part II. If the manufacturer developed a software or hardware modification to address the vulnerability, it must share the relevant code or documentation with the component manufacturer or maintainer where appropriate.
How does the manufacturer determine the support period?
The support period must reflect the length of time during which the product is expected to be in use.
Article 13(8) says the manufacturer must take into account, in particular, reasonable user expectations, the nature of the product including its intended purpose, and relevant Union law determining product lifetime. It may also take into account the support periods of similar products, the availability of the operating environment, the support periods of core third-party components, and relevant ADCO or Commission guidance.
Article 13(8) says the support period must be at least five years, unless the product is expected to be in use for less than five years, in which case the support period corresponds to that expected use time. Where the product is reasonably expected to be in use for longer than five years, the support period should be longer.
What does the manufacturer have to do during the CRA support period?
It must ensure effective vulnerability handling for the product, including its components, in line with Annex I Part II.
That includes addressing and remediating vulnerabilities without delay in relation to the risks posed, applying regular tests and reviews, maintaining coordinated vulnerability disclosure arrangements, facilitating vulnerability reporting, and securely distributing updates.
Must the manufacturer patch every vulnerability it discovers?
No.
The Commission FAQ says the CRA does not require a dedicated patch for every vulnerability. The manufacturer must assess the relevance and risk of the vulnerability and ensure that an appropriate remedy is put in place without delay. Depending on the risk, that remedy might be a patch, a mitigation, updated instructions, or another corrective measure.
Is the manufacturer responsible if users do not install security updates?
No, not for a user's failure to install them.
The Commission FAQ says the manufacturer's duty is to make security updates available and to provide the mechanisms required by the CRA, including automatic installation where applicable, user notification, and secure distribution. But the CRA does not make the manufacturer responsible where a user does not install available updates, for example after opting out.
Must the manufacturer keep security updates available after release?
Yes.
Each security update made available during the support period must remain available for at least 10 years after issuance or for the remainder of the support period, whichever is longer.
Can the manufacturer support only the latest substantially modified software version?
In some cases, yes.
Where the manufacturer has placed subsequent substantially modified versions of a software product on the market, it may ensure compliance with Annex I Part II point (2) only for the latest version it placed on the market, provided that users of earlier versions have access to that latest version free of charge and without additional hardware or software adjustment costs.
Can the manufacturer keep a public CRA software archive of old versions?
Yes.
The CRA allows public software archives that improve access to historical versions. If the manufacturer does this, users must be clearly informed in an easily accessible manner about the risks associated with using unsupported software.
What must the manufacturer do before placing the product on the market?
Before placing the product on the market, the manufacturer must draw up the technical documentation, carry out the applicable conformity assessment procedure or have it carried out, draw up the EU declaration of conformity once conformity is demonstrated, and affix the CE marking.
Does the manufacturer have to keep series production in conformity?
Yes.
The manufacturer must ensure that procedures are in place so products that are part of a series of production remain in conformity. It must adequately take into account changes in development, production, design, product characteristics, and relevant harmonised standards, certification schemes, or common specifications.