Search every question across CRA sub-FAQs

For software products, the CE marking must be affixed either to the EU declaration of conformity or on the website accompanying the software product.

If the website option is used, the relevant section must be easily and directly accessible to consumers.

It must be visible, legible and indelible.

The height may be below 5 mm only where the nature of the product justifies that and the mark still remains visible and legible. The CRA FAQ adds that reduced size cannot be justified by aesthetics alone and that the mark should not be placed where it is not easily visible in the product's intended use.

Not as a purely electronic-only substitute.

The Blue Guide says electronic labelling only is not allowed. At the same time, it notes that some on-product technological solutions, such as certain LCD displays, can be acceptable where they still satisfy the visibility, legibility and indelibility requirements. For software, the CRA separately allows the CE marking on the accompanying website or EU declaration of conformity.

Yes, but only within limits.

Under the CRA, the CE marking may be followed by a pictogram or other mark indicating a special cybersecurity risk or use if such markings are set out in implementing acts. More generally, the Blue Guide allows additional markings only where they serve a different function, do not create confusion with the CE marking, and do not reduce its visibility or legibility.

Under the CRA, only where the conformity assessment procedure is based on full quality assurance under module H.

That is different from module B+C. Under module B+C, the manufacturer affixes the CE marking after obtaining the EU-type certificate, but Article 30(4) does not require the notified body's identification number to follow the CE marking for that route.

Yes.

The Blue Guide explains that the CE marking and, where relevant, the notified body's identification number do not need to be affixed within the Union. They may also be affixed in a third country, for example where the product is manufactured there.

No.

The CRA recital on open-source software stewards says they should not be permitted to affix the CE marking to the products with digital elements whose development they support, because that light-touch steward regime does not make them subject to the same obligations as manufacturers.

No.

The Blue Guide says CE-marked components or parts do not automatically guarantee that the finished product complies. The manufacturer of the finished product must still verify the finished product as such. The CRA FAQ makes the same practical point from the component-due-diligence angle: CE-marked components can support the manufacturer's compliance work, but the CRA does not require manufacturers to integrate only CE-marked components.

The same CE marking indicates that the product also meets those other applicable Union harmonisation acts.

That is also why the CRA requires a single EU declaration of conformity when multiple applicable Union acts apply to the same product.

Importers must ensure before placing the product on the market that the product bears the CE marking and is accompanied by the EU declaration of conformity and the required user information. Distributors must verify before making the product available that the product bears the CE marking and that the specified manufacturer and importer obligations have been met.

So CE marking is not only a manufacturer-side issue. Other economic operators are expected to check for it as part of their own CRA duties.

Yes, if it is not yet being made available on the market.

The CRA allows the presentation or use of a non-compliant product, including a prototype, at trade fairs, exhibitions, demonstrations or similar events, provided that it carries a visible sign clearly stating that it does not comply and will not be made available on the market until it does.

Yes, but only within the CRA's specific testing exception.

Article 4(3) allows unfinished software to be made available for a limited period required for testing purposes if it carries a visible sign stating that it does not comply with the CRA and is not available for purposes other than testing. Recital 37 and the Commission FAQ explain that this covers alpha, beta and release candidate software, that manufacturers should perform a risk assessment and comply to the extent possible with the relevant security and vulnerability-handling requirements, and that they should not force users to upgrade to testing versions. Article 4(4) excludes certain safety components from this exception.

No.

CE marking comes after conformity assessment, but the manufacturer still has continuing obligations under the CRA, including vulnerability handling, support-period duties, corrective actions, and keeping the technical documentation and declaration of conformity available for the required period.

Missing or improper CE marking is treated as formal non-compliance under the CRA.

Market surveillance authorities must require the relevant manufacturer to end the non-compliance. If the problem persists, Member States must take appropriate measures to restrict or prohibit the product from being made available on the market or to ensure recall or withdrawal. In addition, non-compliance with Article 30(1) to (4) can trigger administrative fines under Article 64(3).

The manufacturer must exercise due diligence so that third-party components do not compromise the cybersecurity of the finished product.

This obligation sits inside Article 13 and supports the manufacturer's broader duty to ensure that the product is designed, developed and produced in accordance with the CRA's essential cybersecurity requirements.

No.

The CRA expressly says the obligation also covers free and open-source software components that were not made available on the market in the course of a commercial activity. The Commission's FAQ also confirms that manufacturers may integrate components that are outside the CRA, pre-date CRA application, or have not been placed on the market, but they still have to ensure those components do not compromise the finished product.

No.

The CRA materials make this a risk-based obligation. The appropriate level of due diligence depends on the nature and level of cybersecurity risk associated with the component, and the product's cybersecurity risk assessment also informs how much checking is appropriate.

The CRA materials give a non-exhaustive set of examples. Depending on the component and the level of risk, due diligence can include:

- checking whether the component already bears the CE marking

- checking whether the component manufacturer has demonstrated conformity with the CRA

- verifying that the component receives regular security updates, for example by checking its update history

- checking the European vulnerability database or other publicly accessible vulnerability databases for applicable vulnerabilities

- carrying out additional security testing

- performing software composition analysis

- reviewing the component's SBOM when available

- checking the component's support period

- verifying that the component's intended purpose fits the integrating manufacturer's use

- assessing the security posture of the component manufacturer

The Commission's FAQ gives examples such as fuzz testing, penetration testing, firmware analysis, side-channel analysis, red-team exercises, network traffic analysis, and sensor spoofing.

Those are examples, not a mandatory checklist. The right testing depth still depends on the component's role and risk.

No.

The CRA does not require manufacturers to integrate only CE-marked components. Components that were not placed on the market, were placed on the market before the CRA applies, or fall outside the CRA can still be integrated, provided the integrating manufacturer exercises due diligence so they do not compromise the finished product.