If a product is developed during the Transition Period but first placed on the market on or after 11 December 2027, does it have to comply with the CRA?
Yes.
The CRA turns on placement on the market of the individual product, not on the date the project started. The Commission FAQ makes this explicit by explaining that individual products first placed on the market on or after 11 December 2027 must comply, even if the product type or earlier units existed before then.
Can a manufacturer continue placing non-CRA-compliant products on the market during the Transition Period before 11 December 2027?
Yes, subject to any other applicable Union legislation.
The CRA's main product-compliance obligations do not apply until 11 December 2027. The transition problem is not whether the product must already bear CRA CE evidence before that date, but how the manufacturer prepares so that products first placed on the market on or after that date will comply.
During the Transition Period, can a manufacturer integrate components that do not yet bear CRA CE marking?
Yes.
The Commission FAQ says this directly. During the Transition Period, manufacturers may integrate third-party components that do not yet bear CRA CE marking, because those component manufacturers may not yet be under the CRA's full application date. The integrating manufacturer must still exercise due diligence through other means so the component does not compromise the cybersecurity of the finished product.
Does the Transition Period mean manufacturers can ignore due diligence on components until 11 December 2027?
No.
Article 13(5) is part of the manufacturer obligations that apply from 11 December 2027, but the Commission FAQ's transition guidance is clear about the practical point: manufacturers preparing products for post-application placement should expect to exercise due diligence even where CRA CE marking is not yet available on integrated components.
During the Transition Period, can a manufacturer integrate important or critical components that do not follow harmonised standards?
Yes.
The Commission FAQ says manufacturers are free to integrate components, including important or critical products with digital elements, even where those components were not designed in accordance with harmonised standards. Harmonised standards are a route to presumption of conformity, not a mandatory condition for integration.
That point matters during the transition because the absence of harmonised standards, or the fact that a component does not follow them, does not by itself block integration. The manufacturer still has to assess and manage the resulting risks.
What happens to existing EU type-examination certificates or approval decisions issued under other Union legislation for cybersecurity requirements?
Article 69(1) says those certificates and approval decisions remain valid until 11 June 2028, unless they expire earlier or the other Union legislation says otherwise.
The March 2026 draft guidance explains that this can include certificates or approval decisions issued under legislation such as the RED cybersecurity delegated act or the Machinery Regulation, but only for the cybersecurity risks actually covered by those instruments.
Does a valid pre-existing certificate under another EU law prove full CRA compliance until 11 June 2028?
No.
The March 2026 draft guidance says those certificates or approval decisions remain relevant only for the cybersecurity risks they actually cover. Manufacturers still have to assess and address any remaining CRA-relevant risks that fall outside the scope of the earlier certificate.
How does the CRA transition interact with the RED cybersecurity delegated regulation?
The Commission FAQ says the Commission aims to repeal Delegated Regulation (EU) 2022/30 with effect from 11 December 2027. That means the timing of placing on the market matters:
- products placed on the market between 1 August 2025 and 10 December 2027 can remain subject to the RED cybersecurity essential requirements made applicable by that delegated regulation
- products first placed on the market on 11 December 2027 or later are subject to the CRA instead
The FAQ also says repealing the RED delegated regulation from 11 December 2027 does not affect market-surveillance treatment of radio equipment that was placed on the market during the earlier RED window.
If a product was placed on the market before 11 December 2027, does the manufacturer have to retrofit it for full CRA compliance on that date?
No, unless the product is substantially modified from that date.
Article 69(2) preserves the pre-existing status of products already placed on the market, while Article 69(3) separately keeps Article 14 reporting obligations applicable.
Can pre-11 December 2027 products still be reported under the CRA even before the rest of the CRA applies?
Yes.
This is the specific consequence of the phased dates. Article 14 starts on 11 September 2026, and Article 69(3) extends it to in-scope products already placed on the market before 11 December 2027.
Article 69(3) extends Article 14 to in-scope products already placed on the market before 11 December 2027, and Article 71(2) sets the Article 14 start date.
Are distributors required to bring into compliance products that were already placed on the market before 11 December 2027?
No.
The Commission FAQ says distributors are not required to bring such products into CRA compliance merely because the general application date has passed. The key transition point is still whether the individual product was placed on the market before 11 December 2027. The main exception remains reporting under Article 14, and a separate trigger exists if someone substantially modifies the product after that date.
Does the Transition Period create a grace period for products first placed on the market after 11 December 2027?
No.
Once 11 December 2027 arrives, products first placed on the market on or after that date must comply with the CRA as applicable. The Transition Period helps manufacturers prepare, but it does not create an extra post-application grace period for newly placed products.
What is the practical CRA transition question for manufacturers developing now?
The practical transition question is not whether the CRA already applies to the product today, but when the individual product will first be placed on the market and what evidence will be needed by that date.
The CRA phased dates and the Commission FAQ together point to a simple planning structure:
- be ready for Article 14 reporting from 11 September 2026
- be ready for full CRA compliance for products first placed on the market from 11 December 2027
- treat existing third-party certificates only as partial evidence for the risks they actually cover, and only within their validity window
If units are only sitting in the manufacturer's or importer's stock on 11 December 2027, are they already grandfathered under the CRA transition?
No.
The Blue Guide says products in the stocks of the manufacturer or importer are not yet placed on the market if they have not yet been supplied for distribution, consumption, or use on the Union market. The Commission FAQ then applies that logic specifically to the CRA transition: only individual products actually placed on the market before 11 December 2027 avoid the CRA's full application, while later-placed units of the same type must comply.
So manufacturing a unit before 11 December 2027 is not enough by itself. If that unit is first placed on the market on or after 11 December 2027, it must comply with the CRA as applicable.
Section 2.3 explains that products in manufacturer or importer stock are not placed on the market until supplied for distribution, consumption, or use.
If goods are still in transit, in a free zone, or in customs warehousing on 11 December 2027, are they treated as already placed on the market?
No.
The Blue Guide says products introduced from a third country but still in transit, in free zones, in warehouses, in temporary storage, or under other special customs procedures are not yet placed on the Union market. The CRA transition therefore does not turn on the shipment date or on the fact that the goods have already entered the customs territory. The relevant question is when they are first made available on the Union market.
If those goods are only released for free circulation and first supplied on the Union market on or after 11 December 2027, the CRA timing is assessed at that later moment.
For standalone software supplied digitally, is the relevant transition date the first EU offering or each later download?
For standalone software supplied digitally, the relevant date is the first offering for distribution or use on the EU market.
The draft Commission guidance says a standalone software version is placed on the market when its manufacturing phase is complete and that version is first supplied for distribution or use on the EU market in the course of a commercial activity. Later downloads or remote access to the same version are instances of making that software available, not new placements on the market. The same is true for later iterations that do not qualify as substantial modifications.
That means a standalone software version first offered before 11 December 2027 is not newly placed on the market again merely because users download that unchanged or non-substantially modified version after that date. But if a later iteration is a substantial modification, that later version is treated as newly placed on the market and must comply accordingly.
Does signing a contract before 11 December 2027 let a product be placed later without CRA compliance?
No.
The CRA transition does not grandfather products merely because the commercial contract, procurement cycle, or development project started before 11 December 2027. The legal trigger remains when the individual product is first placed on the market. The draft Commission guidance expressly notes that some complex systems may involve contracts signed before the CRA applies, but the manufacturer must still ensure before placement on the market that the conformity assessment has been carried out, the EU declaration of conformity has been drawn up, and the CE marking affixed.
The same draft guidance also explains that long design cycles and existing technical constraints do not remove complex systems from the CRA. Instead, those constraints belong in the cybersecurity risk assessment and technical documentation, with alternative or compensatory mitigations where a specific requirement cannot be fulfilled through state-of-the-art measures.
Can products already lawfully placed on the market before 11 December 2027 continue to be sold or put into service after that date?
Yes, unless they are substantially modified from that date.
Article 69(2) preserves the status of products already placed on the market before 11 December 2027. The March 2026 draft guidance states that products placed on the market before that date remain subject to the Union legislation applicable at the time of their placing on the market and, if they were compliant then, they can continue to be sold and put into operation unless they are substantially modified on or after 11 December 2027.
The main CRA transition exception is Article 14 reporting, which still applies to in-scope products already placed on the market before 11 December 2027.
Footnote 25 to point 223 states that compliant products placed before 11 December 2027 can be sold and put into operation unless substantially modified.
Must each CRA security update remain available after it is issued?
Yes.
The CRA requires each security update that was made available during the support period to remain available after issuance for at least 10 years or for the remainder of the support period, whichever is longer.
Is CRA update availability the same thing as the support period?
No.
The support period is the period during which the manufacturer must handle vulnerabilities effectively. Update availability is a separate rule that keeps already-issued security updates accessible for a minimum period after issuance.