Search every question across CRA sub-FAQs

It means the manufacturer has to assess the product as a whole, including RDPS when it is in scope.

The Commission FAQ says the cybersecurity risk assessment needs to cover the entire product with digital elements, including remote data processing where relevant and any supporting functions that may form part of the product. The draft guidance adds that the conformity assessment should focus on the parts of the system where the relevant product data is stored or processed, not the whole surrounding environment.

The draft guidance says the technical documentation should indicate whether the product has RDPS or relies on third-party cloud solutions, and should describe them.

If the same RDPS supports several products, it still needs to be declared in each product's documentation, even though the underlying documentation may be reused.

The draft guidance says that, as relevant, the manufacturer may re-use certain evidence in support of its conformity assessment and/or due diligence for third-party cloud services.

The listed examples are:

- CE marking of components, if those components are still within their support period

- evidence of fulfilment of obligations under Commission Implementing Regulation (EU) 2024/2690

- evidence of fulfilment of obligations under DORA

- statements of conformity or certificates under a European cybersecurity certification scheme

- evidence of conformity with ISO/IEC 27017:2015 or ISO/IEC 27001:2022

They also matter later.

The draft guidance says RDPS must be taken into account not only for the initial conformity analysis but also for lifecycle obligations, including reporting of actively exploited vulnerabilities and severe incidents under Article 14.

No, not just because the product relies on connectivity.

The draft guidance's cellular-network example says a network is only a communication channel in that scenario, not remote data processing whose absence would prevent the product from performing its function in the Article 3(2) sense. It also says such a network should not be treated like a third-party component where no provider software is integrated into the product.

Yes, as one support tool.

The draft guidance says the manufacturer should combine product-level security controls with verification of the provider's own security measures. It adds that security guarantees in SLAs can help, including assurances about vulnerability handling, and says manufacturers are encouraged to ensure third-party providers keep them adequately informed about changes to their solutions.

Not automatically.

The draft guidance says major changes in third-party cloud solutions should not by themselves qualify as substantial modification of the product where those solutions are not under the manufacturer's responsibility. The manufacturer still needs to manage the resulting risks through risk assessment and due diligence.

No.

The CRA says those operations do not necessarily lead to a substantial modification. The real question is whether the change affects compliance with the essential cybersecurity requirements or changes the intended purpose for which the product was assessed. Recital 42 also makes clear that a manufacturer-led "upgrade" can still become substantial if it changes the product's design and development in a way that affects intended purpose or compliance.

Case by case.

The draft guidance says refurbishment, maintenance, or repair that physically changes a product does not automatically become a substantial modification. The assessment should ask whether the physical change affects compliance with Annex I Part I or changes the intended purpose covered by the cybersecurity risk assessment.

No.

The draft guidance says replacing defective or worn parts with parts that perform better does not in itself trigger substantial modification. It only does so if the change affects compliance with the essential requirements or changes the intended purpose in a way not covered by the original risk assessment.

Yes.

Article 2(6) excludes spare parts made available to replace identical components, where they are manufactured according to the same specifications as the components they replace.

Yes.

Recital 29 and the draft guidance both say the exemption covers spare parts for legacy products placed on the market before the CRA applies, as well as spare parts for products that have already gone through CRA conformity assessment.

Then the spare part is itself subject to the CRA as a product in its own right.

The draft guidance says compliance must then be assessed in light of that spare part's intended purpose, including its role in ensuring compatibility or interoperability with the existing product.

No.

The draft guidance says the repair does not in itself amount to a substantial modification, provided the repaired product's intended purpose and cybersecurity risk profile remain unchanged.

The manufacturer must reflect those constraints in the cybersecurity risk assessment and implement appropriate alternative or compensatory risk-mitigation measures.

The draft guidance also says the technical documentation and user information should transparently describe the constraints, the associated risks, and the measures taken.

Yes, often.

The CRA says security updates that are designed to reduce cybersecurity risk and that do not modify the intended purpose are generally not substantial modifications. The Commission FAQ gives the example of a bug-fix update for a pre-CRA smart TV that does not bring the product into CRA compliance because it does not substantially modify it.

When it changes the intended purpose or introduces new or increased cybersecurity risks not covered by the original risk assessment.

The CRA recital and the draft guidance both make clear that the label "security update" is not decisive by itself. A software change can still qualify as substantial modification if it materially changes the product's trust model, dependencies, data flows, or risk profile.

The modified product is treated as a new product for CRA purposes.

That means the act of making the substantially modified product available on the market becomes a new placing on the market. The person carrying out the substantial modification may become the manufacturer under Article 21 or Article 22. Under Article 22(2), the CRA obligations apply to the affected part of the product, or to the whole product if the modification impacts the cybersecurity of the product as a whole.

No.

The draft guidance says existing documentation and tests may be reused for aspects not impacted by the substantial modification. The conformity assessment should focus on the substantially modified parts.

For those products, the CRA generally applies only if, from 11 December 2027 onward, they are substantially modified.

The Commission FAQ says a non-substantial bug-fix update on a legacy product does not trigger CRA compliance for that product. But Article 14 reporting obligations apply more broadly even to products placed on the market before 11 December 2027.