FAQ item index

Search every question across CRA sub-FAQs

Indexed coverage: 1072 of 1072 items
Across 40 modules • Updated Mar 10, 2026
Author: Sorena AI
Published: Mar 10, 2026
Updated: Mar 10, 2026

CRA Repairs and Spare Parts

Are distributors required to bring old products into CRA compliance just because they continue to sell or repair them after 11 December 2027?

No, not unless they carry out a substantial modification.

The Commission FAQ says distributors are not required to bring products placed on the market before 11 December 2027 into CRA compliance merely because they continue making them available after that date. That changes only if they themselves carry out a substantial modification.

CRA Repairs and Spare Parts

Does CRA Article 2(6) exempt only the spare part itself, or does it automatically settle the repair analysis too?

It exempts the spare part itself.

Whether the repair amounts to a substantial modification is a separate question. The draft guidance's spare-part examples show that an identical-specification replacement usually does not amount to a substantial modification, but that conclusion still rests on the repair analysis rather than on Article 2(6) alone.

CRA Repairs and Spare Parts

Is it enough that a replacement part performs the same function, uses the same protocols, or uses the same security mechanisms?

No.

For the Article 2(6) exemption, the part must replace an identical component and be manufactured according to the same specifications. The draft guidance's Example 34 shows the opposite case: a replacement module may preserve the same function, communication protocols, and security mechanisms, yet still fall outside the exemption if it is based on a different chipset or updated firmware.

CRA Repairs and Spare Parts

If a product is temporarily exported outside the Union for repair and then returned, does that alone trigger a new conformity assessment?

No.

The Blue Guide says repaired products that are not considered new products do not need to undergo conformity assessment again, whether the original product was placed on the market before or after the legislation entered into force. It says that remains true even if the product was temporarily exported to a third country for the repair operation. Under the CRA, the key issue remains whether the repair is substantial.

CRA Repairs and Spare Parts

If compatibility constraints justify a less-than-ideal replacement design, can the manufacturer just leave those CRA repair constraints in place for the rest of the support period?

Not automatically.

The draft guidance says the manufacturer must document the constraints, assess the associated risks, and implement compensatory measures. It also says such constraints should be periodically reassessed during the support period, and where they can be reduced or lifted over time, the product should be updated so it can move towards state-of-the-art cybersecurity.

CRA Reporting Obligations

What does the CRA require manufacturers to report, and from when?

From 11 September 2026, Article 14 requires manufacturers to notify two things:

- any actively exploited vulnerability contained in the product with digital elements

- any severe incident having an impact on the security of the product with digital elements

Those notifications must be made simultaneously to the relevant CSIRT designated as coordinator and to ENISA via the single reporting platform.

CRA Reporting Obligations

What is an "actively exploited vulnerability" for CRA reporting purposes?

Article 3(42) defines it as a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner.

That means the reporting trigger is not just that a flaw exists. The Commission FAQ says a vulnerability found in good-faith testing, a lab, or a bug-bounty context is not subject to mandatory notification unless there is reliable evidence of malicious exploitation.

CRA Reporting Obligations

What is a severe incident under the CRA?

Article 14(5) says an incident is severe where either:

- it negatively affects, or is capable of negatively affecting, the product's ability to protect the availability, authenticity, integrity, or confidentiality of sensitive or important data or functions

- it has led, or is capable of leading, to the introduction or execution of malicious code in the product or in the user's network and information systems

Recital 68 adds that this can include incidents affecting the manufacturer's development, production, or maintenance processes in a way that increases risk for users.

CRA Reporting Obligations

What are the reporting deadlines for actively exploited vulnerabilities?

For an actively exploited vulnerability, the manufacturer must submit:

- an early warning without undue delay and in any event within 24 hours of becoming aware

- a vulnerability notification without undue delay and in any event within 72 hours of becoming aware

- a final report no later than 14 days after a corrective or mitigating measure is available

CRA Reporting Obligations

What are the reporting deadlines for severe incidents?

For a severe incident, the manufacturer must submit:

- an early warning without undue delay and in any event within 24 hours of becoming aware

- an incident notification without undue delay and in any event within 72 hours of becoming aware

- a final report within one month after submission of the incident notification

CRA Reporting Obligations

What information has to be included in CRA reporting notifications and reports?

The CRA stages the information.

For an actively exploited vulnerability:

- the early warning identifies the vulnerability and, where applicable, the Member States where the product is known to have been made available

- the 72-hour notification adds general information about the product, the exploit and vulnerability, corrective or mitigating measures already taken, measures users can take, and, where applicable, the sensitivity of the information

- the final report adds the vulnerability description, severity and impact, information about the malicious actor where available, and details of the security update or other corrective measures

For a severe incident:

- the early warning includes at least whether the incident is suspected of being caused by unlawful or malicious acts and, where applicable, the relevant Member States

- the 72-hour notification adds general information about the nature of the incident, an initial assessment, corrective or mitigating measures already taken, measures users can take, and, where applicable, the sensitivity of the information

- the final report adds the detailed description, severity and impact, the likely threat type or root cause, and the applied and ongoing mitigation measures

CRA Reporting Obligations

When does the CRA reporting clock start?

It starts when the manufacturer becomes aware of the actively exploited vulnerability or severe incident.

The March 2026 draft guidance says a manufacturer is to be regarded as aware when, after an initial assessment, it has a reasonable degree of certainty that a vulnerability is being actively exploited or that a severe incident has occurred and has compromised the security of the product.

CRA Reporting Obligations

Does the CRA require specific monitoring channels in order to become aware?

No.

The Commission FAQ says the CRA does not prescribe how a manufacturer must become aware. It gives examples such as customer reports, partner reports, threat intelligence, researchers, telemetry, honeypots, and internal monitoring, but it also says those examples do not create a legal duty to use all of them.

CRA Reporting Obligations

Do zero-day vulnerabilities always have to be reported?

No.

They are subject to mandatory reporting only when the manufacturer has reliable evidence that a malicious actor has exploited them. If a zero-day is discovered without evidence of malicious exploitation, the manufacturer can still report it voluntarily under Article 15.

CRA Reporting Obligations

If an actively exploited vulnerability is in an integrated third-party component, does the finished-product manufacturer have to notify it?

Yes, if that vulnerability is actively exploited in the finished product.

The Commission FAQ says the finished-product manufacturer must notify any actively exploited vulnerability contained in its product, even if the weakness originates in an integrated component. If the component manufacturer also placed that component on the market, it may have its own notification obligation as well.

CRA Reporting Obligations

What if the component vulnerability exists, but cannot be exploited in the finished product?

Then it is not an actively exploited vulnerability for that finished product, so Article 14 mandatory reporting is not triggered on that basis.

The Commission FAQ says voluntary reporting under Article 15 may still be appropriate, and Article 13(6) still requires reporting upstream to the person or entity manufacturing or maintaining the component.

CRA Reporting Obligations

Where does the manufacturer file the CRA notification?

The notification is submitted via the single reporting platform using the electronic notification end-point of the relevant CSIRT designated as coordinator. It is simultaneously accessible to ENISA.

CRA Reporting Obligations

Which Member State's CSIRT is the right one for reporting?

If the manufacturer has a main establishment in the Union, the report goes to the CSIRT of that Member State.

For CRA reporting, the main establishment is the Member State where decisions related to the cybersecurity of the manufacturer's products are predominantly taken. If that cannot be determined, it is the Member State with the establishment having the highest number of employees in the Union.

CRA Reporting Obligations

What if the manufacturer has no main establishment in the Union?

Article 14(7) provides a fallback order.

The manufacturer reports to the CSIRT of the Member State determined, in order, by:

- the authorised representative acting for the highest number of the manufacturer's products

- the importer placing on the market the highest number of those products

- the distributor making available the highest number of those products

- the Member State where the highest number of users are located

If the last fallback is used, the manufacturer may keep reporting later events to that same CSIRT.

CRA Reporting Obligations

Can the CSIRT ask for more information after the initial CRA reports?

Yes.

Article 14(6) says the CSIRT initially receiving the notification may request an intermediate report on relevant status updates.
