Does the support period of integrated components matter under the Cyber Resilience Act?
Yes. The support period of third-party integrated components that provide core functions is one factor a manufacturer may take into account when determining the support period for its own product.
The support-period evidence should therefore identify core-function dependencies, their support status, and what the manufacturer will do if a supported product depends on an integrated component whose own support ends. The Commission FAQ explains that if a product with an active support period contains a vulnerability in an unsupported component, the manufacturer may need to switch out the component, develop a patch autonomously, or use another adequate mitigation.
Article 13(8) allows manufacturers to consider support periods of third-party integrated components providing core functions when setting the product support period.
Does CRA component due diligence require proving that every component is vulnerability-free?
No. The CRA requires a risk-based due-diligence process that prevents integrated components from compromising the finished product. It does not create a requirement to prove that every component has no vulnerabilities in every possible context.
A defensible record should instead show the component's role, known vulnerabilities checked, risk relevance to the product, mitigations applied, remaining risk accepted, and the process for monitoring new vulnerabilities during the support period.
What decides which CRA conformity assessment route a manufacturer has to use?
The starting point is the product's classification under the CRA.
Manufacturers first need to determine whether the product is in the default category, an important product of class I, an important product of class II, or a critical product. That depends on the product's core functionality, not simply on the fact that it includes components that are themselves important or critical products.
Which CRA conformity assessment route applies to products in the default category?
Products in the default category can always use module A.
They may also use module B+C or module H if the manufacturer chooses, because Article 32(1) makes those routes generally available. The key point is that the CRA does not require third-party conformity assessment for default-category products.
When can an important CRA class I product use module A?
An important product of class I can use module A if, in assessing compliance, the manufacturer has applied relevant harmonised standards, common specifications, or European cybersecurity certification schemes at assurance level at least substantial.
If those instruments have not been applied, have been applied only in part, or do not exist, Article 32(2) requires the relevant essential cybersecurity requirements to be covered through module B+C or module H instead.
What if a harmonised standard covers the core functionality of an important class I product, but not every cybersecurity risk of the full product?
The draft Commission guidance takes the view that the manufacturer may still use internal control (module A) if the harmonised standard covers the product's core functionality.
But that does not mean the whole product automatically benefits from a full presumption of conformity. The guidance explains that the manufacturer still has to address additional risks presented by broader product scope or additional functions, and the presumption of conformity extends only to the parts covered by the standard.
Which CRA conformity assessment routes apply to critical products with digital elements?
Critical products listed in Annex IV must use:
- a European cybersecurity certification scheme where Article 8(1) requires one, or
- if the conditions in Article 8(1) are not met, one of the class II routes in Article 32(3)
So critical products do not automatically have to use the same third-party route in every case. The legal answer depends first on whether a certification scheme has been made mandatory under Article 8(1).
Does integrating an important or critical component automatically force the finished product into the corresponding route?
No.
The CRA and the Commission FAQ both say that integrating an important or critical product into another product does not by itself make the finished product subject to the conformity assessment regime for that component category. The decisive factor is the core functionality of the finished product as a whole.
Does the CRA provide a special route for free and open-source software in Annex III categories?
Yes.
Manufacturers of products qualifying as free and open-source software that fall under Annex III categories may use any of the Article 32(1) procedures, including module A, provided that the technical documentation is made available to the public at the time of placing the product on the market.
Can a manufacturer choose a stricter CRA conformity assessment route than the minimum route required by law?
Yes.
The CRA sets minimum route requirements for certain product categories, but the manufacturer can still choose a more demanding route. For example, a default-category product may still go through module B+C or module H, and a class I product that could rely on module A may still opt for third-party assessment.
What does module A (internal control) involve under the CRA?
Under module A, the manufacturer verifies that the product complies with the CRA, draws up the technical documentation, performs the necessary testing or equivalent verification, and declares compliance on its sole responsibility. No notified body participates.
What does module B+C involve under the CRA?
Module B+C combines notified-body examination of the design and development phase with the manufacturer's own responsibility for conformity to the approved type in production.
The notified body examines the design, technical documentation, supporting evidence and specimens under module B (EU-type examination). The manufacturer then ensures under module C (conformity to type) that the manufactured units conform to the approved type and remains responsible for production conformity.
What does module H involve under the CRA?
Under module H (full quality assurance), the manufacturer operates an approved quality system covering design, development, production, final inspection and testing, and a notified body assesses and surveils that system rather than examining each product type individually. Because the assessment attaches to the quality system, products developed and produced under it do not need a separate type examination for each product or each new version, which is why module H can be attractive for manufacturers with larger product portfolios or products subject to frequent updates.
Do CRA conformity assessment routes assess only the product, or also the manufacturer's processes?
They assess both.
Article 32 requires conformity assessment of the product with digital elements and the processes put in place by the manufacturer. That is why the Annex VIII procedures also cover vulnerability handling processes and, depending on the route, production controls or quality-system controls.
How do high-risk AI systems affect CRA route selection?
As a rule, Article 12 says that the conformity assessment procedure under the AI Act applies to products that are both CRA products and high-risk AI systems, including for the cybersecurity requirements addressed by the CRA.
But the CRA creates an important derogation. Important and critical CRA products that are also high-risk AI systems, and that would otherwise be assessed only under the AI Act's internal-control procedure, must still follow the CRA conformity assessment procedures for the CRA cybersecurity requirements.
Can existing certificates issued under other EU product laws still be used during the CRA transition?
Yes, but only within limits.
Article 69(1) says EU-type examination certificates and approval decisions issued regarding cybersecurity requirements under other Union harmonisation legislation remain valid until 11 June 2028 unless they expire earlier or the other legislation says otherwise. The draft Commission guidance adds that manufacturers may rely on those certificates only for the cybersecurity risks and corresponding requirements they actually cover, and that even if the other legislation gives a longer validity period, reliance for CRA purposes does not continue beyond 11 June 2028.
Do products designed before 11 December 2027 still need a CRA conformity assessment if new units are placed on the market later?
Yes.
The CRA applies to individual products placed on the market from 11 December 2027 onward, not only to newly designed product types. The draft Commission guidance explains, however, that for products designed before the CRA applied, the manufacturer can demonstrate compliance through a current cybersecurity risk assessment and technical documentation and is not automatically expected to recreate historical design-phase evidence that would not improve the product's security.
Article 13(12) and Article 69(2) tie conformity assessment and technical documentation to products placed on the market after the CRA application point.
Can an important product of class I rely on a harmonised standard before its reference is published in the Official Journal?
No.
For CRA presumption of conformity and for the Article 32(2) route logic, a harmonised standard counts only once its reference has been published in the Official Journal of the European Union. The Commission FAQ also says that after the European standardisation organisations adopt a harmonised standard, the Commission still has to assess it before publication in the Official Journal. Until then, a manufacturer may still refer to it in its technical documentation as part of the technical solution it relies on, but it does not have the legal effect of a published harmonised standard under Article 27.
Article 27, Article 32(2), and Annex VII point 5 support the need for OJ-published references before standards affect CRA presumption and route evidence.