Search every question across CRA sub-FAQs

The CRA does not apply to:

- products to which Regulation (EU) 2017/745 on medical devices applies

- products to which Regulation (EU) 2017/746 on in vitro diagnostic medical devices applies

- products to which Regulation (EU) 2019/2144 on vehicle type approval applies

- products certified in accordance with Regulation (EU) 2018/1139 on civil aviation

- equipment within the scope of Directive 2014/90/EU on marine equipment

Yes.

The Commission FAQ says Delegated Regulation (EU) 2025/1535 also excludes products with digital elements falling within the scope of Regulation (EU) No 168/2013 on two- or three-wheel vehicles and quadricycles, except L1e category vehicles designed to pedal.

Yes.

Article 2(5) allows the Commission to adopt delegated acts limiting or excluding the CRA for products covered by other Union rules that address all or some of the same risks, where the regulatory framework remains coherent and the sectoral rules achieve the same or a higher level of protection.

Yes.

The CRA excludes spare parts made available to replace identical components in products with digital elements where those spare parts are manufactured according to the same specifications as the components they replace.

Yes.

The CRA does not prevent Member States from setting additional cybersecurity requirements for procurement or use for specific purposes, including national security or defence procurement or use, as long as those requirements are consistent with Union law and are necessary and proportionate.

Yes.

The draft guidance says it does not matter whether the code is uncompiled, compiled, or interpreted. If a manufacturer provides computer code to customers as part of a commercial activity, that code is placed on the market for CRA purposes even if the customer still has to adapt or compile it before use.

No.

The draft guidance says public sharing of free and open-source computer code in repositories is not by itself placing that code on the market. It also says unfinished code shared during design and development, and sample or demo code provided in tutorials or training materials, is not considered placed on the market.

Yes.

The Commission FAQ gives the example of an offline text editor or calculator that does not itself initiate communications but runs on a host operating system that does. In that situation, the software can still be indirectly connected within the CRA meaning.

Not by itself.

The draft guidance says a data connection requires digital information to be deliberately encoded and capable of being decoded as data at the destination. Signals used only to power or trigger a function do not create a CRA data connection. The Commission FAQ's electric-toothbrush example illustrates the same boundary.

Yes.

The draft guidance says systems composed of multiple hardware and software elements that operate together to perform a certain function can be a single product with digital elements where that system is placed on the market as a single product. Their complexity, long lifecycle, or reliance on older components does not exclude them from scope by itself.

The CRA requires products with digital elements to be made available on the market with a secure-by-default configuration, based on the manufacturer's cybersecurity risk assessment and in light of the product's intended purpose and reasonably foreseeable use.

This is not a generic slogan. It is a concrete Annex I requirement.

No.

The default configuration has to be determined through the risk assessment for the specific product. What is secure by default for one product category may not be secure by default for another.

No.

The CRA ties the default configuration to the product's intended purpose, reasonably foreseeable use, and the manufacturer's cybersecurity risk assessment. So the legal test is not whether the product is maximally locked down in the abstract, but whether its default configuration is secure for the way the product is meant and reasonably expected to be used.

That depends on the product, but the CRA and Commission materials point toward defaults that reduce cybersecurity risk at first use.

The Commission FAQ gives examples such as insecure or deprecated cryptographic algorithms being disabled by default, certificate validation being enabled by default, or network interfaces being disabled by default until needed.

Yes.

Annex I Part I, point (2)(b) expressly includes the possibility to reset the product to its original state.

Where applicable, yes.

Annex I Part I, point (2)(c) says vulnerabilities must be addressable through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe and enabled as a default setting. That default setting must come with a clear and easy-to-use opt-out mechanism and the option to postpone updates temporarily.

Yes.

The CRA requires a clear and easy-to-use opt-out mechanism and an option to postpone updates temporarily. Annex II also requires instructions on how the default automatic-installation setting can be turned off.

No.

Recital 56 says the automatic-update expectations do not apply to products primarily intended to be integrated as components into other products. It also says they do not apply to products for which users would not reasonably expect automatic updates, including products intended for use in professional ICT networks and especially in critical and industrial environments where automatic updates could interfere with operations.

Yes.

Recital 56 says that irrespective of whether a product is designed to receive automatic updates, the manufacturer should inform users about vulnerabilities and make security updates available without delay.

Not automatically, but the manufacturer is not responsible under the CRA for the user's refusal to install updates.

The Commission FAQ says the manufacturer is not responsible if the user does not install security updates, including where the user opts out. But the manufacturer still must design the product and its processes so updates can be distributed, notified, and installed as required.