FAQ item index


Indexed coverage: 1072 of 1072 items across 40 modules
Author: Sorena AI
Published: Mar 10, 2026
Updated: Mar 10, 2026

CRA Security Updates vs Functionality Updates

Is the manufacturer responsible under the CRA if a user refuses or fails to install a security update?

No.

The Commission FAQ states this directly. The manufacturer must make the update available through the required mechanisms and keep users informed, but is not responsible under the CRA if the user does not install the update.

CRA Security Updates vs Functionality Updates

If a vulnerability cannot be fixed adequately, can withdrawal or recall become necessary?

Yes, in exceptional cases.

Article 13(21) requires corrective measures to bring the product or the manufacturer's processes into conformity, or withdrawal or recall as appropriate. The Commission FAQ explains that this may become necessary where a serious vulnerability cannot be adequately remediated.

CRA Security Updates vs Functionality Updates

Even when CRA automatic updates are not applicable, must the manufacturer still inform users about vulnerabilities and make security updates available?

Yes.

Recital 56 states this expressly. Even where a product is not designed to receive automatic updates, the manufacturer should still inform users about vulnerabilities and make security updates available without delay.

CRA Security Updates vs Functionality Updates

Must a manufacturer keep delivering security fixes for every historical version of a software product?

Not always.

Article 13(10) allows the manufacturer, under specific conditions, to ensure compliance with the remediation obligation only for the latest substantially modified version it has placed on the market. That is allowed only if users of the earlier versions can access that latest version free of charge and without additional costs to adjust their hardware or software environment.

CRA Security Updates vs Functionality Updates

If earlier versions can move to the latest substantially modified version, does that end all obligations for the older versions?

No.

Recital 40 says the manufacturer may limit remediation to the latest substantially modified version only under the Article 13(10) conditions, but other vulnerability-handling obligations still continue for all subsequent substantially modified versions placed on the market. The same recital also says minor security or functionality updates that do not amount to a substantial modification may be provided only for the latest version or sub-version that has not been substantially modified.

CRA Security Updates vs Functionality Updates

What if a hardware product cannot run the latest software version?

The CRA does not let the manufacturer stop there.

Recital 40 says that where a hardware product is not compatible with the latest version of the operating system it was originally delivered with, the manufacturer should continue to provide security updates at least for the latest compatible version for the support period.

CRA Security Updates vs Functionality Updates

If a release is labelled a security update, does that automatically mean it is not a substantial modification?

No.

Recital 39 and the March 2026 draft guidance say security updates are generally not substantial modifications when they only reduce cybersecurity risk, do not change the product's intended purpose, and do not introduce new cybersecurity risks. But a security-driven change can still be substantial if it changes the intended purpose beyond what was originally foreseen or introduces new interfaces, dependencies, data flows, or other risks that were not covered in the original risk assessment.

CRA Security Updates vs Functionality Updates

Are later functionality updates automatically substantial modifications?

No.

The March 2026 draft guidance says later functionality updates are not substantial modifications just because they add or activate features. If the original risk assessment already foresaw those later functions, already assessed their risks, and already accounted for the needed mitigation measures, the later rollout should not be treated as a substantial modification.

CRA Security Updates vs Functionality Updates

Can a small-looking feature update still become a substantial modification?

Yes.

Recital 39 and the March 2026 draft guidance both make clear that the scale of the feature is not the legal test. Even a limited update can be substantial if it modifies the original intended functions or type or performance of the product in a way that increases cybersecurity risk, or if it introduces new or increased risks that were not covered in the original risk assessment.

CRA Security Updates vs Functionality Updates

Does it matter for substantial-modification analysis whether the feature change was shipped separately or bundled with a security update?

No.

Recital 39 says that when assessing whether a feature update is a substantial modification, it is not relevant whether the feature update is provided separately or in combination with a security update. What matters is the effect on intended purpose and cybersecurity risk, not the packaging of the release.

CRA Security Updates vs Functionality Updates

When Article 13(10) says users must not incur additional costs to move to the latest version, what does that cover?

The March 2026 draft guidance says this should be interpreted practically and proportionately.

Reasonable operational effort does not itself count as additional costs. The guidance gives examples such as personnel time, routine testing, configuration adjustments, and upgrades of underlying software dependencies that are necessary to address end-of-life components or known vulnerabilities. By contrast, additional costs mean burdens going beyond normal software maintenance, such as mandatory purchases of new hardware, infrastructure replacement, or fundamental changes to the operating environment.

CRA Security Updates vs Functionality Updates

If an update is not a substantial modification, can the manufacturer leave the CRA documentation unchanged?

No.

The March 2026 draft guidance says that regardless of whether a software update qualifies as a substantial modification, manufacturers remain responsible for the security of the update and of the product during the support period. It also says the cybersecurity risk assessment and technical documentation must remain accurate, complete, and continuously up to date. That aligns with Articles 13(7) and 31(2).

CRA Substantial Modification

What is a substantial modification under the CRA?

A substantial modification is a change made to a product with digital elements after it has been placed on the market that either affects compliance with the essential cybersecurity requirements in Annex I Part I or changes the intended purpose for which the product was assessed.

CRA Substantial Modification

Why does the concept of substantial modification matter so much?

Because it changes who is treated as the manufacturer, whether a new conformity assessment may be needed, whether a modified product is treated as newly placed on the market, and whether pre-11 December 2027 products fall into the CRA after that date.

CRA Substantial Modification

What is the core test for deciding whether a software update is a substantial modification?

The key question is whether the update changes the product's intended purpose or introduces new or increased cybersecurity risks that were not foreseen and addressed in the original risk assessment, so that compliance with the essential requirements is affected.

CRA Substantial Modification

If a manufacturer adds new functions that were not covered in the original risk assessment, is that likely to be a substantial modification?

Yes.

The draft guidance says that where new functionality changes the product's intended purpose or introduces risks not covered in the original risk assessment, the update will generally qualify as a substantial modification.

CRA Substantial Modification

If the original risk assessment already foresaw later functions, can those later activations avoid being substantial modifications?

Yes.

The draft guidance says that where the original risk assessment already covered the later functionality and its risks, and the appropriate mitigation measures were already built in, a later update implementing those foreseen functions should not be treated as a substantial modification.
