Search every question across sub-FAQs

No, not merely because they continue making those individual products available after that date. The Commission FAQ says products already placed on the market before 11 December 2027 are not subject to CRA requirements, except reporting obligations, unless they are substantially modified.

A distributor's position changes if the distributor carries out a substantial modification or places the product on the market under its own name or trademark. In those cases, Article 21 can make the distributor responsible as a manufacturer for CRA purposes.

The changed product is treated as a new product for the CRA analysis when it is made available on the market after the substantial modification. Compliance must be reassessed for the affected part, or for the whole product if the modification affects cybersecurity of the product as a whole.

If an importer or distributor carries out the substantial modification, Article 21 treats it as a manufacturer. If another person carries out the substantial modification and makes the product available on the market, Article 22 treats that person as a manufacturer for CRA purposes.

Not necessarily. The assessment should focus on the parts, risks, and requirements affected by the substantial modification.

Existing documentation, test evidence, and conformity work may still be relevant for unchanged aspects, but the modified product must have enough current technical documentation and assessment evidence to demonstrate CRA conformity for the affected scope.

No. The Blue Guide says repaired products that are not considered new products do not need conformity assessment again, including where the product was temporarily exported to a third country for repair.

For CRA purposes, the relevant question remains whether the repair is a substantial modification because it changes intended purpose, compliance with essential cybersecurity requirements, or the cybersecurity risk profile.

Repair planning should not be separated from the support-period duties. Manufacturers must determine a support period that reflects expected use, and vulnerability handling and security updates must continue during that period according to the CRA requirements.

Where legacy compatibility limits the best available security design, the manufacturer should document the constraint, explain residual risks to users where required, and reassess whether security can be improved during the support period instead of treating the constraint as permanent without review.

Keep enough evidence to show which question was answered: spare-part exclusion, repair substantial-modification analysis, or both. Useful records include the replaced component's specifications, the replacement part's specifications, the intended purpose before and after repair, affected interfaces and data flows, cybersecurity risk-assessment updates, and any compensatory controls.

For non-identical parts or compatibility-limited designs, the file should also record why identical replacement was not used, what risks remain, what user information was updated, and who made the product available on the market after the change.