Search every question across CRA sub-FAQs

No.

The Commission FAQ says the Article 13(1) obligation to deliver products without known exploitable vulnerabilities applies at the moment of placement on the market. Once the product has already been placed on the market, the manufacturer is not expected to fix newly discovered vulnerabilities before the product reaches the final user. But the manufacturer still has vulnerability-handling obligations during the support period and may need to provide a security update as soon as the product is put into operation by its user.

Usually per combined product, not by a separate software-delivery date.

The draft guidance says that where software is necessary for the hardware to perform its intended functions, the hardware and that software together constitute the product placed on the market. The key question is not how or when the software is delivered, but whether it is necessary for the product's intended functions.

Yes, if it is necessary to operate, configure, control, or meaningfully use the device.

The draft guidance expressly says necessary software remains part of the same product even if it is obtained later through an app store, a download link, or another digital channel after the hardware has already been placed on the market.

No.

The draft guidance says the special rule for standalone software supplied digitally applies only to standalone software. It does not apply where software is supplied on physical media or where software forms part of a combined hardware-software product.

Current Commission draft guidance says a standalone software product supplied digitally should be considered placed on the market when:

- its manufacturing phase is complete, and

- that software is first supplied for distribution or use on the EU market in the course of a commercial activity

Current Commission draft guidance says no.

The draft says all copies of the same unchanged version are considered placed on the market at the same time, namely when that version is first offered on the EU market. Later downloads or remote access to that unchanged version are later instances of making it available.

No.

The draft guidance says iterations that do not qualify as substantial modifications do not require a new conformity assessment and do not modify the software's placement date.

Yes.

Where a modification qualifies as a substantial modification, the modified product is treated as a new product for CRA purposes. That means a new placing-on-the-market event and a new support-period determination for that substantially modified version.

Current Commission draft guidance says yes.

The draft guidance says each substantially modified version placed on the market must have a declared support period that complies with Article 13(8).

Sometimes, but only within the conditions of Article 13(10).

If the manufacturer has placed subsequent substantially modified versions of a software product on the market, it may comply with the remediation obligation in Annex I, Part II, point (2) only for the latest placed version, provided that users of earlier versions can access the latest version:

- free of charge

- without additional costs to adjust their hardware or software environment

This does not remove the manufacturer's other vulnerability-handling obligations for the support period.

Not automatically.

Recital 40 says that where a hardware product is not compatible with the latest version of the operating system it was originally delivered with, the manufacturer must continue to provide security updates at least for the latest compatible version for the support period.

Yes, but only where the product is expected to be in use for less than five years.

This is an exception, not a business preference. The Commission materials give examples such as a contact-tracing application for a pandemic and some software that is no longer available and no longer in use once a subscription expires.

No.

The Commission FAQ and the draft guidance both say five years is only a safeguard. It is not the default for products reasonably expected to be used longer. The Commission materials specifically mention longer-lived hardware components, network devices, software such as operating systems or video-editing tools, and industrial systems.

No.

The support period of integrated core components is only one factor the manufacturer may take into account. It does not automatically cap the manufacturer's support obligation for the finished product.

The finished-product manufacturer still remains responsible for the finished product.

The Commission FAQ says the finished product must comply in its entirety during its own support period. If an integrated component is no longer supported and a vulnerability cannot be adequately handled by mitigations, the manufacturer of the finished product may need to switch out the component, develop a patch itself, disable compromised functions, or otherwise remediate by other means.

It covers the product in its entirety, including integrated components.

The CRA and the Commission FAQ are explicit on this point. The manufacturer must handle vulnerabilities affecting the whole product, including vulnerabilities found in integrated third-party components.

Partly, but not completely.

The Commission FAQ says the finished-product manufacturer may benefit from the component manufacturer's own CRA obligations, for example where the component manufacturer develops a security update. But the finished-product manufacturer still remains responsible for its own product's compliance and vulnerability handling.

No.

The Commission FAQ says that even where the component maker is not subject to CRA vulnerability-handling obligations, the integrating manufacturer must still ensure its own product complies in its entirety and must remediate vulnerabilities by other means if necessary.

The manufacturer must clearly and understandably specify the end date of the support period, at least month and year, at the time of purchase, in an easily accessible manner. Where appropriate, this may also be shown on the product, the packaging, or by digital means.

Where technically feasible, the manufacturer must also notify users when the product has reached the end of its support period.

Yes.

The CRA requires the manufacturer to include in the technical documentation the information taken into account to determine the support period. Annex VII expressly requires this information.