Search every question across CRA sub-FAQs

It can deviate from the secure-by-default requirement only within the tailor-made carve-out.

That means the deviation must be tied to the particular-purpose, particular-business-user, and explicit-contractual-terms conditions. It does not remove the manufacturer's broader obligation to place a compliant product on the market under the CRA.

The Commission FAQ says the manufacturer is expected to include in the technical documentation all relevant data or details showing compliance with the applicable essential requirements, including appropriate evidence that the product is tailor-made.

That means the documentation should support the particular-purpose, particular-business-user, and explicit-contractual-deviation elements.

Yes.

The CRA does not create a general Annex II exemption for tailor-made products. Manufacturers still need to comply with Article 13(18) and provide the required information and instructions to the user, unless a specific CRA provision says otherwise.

No.

The tailor-made carve-out does not remove the CRA's general vulnerability-handling regime. It only allows deviation from the free-of-charge element of Annex I Part II point (8) where the tailor-made conditions are met. The manufacturer still remains subject to the broader CRA obligations, including handling vulnerabilities during the support period.

Yes.

Annex I Part II point (8) still requires security updates to be disseminated without delay and accompanied by advisory messages with the relevant information, including potential action users should take. The tailor-made exception changes the free-of-charge requirement where otherwise agreed, but it does not remove those other parts of point (8).

No.

Inference from the CRA text and the Commission FAQ: the material requires more than the existence of a commercial contract. The product must be fitted to a particular purpose for a particular business user, and the parties must explicitly agree a different set of contractual terms. The FAQ's negative examples show that ordinary multi-customer business products with only minor customisation do not become tailor-made on that basis alone.

No, not on that fact alone.

Inference from the Commission FAQ: where the product remains fundamentally the same product for every customer, the tailor-made exception does not apply merely because each customer has its own configuration, plugin set, API use, or minor pre-sale customisation. The CRA materials point the other way unless the product is genuinely fitted to a particular purpose for a particular business user under explicit different contractual terms.

CRA technical documentation is the evidence package that shows how the manufacturer ensured that the product and the manufacturer's processes comply with the applicable essential cybersecurity requirements.

It must contain all relevant data or details of the means used by the manufacturer to ensure compliance and must at least contain the elements listed in Annex VII.

It must be drawn up before the product is placed on the market.

It must then be continuously updated, where appropriate, at least during the support period.

The Commission FAQ adds that it has to be available when the product is placed on the market, regardless of where it is physically stored.

Annex VII requires, as applicable:

- a general description of the product, including intended purpose, compliance-relevant software versions, hardware images or illustrations where relevant, and user information and instructions

- a description of design, development, production, and vulnerability handling processes

- the cybersecurity risk assessment and applicability of Annex I Part I requirements

- the information used to determine the support period

- the list of harmonised standards, common specifications, or certification schemes applied, and descriptions of alternative solutions where they were not applied

- test reports

- a copy of the EU declaration of conformity

- where applicable, the software bill of materials

Yes.

Article 13(4) requires the manufacturer to include the cybersecurity risk assessment in the technical documentation when placing the product on the market. The same provision also requires a clear justification where certain essential cybersecurity requirements are not applicable to the product.

Yes.

Annex VII expressly requires:

- versions of software affecting compliance with essential cybersecurity requirements

- relevant information taken into account to determine the support period under Article 13(8)

Those are not optional extras. They are part of the minimum CRA documentation set where applicable.

The technical documentation must identify the harmonised standards, common specifications, and relevant certification schemes used in full or in part.

Where they were not applied, the documentation must describe the solutions adopted to meet the essential requirements and list any other relevant technical specifications used. If they were applied only in part, the documentation must specify which parts were applied.

Yes, where Article 12 applies.

For CRA products that are also subject to other Union legal acts requiring technical documentation, Article 31(3) allows a single set of technical documentation containing both the CRA information and the information required by those other acts.

Yes.

The Commission FAQ says technical documentation may form part of the quality-system documentation where the manufacturer uses a quality-system-based conformity assessment route such as module H.

Article 31(4) says the technical documentation and correspondence relating to a conformity assessment procedure must be drawn up in an official language of the Member State in which the notified body is established or in a language acceptable to that body.

The Commission FAQ adds that the technical documentation can be written in any language, but if a market surveillance authority requests it, it needs to be provided in a language easily understood by that authority.

No, as a rule it does not.

The Commission FAQ states that there is no general obligation to make the technical documentation available to customers or the public. The specific CRA exception is Article 32(5), where a manufacturer of qualifying free and open-source software in an Annex III category relies on the CRA's special Article 32(5) rule and therefore has to make the technical documentation public at the time of placing on the market.

Manufacturers must, on reasoned request, provide authorities with the information and documentation necessary to demonstrate conformity. Article 53 goes further and says authorities may be granted access to the data needed to assess design, development, production, and vulnerability handling, including related internal documentation.

For SBOMs, the CRA does not require public release, but Annex VII and Annex I make them part of the documentation framework and market surveillance authorities may request them where necessary to check compliance.

Yes.

Article 31(2) requires continuous updating where appropriate, at least during the support period. The March 2026 draft guidance adds that technical documentation must remain accurate, complete, and up to date even where updates do not amount to substantial modifications.

For substantial modifications, the draft guidance, relying on the Blue Guide, says the documentation has to be updated to the extent the modification affects the applicable requirements, and unchanged aspects do not need to be retested or redocumented.

Not necessarily.

The March 2026 draft guidance says that for products designed before the CRA's application date, the obligation to provide evidence in the conformity assessment should not be read as requiring the manufacturer to recreate original design and development test evidence where that would not improve the product's security. The manufacturer still has to demonstrate current compliance through the cybersecurity risk assessment and technical documentation.