Is there a simplified technical documentation format for smaller companies?
Yes.
Article 33(5) says microenterprises and small enterprises may provide the Annex VII elements using a simplified format once the Commission specifies that form by implementing act. Notified bodies must accept that form for conformity assessment purposes.
Does the CRA require one fixed template for technical documentation?
No.
The CRA prescribes what the technical documentation must contain, mainly through Annex VII, but it does not impose one mandatory template or filing structure. What matters is that the file contains the required content and is clear enough to let a notified body or market surveillance authority assess conformity.
In practice, that means the manufacturer has flexibility in how the file is organised, but not in whether the required elements are actually present and kept up to date.
Does the technical documentation need to distinguish product versions and redesigns?
Yes.
The Commission FAQ says that where a product has been redesigned or reassessed, the technical documentation must reflect all versions of the product, describe the changes made, explain how the versions can be identified, and include information on the relevant conformity assessment.
That matters in practice because the CRA documentation is meant to remain usable throughout the product's life. A manufacturer cannot keep only the newest file if that makes it impossible to tell which documentation applies to which version placed on the market.
Can a manufacturer automatically use one technical-documentation set for every product variant in a family?
Not automatically.
The March 2026 draft guidance allows a single set of technical documentation where the variants share the same architecture, security-relevant design, intended purpose, and cybersecurity risks, and where all relevant risks and essential requirements are adequately covered. If differences between variants affect cybersecurity properties, those differences must be reflected in the technical documentation and, where necessary, the conformity assessment.
If the same remote data processing solution supports several products, can the related documentation be reused?
Yes, but each product still needs its own declaration of that reliance.
The March 2026 draft guidance says manufacturers should indicate in the technical documentation that the product has a remote data processing solution (RDPS) or relies on relevant third-party cloud solutions, and describe those solutions. If the same RDPS supports several products, the RDPS must be declared in each product's technical documentation, even though the RDPS documentation itself may be reused across product conformity assessments.
Does the fact that technical documentation is not generally public mean authorities are limited to the Annex VII file only?
No.
The January 2026 Commission FAQ and Article 53 make clear that, where necessary to assess conformity, market surveillance authorities may be granted access to the data needed to assess design, development, production, and vulnerability handling, including related internal documentation of the relevant economic operator. So the non-public character of the technical documentation does not cap authority access at the bare Annex VII file.
Can a manufacturer keep CRA technical documentation split across different internal systems or suppliers, as long as the full set can be produced?
Yes, in principle.
Inference from the CRA text and Commission FAQ: the legal requirement is that the technical documentation be drawn up, contain the required Annex VII content, be available when the product is placed on the market, and be provided to authorities on reasoned request. The CRA does not prescribe one storage location or one physical dossier, but the manufacturer remains responsible for being able to assemble and provide a coherent, complete set when needed.
If a notified body accepts one language for CRA conformity-assessment documentation, does that automatically settle the language issue for market-surveillance requests?
No.
Article 31(4) deals with the language of technical documentation and correspondence relating to a conformity assessment procedure, especially for notified-body interactions. Separately, Article 13(22) requires manufacturers to provide the necessary information and documentation to market-surveillance authorities in a language that can be easily understood by the requesting authority. The Commission FAQ makes the same distinction.
The Regulation itself says it enters into force on the twentieth day following its publication in the Official Journal. The Commission FAQ uses the concrete date 10 December 2024.
Chapter IV of the CRA starts to apply on 11 June 2026. That chapter covers notifying authorities and conformity assessment bodies, including designation, notification, operation, and oversight of notified bodies.
The Commission FAQ explains that Member States must have their notifying-authority arrangements in place by that date.
Article 14 starts to apply on 11 September 2026. From that date, manufacturers must report actively exploited vulnerabilities and severe incidents having an impact on the security of their products through the CRA reporting system.
That early date also matters for open-source software stewards, because Article 24(3) ties some of their reporting obligations to Article 14. So, from 11 September 2026, the limited steward reporting hooks become relevant as well, even though the rest of the CRA still applies later.
11 December 2027 is the general date of application of the CRA.
From 11 December 2027, the manufacturer obligations, essential cybersecurity requirements, conformity assessment rules, CE marking framework, market surveillance rules, and the rest of the CRA apply, except for the earlier-starting provisions that already applied before that date.
If a product is developed during the transition period but first placed on the market on or after 11 December 2027, does it have to comply with the CRA?
Yes.
The CRA turns on placement on the market of the individual product, not on the date the project started. The Commission FAQ makes this explicit by explaining that individual products first placed on the market on or after 11 December 2027 must comply, even if the product type or earlier units existed before then.
Can a manufacturer continue placing non-CRA-compliant products on the market during the transition period before 11 December 2027?
Yes, subject to any other applicable Union legislation.
The CRA's main product-compliance obligations do not apply until 11 December 2027. The transition problem is not whether the product must already bear CRA CE evidence before that date, but how the manufacturer prepares so that products first placed on the market on or after that date will comply.
During the transition period, can a manufacturer integrate components that do not yet bear CRA CE marking?
Yes.
The Commission FAQ says this directly. During the transition period, manufacturers may integrate third-party components that do not yet bear CRA CE marking, because those component manufacturers may not yet be under the CRA's full application date. The integrating manufacturer must still exercise due diligence through other means so the component does not compromise the cybersecurity of the finished product.
Does the transition period mean manufacturers can ignore due diligence on components until 11 December 2027?
No.
Article 13(5) is part of the manufacturer obligations that apply from 11 December 2027, but the Commission FAQ's transition guidance is clear about the practical point: manufacturers preparing products for post-application placement should expect to exercise due diligence even where CRA CE marking is not yet available on integrated components.
During the transition period, can a manufacturer integrate important or critical components that do not follow harmonised standards?
Yes.
The Commission FAQ says manufacturers are free to integrate components, including important or critical products with digital elements, even where those components were not designed in accordance with harmonised standards. Harmonised standards are a route to presumption of conformity, not a mandatory condition for integration.
That point matters during the transition because the absence of harmonised standards, or the fact that a component does not follow them, does not by itself block integration. The manufacturer still has to assess and manage the resulting risks.
What happens to existing EU type-examination certificates or approval decisions issued under other Union legislation for cybersecurity requirements?
Article 69(1) says those certificates and approval decisions remain valid until 11 June 2028, unless they expire earlier or the other Union legislation says otherwise.
The March 2026 draft guidance explains that this can include certificates or approval decisions issued under legislation such as the RED cybersecurity delegated act or the Machinery Regulation, but only for the cybersecurity risks actually covered by those instruments.
Does a valid pre-existing certificate under another EU law prove full CRA compliance until 11 June 2028?
No.
The March 2026 draft guidance says those certificates or approval decisions remain relevant only for the cybersecurity risks they actually cover. Manufacturers still have to assess and address any remaining CRA-relevant risks that fall outside the scope of the earlier certificate.