Search every question across CRA sub-FAQs

The Commission FAQ says the Commission aims to repeal Delegated Regulation (EU) 2022/30 with effect from 11 December 2027. That means the timing of placing on the market matters:

- products placed on the market between 1 August 2025 and 10 December 2027 can remain subject to the RED cybersecurity essential requirements made applicable by that delegated regulation

- products first placed on the market on 11 December 2027 or later are subject to the CRA instead

The FAQ also says repealing the RED delegated regulation from 11 December 2027 does not affect market-surveillance treatment of radio equipment that was placed on the market during the earlier RED window.

No, unless the product is substantially modified from that date.

Article 69(2) preserves the pre-existing status of products already placed on the market, while Article 69(3) separately keeps Article 14 reporting obligations applicable.

Yes.

This is the specific consequence of the phased dates. Article 14 starts on 11 September 2026, and Article 69(3) extends it to in-scope products already placed on the market before 11 December 2027.

No.

The Commission FAQ says distributors are not required to bring such products into CRA compliance merely because the general application date has passed. The key transition point is still whether the individual product was placed on the market before 11 December 2027. The main exception remains reporting under Article 14, and a separate trigger exists if someone substantially modifies the product after that date.

No.

Once 11 December 2027 arrives, products first placed on the market on or after that date must comply with the CRA as applicable. The transition period helps manufacturers prepare, but it does not create an extra post-application grace period for newly placed products.

The practical transition question is not whether the CRA already applies to the product today, but when the individual product will first be placed on the market and what evidence will be needed by that date.

The CRA phased dates and the Commission FAQ together point to a simple planning structure:

- be ready for Article 14 reporting from 11 September 2026

- be ready for full CRA compliance for products first placed on the market from 11 December 2027

- treat existing third-party certificates only as partial evidence for the risks they actually cover, and only within their validity window

No.

The Blue Guide says products in the stocks of the manufacturer or importer are not yet placed on the market if they have not yet been supplied for distribution, consumption, or use on the Union market. The Commission FAQ then applies that logic specifically to the CRA transition: only individual products actually placed on the market before 11 December 2027 avoid the CRA's full application, while later-placed units of the same type must comply.

So manufacturing a unit before 11 December 2027 is not enough by itself. If that unit is first placed on the market on or after 11 December 2027, it must comply with the CRA as applicable.

No.

The Blue Guide says products introduced from a third country but still in transit, in free zones, in warehouses, in temporary storage, or under other special customs procedures are not yet placed on the Union market. The CRA transition therefore does not turn on the shipment date or on the fact that the goods have already entered the customs territory. The relevant question is when they are first made available on the Union market.

If those goods are only released for free circulation and first supplied on the Union market on or after 11 December 2027, the CRA timing is assessed at that later moment.

For standalone software supplied digitally, the relevant date is the first offering for distribution or use on the EU market.

The March 2026 draft guidance says a standalone software version is placed on the market when its manufacturing phase is complete and that version is first supplied for distribution or use on the EU market in the course of a commercial activity. Later downloads or remote access to the same version are instances of making that software available, not new placements on the market. The same is true for later iterations that do not qualify as substantial modifications.

That means a standalone software version first offered before 11 December 2027 is not newly placed on the market again merely because users download that unchanged or non-substantially modified version after that date. But if a later iteration is a substantial modification, that later version is treated as newly placed on the market and must comply accordingly.

No.

The CRA transition does not grandfather products merely because the commercial contract, procurement cycle, or development project started before 11 December 2027. The legal trigger remains when the individual product is first placed on the market. The March 2026 draft guidance expressly notes that some complex systems may involve contracts signed before the CRA applies, but the manufacturer must still ensure before placement on the market that the conformity assessment has been carried out, the EU declaration of conformity has been drawn up, and the CE marking affixed.

The same draft guidance also explains that products designed before the CRA applies may still be placed on the market after 11 December 2027 without redesign, but only if the manufacturer can demonstrate compliance through the cybersecurity risk assessment and technical documentation.

Yes, unless they are substantially modified from that date.

Article 69(2) preserves the status of products already placed on the market before 11 December 2027. The March 2026 draft guidance states that products placed on the market before that date remain subject to the Union legislation applicable at the time of their placing on the market and, if they were compliant then, they can continue to be sold and put into operation unless they are substantially modified on or after 11 December 2027.

The main CRA exception is Article 14 reporting, which still applies to in-scope products already placed on the market before 11 December 2027.

Yes.

The CRA requires each security update that was made available during the support period to remain available after issuance for at least 10 years or for the remainder of the support period, whichever is longer.

No.

The support period is the period during which the manufacturer must handle vulnerabilities effectively. Update availability is a separate rule that keeps already-issued security updates accessible for a minimum period after issuance.

Yes.

Article 13(9) applies to each security update that has been made available to users during the support period.

No.

Article 13(9) is framed at the level of each security update made available during the support period, not only the latest one.

Yes.

A product might have a shorter support period, but a security update issued during that period may still need to remain available for at least 10 years after issuance if that is longer.

Not necessarily.

The obligation to handle vulnerabilities runs through the support period. Article 13(9) separately preserves access to security updates that were already issued during that period.

No.

The CRA says manufacturers may maintain public software archives. That means archives are allowed, not required.

The CRA allows archives that enhance user access to historical versions. The Commission FAQ explains this as historical versions of products with digital elements that are no longer made available on the market.

Users must be clearly informed, in an easily accessible manner, about the risks associated with using unsupported software.