FAQ item index

Indexed coverage
1072 of 1072 items
Across 40 modules • Updated Mar 10, 2026
Author
Sorena AI
Published
Mar 10, 2026
Updated
Mar 10, 2026
CRA User Information and Transparency

Does the CRA require an end-of-support notice to existing users?

Yes, where technically feasible in light of the nature of the product.

Article 13(19) says manufacturers must display a notification to users informing them that the product has reached the end of its support period where this is technically feasible.

What contact information must be visible to users?

Users must be given the manufacturer's name, trade name or trademark, postal address, and email address or other digital contact details, as well as the website where applicable.

That information must appear on the product, packaging, or accompanying document and must also be included in the Annex II information and instructions.

What is the single point of contact and what must users be able to do with it?

The single point of contact is the channel through which users can communicate directly and rapidly with the manufacturer, including to report vulnerabilities.

It must be easily identifiable, must let users choose their preferred means of communication, and must not limit communication to automated tools. Annex II also requires users to be told where the manufacturer's coordinated vulnerability disclosure policy can be found.

Must the manufacturer tell users the product's intended purpose and security properties?

Yes.

Annex II requires the intended purpose of the product, including the security environment provided by the manufacturer, as well as the product's essential functionalities and information about its security properties.

Must the manufacturer warn users about foreseeable misuse and significant cybersecurity risks?

Yes.

Annex II requires information about any known or foreseeable circumstance related to intended use or reasonably foreseeable misuse that may lead to significant cybersecurity risks. The Commission FAQ gives examples such as deployment on insecure networks or use outside the expected professional setting.

If the manufacturer's risk assessment assumes the product will be used only in a secure environment, does that need to be reflected in the instructions?

Yes.

The Commission FAQ says that where the risk assessment relies on assumptions or requirements needed for secure installation, integration, or operation, those assumptions must be communicated through the information and instructions to the user. This includes deployment conditions such as use on a secure network or use by trained professional users.

If a product is intended for professionals but might reasonably be used by less-skilled users, do the instructions need to take that into account?

Yes.

The Commission FAQ, relying on the Blue Guide, says manufacturers must consider reasonably foreseeable use and the expected audience for installation and operation. If non-professional or low-skilled users are a foreseeable audience, the instructions must be adapted accordingly.

What CRA update-related instructions must users receive?

Users must receive information on how security-relevant updates can be installed. Where the product has a default setting enabling automatic installation of security updates, Annex II also requires instructions on how that setting can be turned off.

Does the CRA require decommissioning instructions?

Yes.

Annex II requires information on secure decommissioning of the product, including how user data can be securely removed.

Does the CRA require the manufacturer to give users access to the full technical documentation?

No, not generally.

The CRA requires the manufacturer to prepare and retain technical documentation for authorities, but the Commission FAQ says there is no general obligation to make the technical documentation available to customers or to the public.

Does the CRA require the manufacturer to give users the EU declaration of conformity?

Yes, either in full or in simplified form.

If the manufacturer provides a simplified EU declaration of conformity, it must contain the exact internet address where the full declaration can be accessed. Annex II also requires the internet address to be included where applicable.

Must the manufacturer tell users what kind of security support they will receive?

Yes.

Annex II requires the manufacturer to state the type of technical security support it offers and the end date of the support period during which users can expect vulnerabilities to be handled and to receive security updates.

If the manufacturer decides to make the software bill of materials available to users, does the CRA say anything about that?

Yes.

If the manufacturer decides to make the SBOM available to the user, Annex II requires information on where the SBOM can be accessed.

How long must the manufacturer keep CRA user information available?

For at least 10 years after placing the product on the market or for the support period, whichever is longer.

Must the manufacturer inform users about actively exploited vulnerabilities and severe incidents?

Yes.

After becoming aware of an actively exploited vulnerability or a severe incident having an impact on the security of the product, the manufacturer must inform the impacted users and, where appropriate, all users, of that vulnerability or incident and of any corrective or mitigating measures users can take.

The CRA adds that this information should, where appropriate, be provided in a structured, machine-readable format that is easily automatically processable.

When security updates are available, must they come with user-facing advisory messages?

Yes.

Annex I Part II point (8) requires available security updates to be disseminated without delay and, unless the tailor-made exception applies, free of charge. It also requires those updates to be accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.

So the CRA's transparency duties are not limited to giving users access to the update package itself. They also include the user-facing information needed to understand and apply the update safely.

If a manufacturer ceases operations, do users have to be informed?

Yes.

Article 13(23) says that if a manufacturer ceases operations and, as a result, cannot comply with the CRA, it must inform the relevant market surveillance authorities before the cessation takes effect and must also inform users of the relevant products, by any available means and to the extent possible.

That is a specific CRA transparency duty aimed at letting users understand that the manufacturer may no longer be able to maintain compliance or provide the expected support.

For iterative software, does the CRA support-period information need to match the specific version being placed on the market?

Yes.

The March 2026 draft guidance says that each version of a software product placed on the market has to have its own declared support period complying with Article 13(8). That matters for transparency because Article 13(19) requires the end date of the support period to be clearly specified at the time of purchase. So for substantially modified software versions, the support-period information must track the specific version being placed on the market, not just a generic family-wide date.

Does Article 14(8) mean vulnerability or incident information always has to be made public to everyone?

No.

The March 2026 draft guidance says the Article 14(8) duty to inform users is risk-based and proportionate. It does not mean the information must always be made public or disclosed indiscriminately. Where appropriate, manufacturers may limit detailed disclosure to the relevant affected users or customers, especially for products used in sensitive or essential environments where wider public disclosure could itself increase cybersecurity risks.
