FAQ item index

Author
Sorena AI
Published
Mar 10, 2026
Updated
Mar 10, 2026
CRA User Information and Transparency

Does the CRA require the manufacturer to publish every known vulnerability or the full cybersecurity risk assessment to users?

No.

The CRA requires several specific disclosures, not a blanket publication of all security analysis. Users may need to be informed about significant cybersecurity risks under Annex II point 5, about actively exploited vulnerabilities or severe incidents under Article 14(8), and about fixed vulnerabilities once a security update is available under Annex I Part II point (4). But the Commission FAQ also says there is no general obligation to make the technical documentation available to customers or to the public.

CRA User Information and Transparency

If a product has optional modes, legacy-compatibility settings, or technical capabilities that can create significant cybersecurity risk in foreseeable misuse, must that be explained to users?

Yes, where those circumstances may lead to significant cybersecurity risks.

The Commission FAQ explains that even where a function or capability sits outside the intended purpose, the information and instructions may need to mention it if reasonably foreseeable misuse could create significant cybersecurity risks. The same logic applies where manufacturers allow users to alter configurations, remove security functionality, or downgrade security measures for legacy compatibility. In those cases, the risks should be treated in the risk assessment and explicitly reflected in user information where Annex II point 5 is engaged.

CRA User Information and Transparency

Does the CRA itself already require a standard security label, pictogram, or score to be shown to users?

No fixed format is required by the Regulation text itself.

Article 30(6) allows the Commission to adopt implementing acts laying down technical specifications for labels, pictograms, or other marks related to product security and support periods. But the CRA text itself does not already prescribe one mandatory standard label or scoring format that manufacturers must use in Annex II information.

CRA Vulnerability Handling

What does the CRA require manufacturers to do for vulnerability handling over the product lifecycle?

Annex I Part II requires manufacturers to:

- identify and document vulnerabilities and components, including a software bill of materials

- address and remediate vulnerabilities without delay, including through security updates

- apply effective and regular security tests and reviews

- disclose information about fixed vulnerabilities once a security update is available, subject to a limited justified delay option

- enforce a coordinated vulnerability disclosure policy

- facilitate vulnerability reporting, including for third-party components in the product

- provide secure update-distribution mechanisms and, where applicable, automatic security updates

- disseminate security updates without delay and, unless the tailor-made exception applies, free of charge

CRA Vulnerability Handling

Does the CRA require a patch for every vulnerability discovered during the support period?

No.

The Commission FAQ says the CRA does not require a patch for every vulnerability. The manufacturer must assess the risk the vulnerability poses and ensure that remedies are put in place without delay. Depending on the risk, the right remedy may be an immediate patch, a mitigation, configuration guidance, an advisory, documentation changes, or another appropriate measure.

CRA Vulnerability Handling

What does "without delay" mean in practice for CRA vulnerability handling?

The CRA does not define one universal deadline for remediation under Annex I Part II point (2). The Commission FAQ treats it as risk-based. High-risk vulnerabilities may require immediate patching, while lower-risk issues may be handled through other timely remedies.

What matters is that the manufacturer assesses the vulnerability promptly and takes an appropriate remediation or mitigation path without unjustified delay.

CRA Vulnerability Handling

Must CRA security updates be separate from functionality updates?

Where technically feasible, yes.

The CRA says new security updates must be provided separately from functionality updates where technically feasible. Recital 57 explains that this is meant to avoid forcing users to install feature changes just to receive security fixes.

CRA Vulnerability Handling

Can a security update and a functionality update be combined in one release?

Yes, where separation is not technically feasible.

The Commission FAQ gives examples where a security fix necessarily changes functionality, such as replacing an unsafe parser with a safer one that changes product behaviour, or disabling a vulnerable interface. In those cases, the CRA does not require artificial separation.

CRA Vulnerability Handling

Do vulnerability-handling obligations apply only when the product is first sold?

No.

Manufacturers must ensure, when placing the product on the market and for the support period, that vulnerabilities of the product, including its components, are handled effectively and in accordance with Annex I Part II.

CRA Vulnerability Handling

What must the manufacturer do if it finds a vulnerability in an integrated component?

The manufacturer must report the vulnerability to the person or entity manufacturing or maintaining the component, address and remediate the vulnerability in its own product, and share the relevant code or documentation if it developed a hardware or software modification to fix the component vulnerability.

CRA Vulnerability Handling

Can the integrating manufacturer rely on the component manufacturer to fix component vulnerabilities?

Sometimes, but not completely.

If the component is itself subject to CRA obligations, the integrating manufacturer can rely in part on the component manufacturer's vulnerability-handling work. But the integrating manufacturer still has to fulfil the CRA obligations for its own product, including keeping users informed and ensuring the overall product remains compliant.

If the component is not subject to CRA vulnerability-handling obligations, the integrating manufacturer must still handle the issue in its own product, including by other means if necessary.

CRA Vulnerability Handling

What if the integrated component is no longer supported by its own developer?

That does not remove the product manufacturer's CRA duty.

The Commission FAQ says that if a product still has an active support period and a vulnerability in an integrated component can no longer be addressed through the component's own support path, the manufacturer of the product must remediate the issue by other means, such as switching out the component or developing a patch autonomously.

CRA Vulnerability Handling

Does the manufacturer need to support every version of a software product?

Not always.

Article 13(10) allows the manufacturer, under specific conditions, to ensure compliance with the remediation obligation only for the latest substantially modified version it has placed on the market. That is allowed only if users of earlier versions can access the latest version free of charge and without additional costs to adjust their hardware or software environment.

CRA Vulnerability Handling

If a hardware product cannot run the latest software version, can the manufacturer stop updating it?

No.

Recital 40 says that where a hardware product is not compatible with the latest version of the operating system it was originally delivered with, the manufacturer should continue to provide security updates at least for the latest compatible version for the support period.

CRA Vulnerability Handling

Is the manufacturer responsible for users actually installing CRA security updates?

No, but the manufacturer is responsible for making the update path work properly.

The CRA requires mechanisms for secure distribution, automatic security updates where applicable, notification to users, and dissemination without delay. The Commission FAQ says the manufacturer is not responsible under the CRA if a user does not install updates, for example because the user opted out.

CRA Vulnerability Handling

Must CRA security updates be free of charge?

Yes, unless the tailor-made exception applies.

Annex I Part II point (8) requires that security updates addressing identified security issues be disseminated without delay and free of charge, unless otherwise agreed between the manufacturer and a business user in relation to a tailor-made product.

CRA Vulnerability Handling

Must each CRA security update remain available after release?

Yes.

Article 13(9) says each security update made available during the support period must remain available for at least 10 years after it is issued or for the remainder of the support period, whichever is longer.

CRA Vulnerability Handling

Can a manufacturer keep public software archives of older unsupported versions?

Yes.

Article 13(11) says manufacturers may maintain public software archives enhancing user access to historical versions. If they do, users must be clearly informed in an easily accessible manner about the risks associated with using unsupported software.

CRA Vulnerability Handling

Must manufacturers test and review product security regularly?

Yes.

Annex I Part II point (3) requires effective and regular tests and reviews of the security of the product. Article 13(7) also requires the manufacturer to systematically document relevant cybersecurity aspects and, where applicable, update the cybersecurity risk assessment.
