FAQ item index

Search every question across CRA sub-FAQs


Indexed coverage: 1072 of 1072 items
Across 40 modules • Updated Mar 10, 2026
Author: Sorena AI
Published: Mar 10, 2026
Updated: Mar 10, 2026
CRA Core Functionality

What is an example of a product that does have the core functionality of a listed category?

The draft Commission guidance gives a positive example for operating systems.

The guidance treats a software product as having the core functionality of an operating system when it provides an abstraction layer over hardware, manages the execution of software components, handles process and memory management, input-output control, scheduling and resource allocation, and exposes system services and APIs so that applications can run reliably on the platform.

CRA Cybersecurity Risk Assessment

What does the CRA require from a manufacturer's cybersecurity risk assessment?

The CRA requires manufacturers to carry out a cybersecurity risk assessment for each product with digital elements and to use the outcome of that assessment throughout the product lifecycle.

It is the basis for deciding how the manufacturer will plan, design, develop, produce, deliver and maintain the product so that it meets the CRA's essential cybersecurity requirements.

CRA Cybersecurity Risk Assessment

Does the risk assessment obligation apply only to important or critical products?

No.

The CRA risk assessment obligation applies to all products with digital elements in scope. Whether a product is in the default category or is classified as important or critical does not remove or replace the need for a comprehensive cybersecurity risk assessment.

CRA Cybersecurity Risk Assessment

At what stage must the manufacturer use the cybersecurity risk assessment?

Across the full lifecycle covered by Article 13(2).

The CRA says the manufacturer must take the outcome of the cybersecurity risk assessment into account during the planning, design, development, production, delivery and maintenance phases of the product.

CRA Cybersecurity Risk Assessment

Must the cybersecurity risk assessment cover the whole product, including remote data processing and supporting functions?

Yes.

The Commission FAQ says the manufacturer's cybersecurity risk assessment must cover the entire product with digital elements. That includes remote data processing when it is in scope, as well as supporting functions that form part of the product.

CRA Cybersecurity Risk Assessment

Does the CRA mandate a specific cybersecurity risk assessment methodology?

No.

The CRA does not prescribe a single methodology. Manufacturers may choose the method they use, but it must allow them to identify, assess, treat and document the relevant cybersecurity risks in a way that supports compliance with the CRA.

CRA Cybersecurity Risk Assessment

Must the threat model reflect the product's intended purpose and deployment context?

Yes.

The Commission FAQ says manufacturers should use a threat-modelling approach that reflects the threats and resulting risks associated with the product's intended purpose and reasonably foreseeable use. That means the assessment may differ for the same type of product depending on where and how it is expected to be used, for example in a residential environment or in critical infrastructure.

CRA Cybersecurity Risk Assessment

What must the cybersecurity risk assessment analyse?

The CRA requires the assessment to analyse the cybersecurity risks associated with the product based on:

- the product's intended purpose

- its reasonably foreseeable use

- the conditions of use

- the time the product is expected to be in use

The Commission FAQ adds that the conditions of use can include the operational environment and the assets to be protected.

CRA Cybersecurity Risk Assessment

Must the risk assessment cover reasonably foreseeable misuse as well as intended use?

Yes.

The CRA definition of reasonably foreseeable use covers use that is likely to result from reasonably foreseeable human behaviour or technical operations or interactions. The Commission FAQ also explains that manufacturers must take reasonably foreseeable misuse into account and communicate significant resulting risks to users where relevant.

CRA Cybersecurity Risk Assessment

Must the manufacturer identify which Annex I requirements apply and how they are implemented?

Yes.

Article 13(3) requires the cybersecurity risk assessment to indicate whether and, if so, how the security requirements relating to product properties in Annex I, Part I, point (2) apply to the product and how they are implemented. It must also indicate how the manufacturer applies Annex I, Part I, point (1) and the vulnerability-handling requirements in Annex I, Part II.

CRA Cybersecurity Risk Assessment

What if a manufacturer concludes that a specific essential cybersecurity requirement is not applicable?

The manufacturer can conclude that a specific requirement is not applicable, but it must justify that conclusion clearly in the technical documentation.

That is not a shortcut around the risk assessment. The Commission FAQ and the draft guidance make clear that if relevant risks still exist, the manufacturer must address them through other appropriate measures and explain the resulting limitations, assumptions or conditions of use.

CRA Cybersecurity Risk Assessment

Can a manufacturer rely on user instructions instead of product-level security measures?

No, not as a substitute for product security.

The March 2026 draft guidance says cybersecurity risks must be addressed through product-level measures. Information and instructions can support secure installation, deployment and use, but they do not cure a design shortcoming if the product itself does not achieve the required level of cybersecurity.

CRA Cybersecurity Risk Assessment

Can a manufacturer decide acceptability based only on internal risk appetite, cost, or commercial strategy?

No.

The March 2026 draft guidance says residual cybersecurity risk must be assessed against the CRA's regulatory threshold, not only against the manufacturer's internal risk tolerance, cost targets or commercial preferences.

CRA Cybersecurity Risk Assessment

Can harmonised standards replace the cybersecurity risk assessment?

No.

Harmonised standards, common specifications or certification schemes can support compliance, but they do not replace the manufacturer's duty to identify and assess the relevant cybersecurity risks for the specific product.

CRA Cybersecurity Risk Assessment

Can one risk assessment be used for the CRA and other EU legislation?

Yes, if it still shows compliance with each legal instrument separately.

The Commission FAQ says manufacturers may carry out a single risk assessment covering the needs of different legislation or separate assessments. What matters is that they remain able to demonstrate compliance with each applicable instrument. The CRA also gives an express example for certain products covered by other Union legal acts.

CRA Cybersecurity Risk Assessment

When must the cybersecurity risk assessment be documented and updated?

It must be included in the technical documentation when the product is placed on the market, and it must then be updated as appropriate during the support period.

After placement on the market, the manufacturer must also systematically document relevant cybersecurity aspects concerning the product, including vulnerabilities it becomes aware of and relevant information provided by third parties, and update the risk assessment where applicable.

CRA Cybersecurity Risk Assessment

What kinds of events should trigger an update to the CRA cybersecurity risk assessment?

The CRA does not publish a closed list, but the legal text and Commission materials clearly point to updates when relevant cybersecurity aspects change.

That includes, for example:

- newly identified vulnerabilities

- evidence from tests or reviews

- relevant information received from third parties

- changes in dependencies, product variants or operating assumptions that affect cybersecurity

- changes in intended purpose, reasonably foreseeable use or deployment environment

CRA Cybersecurity Risk Assessment

What must the technical documentation include regarding the cybersecurity risk assessment?

The technical documentation must include the risk assessment itself and enough supporting information to show how the product complies with the CRA.

Depending on the product, that can include:

- the product's intended purpose

- system architecture and the relationship between hardware and software elements

- relevant information used to determine the support period

- vulnerability-handling processes

- coordinated vulnerability disclosure information

- technical solutions for secure update distribution

- software bills of materials where applicable

- the standards, specifications or other technical solutions used to meet the essential requirements

CRA Cybersecurity Risk Assessment

Does the CRA require the manufacturer to assess risks from external systems and dependencies too?

Yes.

The risk assessment is not limited to threats originating entirely inside the product. The draft guidance explains that manufacturers also need to consider cybersecurity risks arising from external networks, remote services, third-party solutions and other dependencies that can affect the product.

The CRA still regulates the product's response to those risks. It does not turn the manufacturer into the controller of the entire outside environment.

CRA Cybersecurity Risk Assessment

Does the CRA risk assessment also have to consider the impact of cybersecurity issues on health and safety?

Yes.

Article 13(2) says the manufacturer must use the risk assessment to minimise cybersecurity risks, prevent incidents and minimise their impact, including in relation to the health and safety of users.
