FAQ item index

Author: Sorena AI
Published: Mar 10, 2026
Updated: Mar 10, 2026
CRA Essential Cybersecurity Requirements

What does Annex I Part I, point (1) mean under the Cyber Resilience Act?

It is the general product-level requirement to ensure an appropriate level of cybersecurity based on the risks.

The Commission's March 2026 draft guidance explains that this point is meant to catch additional cybersecurity risks identified by the risk assessment that are not otherwise adequately addressed by the other specific Part I requirements. In most cases, complying with the other applicable Part I requirements will also satisfy point (1), but if additional relevant risks remain, the manufacturer still has to address them at product level.

Citations
Cyber Resilience Act

Annex I Part I point (1) is the general product-level cybersecurity outcome, applied through the Article 13 risk assessment.

CRA Essential Cybersecurity Requirements

Does the CRA require products to be free from all vulnerabilities?

No.

The CRA does not require a product to be free from all vulnerabilities. For placement on the market, the relevant product requirement is that, on the basis of the cybersecurity risk assessment and where applicable, the product is made available without known exploitable vulnerabilities. After placement on the market, the manufacturer must address and remediate relevant vulnerabilities without delay in line with Part II of Annex I.

Citations
Cyber Resilience Act

Annex I Part I point (2)(a) addresses known exploitable vulnerabilities at market placement; Part II point (2) addresses later vulnerability remediation.

CRA Essential Cybersecurity Requirements

Can a manufacturer rely on its own risk appetite, product strategy or cost constraints to leave cybersecurity risks untreated?

No.

The Commission's March 2026 draft guidance says residual cybersecurity risk is assessed against the CRA's regulatory threshold, not against the manufacturer's internal risk tolerance, commercial strategy or cost preferences. If identified risks are not adequately addressed, the product cannot simply be placed on the market anyway.

Citations
Cyber Resilience Act

Article 13 and Annex I Part I point (1) make risk-based cybersecurity a regulatory product requirement, not only an internal risk-acceptance exercise.

CRA Essential Cybersecurity Requirements

Can user instructions compensate for product design shortcomings?

No.

The CRA requires manufacturers to place a compliant product on the market. Information and instructions can support secure installation, operation, integration and deployment, but they do not replace product design and vulnerability-handling duties. The Commission's March 2026 draft guidance says instructions cannot be used to compensate for product-design shortcomings or to justify leaving incompatible risks untreated.

Citations
Cyber Resilience Act

Article 13(18) and Annex II require user information and instructions, including support, update, decommissioning, and integration information.

CRA Essential Cybersecurity Requirements

How should Annex I Part I be read in practice?

Part I, point (2) is a structured set of product-security outcomes that the manufacturer must apply where relevant on the basis of the cybersecurity risk assessment.

It covers, among other things:

- no known exploitable vulnerabilities at placement on the market

- secure-by-default configuration

- the ability to address vulnerabilities through security updates

- protection from unauthorised access

- confidentiality and integrity protection

- data minimisation

- protection of essential and basic functions, including after incidents

- attack-surface reduction

- exploitation-mitigation techniques

- security-related logging and monitoring

- secure removal and transfer of data and settings

Citations
Cyber Resilience Act

Annex I Part I lists product-security outcomes including secure defaults, updates, access control, data protection, resilience, attack-surface reduction, logging, and secure removal.

CRA Essential Cybersecurity Requirements

Do the essential requirements apply only to the local device, or to the whole product as placed on the market?

They apply to the whole product.

The Commission FAQ says the cybersecurity risk assessment must cover the entire product with digital elements, including remote data processing when it is in scope and supporting functions that form part of the product. The draft guidance likewise explains that risks from external services, networks and other dependencies may need to be addressed through product-level measures so that the product as a whole complies.

Citations
Cyber Resilience Act

Article 3(1), Article 13, and Annex I require assessment and implementation at product-with-digital-elements level, including in-scope remote data processing.

CRA Essential Cybersecurity Requirements

What if a specific essential requirement is incompatible with interoperability needs or with other Union law?

The CRA recognises that this can happen, but it is not a free pass.

If a requirement is not applicable because of the nature of the product, the manufacturer must clearly justify that in the technical documentation. Recital 55 and the Commission FAQ give interoperability as an example. If cybersecurity risks still arise in relation to that inapplicable requirement, the manufacturer must address those risks by other appropriate means.

Citations
Cyber Resilience Act

Article 13(4) and recital 55 support justified non-applicability where a requirement is incompatible with the product's nature, including interoperability cases.

CRA Essential Cybersecurity Requirements

Do harmonised standards define the only acceptable way to meet the essential requirements?

No.

Harmonised standards are voluntary and do not replace the manufacturer's own duty to assess risks and demonstrate compliance. They can support conformity, but manufacturers may also use other technical means if they document how the applicable essential requirements are met.

Citations
Cyber Resilience Act

Article 27 supports presumption of conformity through harmonised standards; Article 31 and Annex VII require documentation of the solutions used.

CRA Essential Cybersecurity Requirements

How do CRA Annex I and Annex II work together on the Essential Cybersecurity Requirements and user information?

Annex I sets the substantive cybersecurity outcomes and processes that the product and manufacturer must meet. Annex II requires the manufacturer to give users the information they need to install, operate, update, integrate and decommission the product securely.

That includes, among other things, the intended purpose, security properties, significant cybersecurity-risk circumstances, support-period information, update information, secure decommissioning information, and information needed by downstream integrators.

Citations
Cyber Resilience Act

Article 13(18)-(19) and Annex II list user information needed to support secure installation, operation, updates, decommissioning, and integration.

CRA Essential Cybersecurity Requirements

How is a manufacturer expected to show that the CRA Essential Cybersecurity Requirements are actually met?

The CRA does not prescribe one evidence format, but it does require the manufacturer to document how the applicable essential requirements are met.

That means the manufacturer needs to show in the cybersecurity risk assessment and technical documentation:

- which Part I requirements are applicable

- how they are implemented

- how Part I point (1) and Part II are applied

- what technical means, standards, specifications or other solutions are used

- what testing, review or other evidence supports those conclusions

Citations
Cyber Resilience Act

Article 13, Article 31, and Annex VII require technical documentation covering risk assessment, vulnerability-handling processes, standards or other solutions, and test reports.

CRA Essential Cybersecurity Requirements

Do the Essential Cybersecurity Requirements apply only to important or critical products?

No.

The Essential Cybersecurity Requirements in Annex I apply horizontally to all products with digital elements that are in scope. The important or critical classification affects the conformity-assessment route, not whether the Annex I requirements apply in the first place.

Citations
Cyber Resilience Act

Article 6 applies Annex I to in-scope products generally; Articles 7 and 8 address important and critical classifications for additional treatment.

CRA Essential Cybersecurity Requirements

Do the Essential Cybersecurity Requirements apply to each individual unit placed on the market, even when products are manufactured in series?

Yes.

Recital 38 makes clear that the Essential Cybersecurity Requirements, including the vulnerability-handling requirements, apply to each individual product with digital elements when it is placed on the market, whether the product is manufactured as an individual unit or in series. The recital gives a practical example: each individual product placed on the market should already have received all security patches or updates available to address relevant security issues at that time.

Citations
Cyber Resilience Act

Recital 38 explains that Annex I requirements apply to each individual product placed on the market, including products manufactured in series.

CRA Essential Cybersecurity Requirements

Can a manufacturer transfer responsibility for meeting the Essential Cybersecurity Requirements to users, integrators or other third parties?

No.

The Commission's March 2026 draft guidance says the CRA does not allow the manufacturer to transfer cybersecurity risk or responsibility to users or third parties. Information and instructions can support secure deployment, operation or integration, and can inform users about residual risks, but the obligation to place a secure product on the market and demonstrate conformity with the Essential Cybersecurity Requirements remains with the manufacturer.

Citations
Cyber Resilience Act

Article 13(18) and Annex II require information and instructions, but those duties sit alongside Annex I conformity obligations.

CRA Essential Cybersecurity Requirements

If identified cybersecurity risks cannot be adequately addressed through appropriate measures, can the product still be placed on the market with warnings or accepted residual risk?

No.

The Commission's March 2026 draft guidance says that where identified risks cannot be adequately addressed through appropriate measures, compliance may require changes to the product's design, functionality or intended purpose. Cost or commercial feasibility alone is not a sufficient reason to leave such risks untreated, and warnings cannot justify placing a product on the market where the remaining risks are incompatible with the Essential Cybersecurity Requirements.

Citations
Cyber Resilience Act

Article 13 and Annex I Part I point (1) require product cybersecurity based on the assessed risks.

CRA Essential Cybersecurity Requirements

If interoperability requires a less secure measure or protocol, what do the Essential Cybersecurity Requirements expect?

The CRA allows justified constraints, but not an automatic downgrade.

Where a product must interoperate with existing systems that only support an older or less secure approach, the manufacturer may rely on that approach only if it is necessary for interoperability, the associated risks are identified and documented, and other appropriate mitigation measures are implemented. The Commission's March 2026 draft guidance adds that if it is technically feasible to support both the secure and the less secure option, the secure option is expected to be implemented and enabled by default, while the less secure option should be used only where interoperability requires it.

Citations
Cyber Resilience Act

Article 13(4) and recital 55 support documented non-applicability where an essential requirement conflicts with interoperability, while still requiring risk treatment.

CRA Hardware and Software Boundaries

Can hardware and software together be one product with digital elements under the CRA?

Yes. The CRA defines a product with digital elements as a software or hardware product and its remote data processing solutions, including software or hardware components placed on the market separately.

For a combined product, the practical question is whether the software is part of the product concept: for example, firmware, an operating system, a driver, a required companion app or a configuration tool that the hardware needs in order to perform its intended functions.

Citations
Cyber Resilience Act

Article 3(1) defines the product boundary to include software, hardware, remote data processing and separately marketed components.

CRA Hardware and Software Boundaries

Does it matter whether the software is preloaded, downloaded later or delivered through an app store?

The delivery channel is not decisive by itself. Software can still sit inside the same CRA product boundary when it is supplied for use with the hardware and is necessary for the product to work as intended.

A printer driver, a laptop operating system or an app that enables a connected device function should therefore be analysed by function and intended use, not only by the download path.

CRA Hardware and Software Boundaries

When is software more likely to be standalone software rather than part of a hardware product?

Software is more likely to be analysed as standalone when it is supplied as a product in its own right and is not necessary for a particular hardware product to perform one of its intended functions.

That does not take it outside the CRA. The Commission FAQ lists standalone downloadable software, mobile apps and programs downloaded from websites as examples of products with digital elements.

Citations
Cyber Resilience Act

Article 3(4) defines software broadly as computer code forming part of an electronic information system.

CRA Hardware and Software Boundaries

Can source code itself be software under the CRA?

Yes. The CRA definition of software is not limited to compiled binaries; it refers to computer code. The grounding notes for the draft guidance treat source code, machine code, compiled code and interpreted code as part of the software analysis.

The boundary question is not only format. Teams should also ask whether the code is supplied for distribution or use on the Union market in the course of a commercial activity, or whether it is merely sample, tutorial, demo or unfinished development material.

CRA Hardware and Software Boundaries

Is unfinished software shared for testing automatically outside CRA scrutiny?

No. Article 4(3) allows unfinished non-compliant software to be made available for testing only under limited conditions: it must be available only for the testing period and carry a visible sign that it does not comply and will not be available for purposes other than testing.

The Commission FAQ gives alpha versions, beta versions and release candidates as examples. That means a test release should be labelled, time-limited and separated from a normal product release.

Citations
Cyber Resilience Act

Article 4(3) sets the CRA conditions for unfinished software made available for testing.
