FAQ item index


Indexed coverage: 1072 of 1072 items across 40 modules (updated Mar 10, 2026)
Author: Sorena AI
Published: Mar 10, 2026
Updated: Mar 10, 2026

CRA Cybersecurity Risk Assessment

If a product is intended to be integrated into another system, must the manufacturer explain its security assumptions and conditions of use in the CRA cybersecurity risk assessment and user information?

Yes.

The Commission FAQ says manufacturers should inform users and integrators about assumptions and requirements relevant to secure installation, operation and use. That follows from the CRA's focus on intended purpose, reasonably foreseeable use, conditions of use and the user information required by Annex II.

CRA Cybersecurity Risk Assessment

If interoperability or technical constraints prevent the most secure option, can the manufacturer still comply?

Yes, but only if the constraint is identified and justified in the risk assessment and the associated risks are mitigated by other appropriate measures.

The draft guidance explains that some products need to interoperate with existing systems or dependencies that limit which security measures can be applied. In those cases, manufacturers still need to assess the resulting risks, document the constraint, implement compensatory measures where needed, and reassess the position over time.

CRA Cybersecurity Risk Assessment

For a product designed before the CRA applies, is a current cybersecurity risk assessment still required?

Yes.

The March 2026 draft guidance says a manufacturer may place a product designed before the CRA's application date on the market without redesign if it carries out a current cybersecurity risk assessment and can show that the existing design already addresses the relevant risks.

The manufacturer is not required to recreate historical design evidence that does not add security value, but it still must document a current assessment and demonstrate compliance with the CRA before placement on the market.

CRA Cybersecurity Risk Assessment

Can the manufacturer rely on assumptions about professional deployment or controlled environments?

Yes, but only where those assumptions are reasonable for the product's intended purpose and reasonably foreseeable use, and are communicated clearly.

The Commission FAQ says the conditions of use considered in the risk assessment may include supervision, assistance, or other measures normally present in certain professional settings. But the manufacturer cannot ignore other reasonably foreseeable user groups. If the product is likely to be used by consumers or low-skilled users, the risk assessment and the accompanying instructions must reflect that too. Where secure deployment depends on assumptions such as a trusted environment or secure network, the manufacturer should make that clear and warn about significant resulting risks under reasonably foreseeable misuse.

CRA Cybersecurity Risk Assessment

Must the cybersecurity risk assessment look ahead over the product's expected lifetime, not just conditions at launch?

Yes.

The CRA requires the manufacturer to take into account the length of time the product is expected to be in use, and to keep the risk assessment updated as appropriate during the support period. The Commission FAQ adds that the manufacturer should prepare the product so that vulnerabilities, including vulnerabilities in components, can be handled effectively throughout that period, and may consider reasonable projections about changes in the threat landscape. Where certain risks are addressed partly through user information and instructions, those materials should be updated too.

CRA Cybersecurity Risk Assessment

Is Annex I, Part I, point (1) a separate extra requirement even if the other product-property requirements already cover the relevant risks?

Not necessarily.

The March 2026 draft guidance explains that Annex I, Part I, point (1) works as a catch-all for additional cybersecurity risks that are not otherwise adequately addressed through the other applicable product-property requirements. If the risk assessment shows that all relevant cybersecurity risks are already treated through adequate measures implementing the other applicable requirements in Annex I, Part I, point (1) is deemed fulfilled. But if additional risks remain, the manufacturer still has to implement appropriate product-level measures to address them.

CRA Cybersecurity Risk Assessment

Can one cybersecurity risk assessment cover several variants or models?

Yes, but only where the variants genuinely share the same cybersecurity profile.

The March 2026 draft guidance says a manufacturer may rely on a single cybersecurity risk assessment, a single set of technical documentation, and a single conformity assessment where the relevant variants share the same architecture, security-relevant design, intended purpose, and cybersecurity risks. Differences such as housing, colour, form factor, or other non-security-relevant characteristics do not by themselves require separate treatment. But differences that affect communication interfaces, software stacks, update mechanisms, remote connectivity, or other cybersecurity-relevant properties must be reflected in the risk assessment and documentation, and the file must be updated when a new variant changes those properties.

CRA Declaration of Conformity

Can a product be placed on the market without a declaration of conformity?

No.

Under the CRA, the manufacturer must first complete the relevant conformity assessment with a positive result and then draw up the EU declaration of conformity before placing the product on the market. The product must also be accompanied by either the full declaration or the simplified declaration.

CRA Declaration of Conformity

What CRA declaration of conformity formats are allowed?

Two formats are allowed:

- the full EU declaration of conformity using the Annex V structure

- the simplified EU declaration of conformity using the Annex VI wording and an internet address where the full text can be accessed

CRA Declaration of Conformity

What must the full declaration of conformity contain?

Annex V requires at least:

- the product name, type and identifying information

- the manufacturer or authorised representative name and address

- a statement of sole responsibility

- identification of the product that is the object of the declaration

- a statement of conformity with the relevant Union harmonisation legislation

- references to relevant harmonised standards, common specifications or cybersecurity certification used

- where applicable, the notified body's name and number, the conformity assessment procedure performed, and the certificate identification

- any additional information, plus place, date, name, function and signature details

CRA Declaration of Conformity

What must the simplified declaration contain?

The simplified declaration must follow the Annex VI wording. It states that the named product type is in compliance with Regulation (EU) 2024/2847 and must include the exact internet address where the full text of the EU declaration of conformity is available.

CRA Declaration of Conformity

Who draws up the declaration, and who is responsible for it?

Under the CRA, the manufacturer draws up the EU declaration of conformity. By doing so, the manufacturer assumes responsibility for the product's compliance.

Even where a notified body has been involved in the conformity assessment, the declaration remains the manufacturer's document. An authorised representative may keep it and provide it to authorities if the mandate allows that, but the CRA does not shift the manufacturer's underlying responsibility.

CRA Declaration of Conformity

Do importers and distributors have declaration-related duties too?

Yes.

Importers must ensure that the product is accompanied by the declaration required by Article 13(20), and they must keep a copy of the full EU declaration of conformity at the disposal of market surveillance authorities for at least 10 years after placement on the market or for the support period, whichever is longer. Distributors must verify that the manufacturer and importer have complied with the relevant documentation obligations before making the product available on the market.

CRA Declaration of Conformity

If several EU product laws apply, do you need several declarations?

Not necessarily.

Where more than one Union legal act requires an EU declaration of conformity, the CRA requires a single EU declaration of conformity covering all those acts. The Commission FAQ and the Blue Guide add that, for administrative reasons, this single declaration may be organised as a dossier containing the relevant individual declarations.

CRA Declaration of Conformity

Does the declaration need the unique identifier of each individual unit?

No, not necessarily.

The declaration has to identify the product sufficiently for traceability, but the Commission FAQ says it is not necessary for the declaration to include the unique identifier of each unit. In practice, the same version of a declaration can apply to many products manufactured in series, provided the declaration still correctly identifies the products covered by it.

CRA Declaration of Conformity

When does the declaration of conformity need to be updated?

It must be updated whenever one of its relevant elements changes.

That can include, for example:

- a new product version or other change that affects the conformity basis

- a substantial modification that leads to a new conformity assessment

- changes in the applicable Union legislation cited

- changes in the harmonised standards, common specifications or certificate references relied on

- changes in the manufacturer or authorised representative details stated in the declaration

CRA Declaration of Conformity

What happens if a product is substantially modified or put on the market under another person's name or trademark?

In those cases, the person who becomes the manufacturer for CRA purposes must take over the corresponding conformity obligations, including the declaration of conformity.

That means a new declaration may be required for the modified product, even where some existing tests or technical documentation can still be reused for unaffected aspects.

CRA Declaration of Conformity

How long must the CRA declaration of conformity be kept, and by whom?

Manufacturers must keep the EU declaration of conformity at the disposal of market surveillance authorities for at least 10 years after the product has been placed on the market or for the support period, whichever is longer.

Where applicable, the authorised representative must be able to keep it under its mandate, and importers must also keep a copy for the same period.
