EU Cyber Resilience Act FAQ Known Exploitable Vulnerabilities at Launch

No.

The CRA does not require a product to be free from all vulnerabilities. It requires that, on the basis of the cybersecurity risk assessment and where applicable, the product be made available on the market without known exploitable vulnerabilities.

The CRA defines an exploitable vulnerability as a vulnerability that has the potential to be effectively used by an adversary under practical operational conditions.

That means the issue is not just whether a weakness exists in the abstract, but whether it can actually be used against the product in the conditions in which the product is expected to operate.

The CRA does not define "known" separately in Article 3, but the draft Commission guidance gives a practical interpretation.

It says an exploitable vulnerability should be regarded as known when it is listed in relevant publicly accessible vulnerability databases, such as the European vulnerability database under NIS2 or other prominent databases such as the CVE List. It may also be known through non-public information, such as coordinated disclosure by a security researcher or the manufacturer's own internal testing and analysis, and through prominent reporting in reliable media outlets. At the same time, the manufacturer still has to verify whether the reported vulnerability is real and actually applicable to its own product.

No.

The Commission FAQ says not all vulnerabilities are exploitable under practical operational conditions. Whether a vulnerability is exploitable has to be assessed case by case, taking into account the product's actual operational and technical conditions.

Potentially yes.

The Commission FAQ explains that some vulnerabilities are only exploitable in theoretical conditions, such as a lab or simulation, or only under conditions that would not occur in the product's operational environment. In those cases, the manufacturer may conclude on the basis of the risk assessment that the issue is not an exploitable vulnerability for CRA purposes.

Yes.

The Commission FAQ says exploitability has to be assessed case by case and expressly lists existing compensating controls as one of the relevant factors. So a weakness is not assessed in isolation; the manufacturer may take account of controls already in place when determining whether the product would still be placed on the market with a known exploitable vulnerability.

Yes.

The Commission FAQ states that the obligation to make the product available on the market without known exploitable vulnerabilities applies at the moment of placement on the market. After that point, the manufacturer remains subject to the separate vulnerability-handling obligations that apply during the support period.

The Commission FAQ says the manufacturer is not expected to fix that newly discovered vulnerability before the product reaches the final user, because the Annex I Part I launch-time obligation already applied at placement on the market.

But the manufacturer still has to comply with the vulnerability-handling obligations during the support period. Depending on the risk, that can mean providing a security update or other remedy without delay once the product is in use.

No, not if the vulnerability is already known and exploitable at placement on the market.

Inference from the CRA text and the Commission FAQ: Annex I Part I point (2)(a) sets a launch-time condition, and section 4.2.3 of the FAQ makes clear that the later vulnerability-handling obligations are a separate regime that applies after placement on the market. So a post-launch patch plan does not cure a product that was already being placed on the market with a known exploitable vulnerability.

Yes.

The manufacturer's responsibilities apply to the product as a whole, including integrated components. The CRA requires due diligence when integrating third-party components, and both the CRA text and the Commission FAQ make clear that vulnerability handling applies to the product in its entirety, including all integrated components.

No.

The launch-time rule is about known exploitable vulnerabilities. The separate concept of an actively exploited vulnerability appears in Article 14 reporting and uses a different definition. A vulnerability can therefore be relevant to launch compliance even if there is no reliable evidence yet that it has already been exploited by a malicious actor.

No.

The Commission FAQ discusses zero-days only in the context of Article 14 reporting and explains that they become reportable when there is reliable evidence of malicious exploitation. The CRA does not create a separate launch-time carve-out for vulnerabilities merely because no patch is yet available. The relevant launch question remains whether the vulnerability is known and exploitable when the product is placed on the market.

Yes.

The CRA requires appropriate policies and procedures to process and remediate potential vulnerabilities reported from internal or external sources. It also requires a coordinated vulnerability disclosure policy, measures to facilitate sharing information about potential vulnerabilities, and a single point of contact for vulnerability reporting. Those obligations are broader than launch alone, but they are also part of how a manufacturer can know whether the product is being placed on the market with a known exploitable vulnerability.

The CRA requires corrective action without delay.

Article 13(21) says that, from placing on the market and for the support period, manufacturers who know or have reason to believe that the product is not in conformity with Annex I must immediately take the corrective measures necessary to bring it into conformity, or withdraw or recall it, as appropriate.

No.

The draft guidance says that the mere fact a vulnerability is reported as exploitable does not by itself prove that it is exploitable in practice or applicable to the specific product concerned. The manufacturer still needs to investigate the veracity of the report and its applicability to its own product, including the actual operational conditions and any relevant mitigations. A limited period may therefore elapse between the first report and confirmation, but the guidance stresses prompt investigation and reaction.

The manufacturer has to make a risk-based launch decision.

The draft guidance says that late-stage discoveries can happen during the final stages of development, including shortly before the product enters the distribution chain. In that situation, the manufacturer must determine, on the basis of the cybersecurity risk assessment, whether the product can still be securely placed on the market in compliance with the CRA or whether the vulnerability needs to be fixed before launch. The guidance says that decision should take into account the vulnerability's severity, exploitability, potential impact, and the risks arising for the product once in use.

Yes, under the CRA's specific testing exception.

Article 4(3) says Member States must not prevent the making available on the market of unfinished software that does not comply with the CRA, provided that it is made available only for the limited period required for testing, carries a visible sign stating that it does not comply, and is not made available for purposes other than testing. Recital 37 and the Commission FAQ add that the manufacturer should still perform a risk assessment, comply to the extent possible with the product-property security requirements, and implement vulnerability handling to the extent possible. Article 4(4) adds an important limit: this exception does not apply to safety components covered by Union harmonisation legislation other than the CRA.

No.

Recital 38 says the essential cybersecurity requirements apply to each individual product when placed on the market, not just to the product type in the abstract. It gives the example that, for a product type, each individual product should have received all security patches or updates available to address relevant security issues when it is placed on the market.