FAQEUCyber Resilience Act

EU Cyber Resilience Act FAQ Legacy Products

Understand what the Cyber Resilience Act does and does not require for products placed on the market before 11 December 2027, including Article 14 reporting and substantial modification triggers.

Built for legal, product, support, compliance, and lifecycle-management teams handling older EU product stock, updates, spare parts, and evidence records.

Back to main artifactReview sources
Author
Sorena AI
Published
Mar 10, 2026
Updated
Mar 10, 2026
Questions
22

Structured answer sets in this page tree.

Primary sources
4

Cited legal and guidance references.

Publication metadata
Sorena AI
Published Mar 10, 2026
Updated Mar 10, 2026
Overview

The Cyber Resilience Act does not use a blanket grandfathering rule for every old design. The key question is whether the individual product with digital elements was placed on the market before 11 December 2027, whether it is later substantially modified, and whether Article 14 reporting applies from 11 September 2026. This FAQ also covers distributor stock, bug-fix and feature updates, spare parts, separately marketed firmware or software, and records that help prove the legacy treatment.

Search this module

Find a question or answer quickly

22 of 22 questions
Question 1

Does the CRA apply in full to products placed on the market before 11 December 2027?

No.

Article 69(2) says products with digital elements placed on the market before 11 December 2027 are subject to the CRA requirements only if, from that date, they are subject to a substantial modification.

Citations
Cyber Resilience Act

Article 69(2) is the transition rule for products already placed on the market before 11 December 2027.

Recommended next step

Review CRA legacy-product evidence

Use Research Copilot to check whether older product units, update plans, distributor stock, and Article 14 reporting records are supported by cited CRA sources.

Research workflow
Open Research Copilot

Check a legacy-product question against CRA sources and export a cited evidence summary.

Explore next step
Talk to Sorena
Talk through implementation

Review legacy stock, update, reporting, and traceability gaps with the Sorena team.

Explore next step
Question 2

Is there any CRA obligation that still applies to pre-11 December 2027 products even if they are not substantially modified?

Yes.

Article 69(3) creates a specific derogation for reporting. It says Article 14 applies to all in-scope products that were placed on the market before 11 December 2027, and Article 71(2) says Article 14 starts to apply on 11 September 2026.

Citations
Cyber Resilience Act

Article 69(3) extends Article 14 to pre-11 December 2027 in-scope products, while Article 71(2) sets the Article 14 application date.

Question 3

If a product was already placed on the market before 11 December 2027, can it continue to be sold or otherwise made available after that date?

Yes.

The Commission FAQ explains that individual products placed on the market before 11 December 2027 do not need to be brought into CRA conformity simply because they remain in the distribution chain after that date.

Citations
Blue Guide 2022

Sections 2.2 and 2.3 distinguish placing on the market from later making available in the distribution chain.

Question 4

Do products have to reach the final user before 11 December 2027 in order to count as CRA legacy products?

No.

The Commission FAQ gives a direct example: units already placed on the market before 11 December 2027 do not need to be brought into CRA compliance even if they have not yet reached the final user. The legal question is whether the individual product was placed on the market, not whether it was already sold to the final customer or put into service.

Citations
Blue Guide 2022

Blue Guide sections 2.3 and 2.6 explain the distribution-chain and final-user concepts used to separate placement from later delivery.

Question 5

If a manufacturer designed a product type before the CRA applies, can it keep placing newly manufactured units of that type on the market after 11 December 2027?

No, not unless those newly placed units comply with the CRA.

The Commission FAQ stresses that Union harmonisation legislation, including the CRA, applies to individual products, not to abstract product types or models. So a product is not grandfathered just because an earlier unit of the same type was placed on the market before 11 December 2027.

Citations
Blue Guide 2022

Blue Guide sections 2.2 and 2.3 support the individual-product placement analysis used for later manufactured units.

Question 6

What happens if a pre-11 December 2027 product is substantially modified after that date?

Then the CRA starts to apply to that product.

Article 69(2) makes substantial modification the trigger. The CRA definition in Article 3(30) covers changes made after placing on the market that affect compliance with the essential cybersecurity requirements in Annex I Part I or change the intended purpose for which the product was assessed.

Citations
Cyber Resilience Act

Article 69(2) uses substantial modification as the transition trigger; Article 3(30) and recital 41 explain the concept.

Question 7

If a legacy product receives a bug-fix or security update after 11 December 2027, does that automatically bring the product into the CRA?

No.

The Commission FAQ gives a direct example: a smart TV placed on the market before 11 December 2027 does not become subject to full CRA requirements merely because it receives a later bug-fix update. Recital 39 of the CRA also says that a security update designed to decrease cybersecurity risk, without modifying intended purpose, is not considered a substantial modification.

Citations
Cyber Resilience Act

Recital 39 explains why security updates that reduce risk without changing intended purpose are not substantial modifications.

Question 8

What is an example of a post-2027 change that would bring a legacy product into the CRA?

The Commission FAQ gives an example where a smart TV placed on the market before 11 December 2027 later receives an update enabling smart-home control. The FAQ treats that as a substantial modification.

That result is consistent with recital 39, which says feature updates that modify original intended functions or the type or performance of the product and increase cybersecurity risk should be treated as substantial modifications.

Citations
Cyber Resilience Act

Recital 39 supports the distinction between risk-reducing security updates and feature updates that broaden attack surface.

Question 9

Do maintenance, repair, or refurbishment of Legacy Products automatically count as substantial modifications under the CRA?

No.

Recital 42 says refurbishment, maintenance, and repair do not necessarily lead to a substantial modification. That will depend on whether the intended purpose and functionalities change and whether the level of risk remains unaffected.

Citations
Cyber Resilience Act

Recital 42 explains that repair, maintenance, and refurbishment are not automatically substantial modifications.

Question 10

If a legacy product becomes substantially modified, who is treated as the manufacturer of the modified product?

The person who carries out the substantial modification and makes the product available on the market is treated as the manufacturer for CRA purposes.

That can be the original manufacturer, but it can also be an importer, distributor, or another natural or legal person. Article 21 covers importers and distributors, and Article 22 covers other persons that substantially modify products and make them available on the market.

Citations
Cyber Resilience Act

Articles 21 and 22 identify when importers, distributors, or other persons become manufacturers after substantial modification.

Question 11

If a legacy product is substantially modified, does the CRA apply only to the changed feature or to the product more broadly?

That depends on the impact of the modification.

Article 22(2) says the person carrying out the substantial modification is subject to Articles 13 and 14 for the part of the product affected by the substantial modification or, if the substantial modification has an impact on the cybersecurity of the product as a whole, for the entire product.

Citations
Cyber Resilience Act

Article 22(2) explains whether the modified part or the whole product falls under Articles 13 and 14.

Question 12

If a distributor is selling pre-11 December 2027 stock after the CRA applies, does the distributor have to bring that stock into compliance?

No, not on that basis alone.

The Commission FAQ says distributors are not required to bring into compliance products that were already placed on the market before 11 December 2027, unless they themselves carry out a substantial modification.

Citations
Cyber Resilience Act

Article 21 matters because a distributor that carries out a substantial modification is treated as a manufacturer.

Question 13

Do identical spare parts for CRA legacy products fall outside the CRA?

Often yes.

Article 2(6) excludes spare parts made available on the market to replace identical components in products with digital elements where the spare parts are manufactured according to the same specifications as the components they are intended to replace. Recital 29 adds that this exemption is meant to cover spare parts used to repair legacy products made available before the CRA's date of application.

Citations
Cyber Resilience Act

Article 2(6) defines the identical-spare-part exclusion; recital 29 ties it to repair of legacy products.

Question 14

If the replacement part is not identical, is it automatically a substantial modification of the old product?

Not automatically.

Inference from the CRA text: Article 2(6) only answers whether the identical spare-parts exemption applies. Whether installing a non-identical replacement part becomes a substantial modification is a separate question that still turns on Article 3(30), meaning whether the change affects Annex I Part I compliance or changes the intended purpose for which the product was assessed.

Citations
Question 15

For CRA legacy products placed on the market before 11 December 2027, when do the reporting obligations start in practice?

They start on 11 September 2026.

That is the date Article 14 begins to apply under Article 71(2). The Commission FAQ confirms that, from that date, Article 14 applies even to in-scope products that had been placed on the market before 11 December 2027.

Citations
Cyber Resilience Act

Article 69(3) applies Article 14 to pre-application products; Article 71(2) makes Article 14 applicable from 11 September 2026.

Question 16

For those CRA legacy products, do the early reporting rules mean the manufacturer must also bring the whole product into full CRA conformity?

No.

The Commission FAQ says that, for products placed on the market before 11 December 2027, manufacturers are required to comply with the Article 14 reporting obligations, but those products are not otherwise brought into the full CRA regime unless they are substantially modified. Article 69(3) is a derogation specifically for Article 14.

Citations
Cyber Resilience Act

Article 69(2) preserves the substantial-modification trigger, while Article 69(3) creates only an Article 14 reporting derogation.

Question 17

If units were already manufactured before 11 December 2027 but were not first placed on the market until after that date, are they CRA legacy products?

No.

The Commission FAQ says Union harmonisation legislation, including the CRA, applies to individual products, not abstract product types. It also says only individual products that have been placed on the market before 11 December 2027 escape the full CRA regime. So manufacturing, warehousing, or holding stock before that date is not enough by itself if the unit is first placed on the market on or after 11 December 2027.

Citations
Blue Guide 2022

Blue Guide sections 2.2 and 2.3 explain why manufacturing or warehousing is not the same as first placing on the market.

Question 18

If a legacy-era product was designed before the CRA applies but is first placed on the market after 11 December 2027, does the manufacturer have to recreate historical design and test files?

No, not necessarily.

The draft guidance says a product designed before the CRA's date of application can still be placed on the market after the CRA starts applying, provided the manufacturer can demonstrate current compliance through the cybersecurity risk assessment and technical documentation. Where it is not possible to show how the original design phase took the risk assessment into account, the manufacturer may document a current risk assessment and explain how the existing design mitigates the identified risks. The guidance expressly says the manufacturer is not required to recreate historical design or test documentation just for that purpose.

Citations
Cyber Resilience Act

Article 13 and Annex VII require a current cybersecurity risk assessment and technical documentation for products placed on the market after the CRA applies.

Question 19

For CRA legacy products covered only by the Article 14 derogation, when does the reporting obligation arise in time?

It applies from 11 September 2026 and, according to the Commission FAQ, upon becoming aware following that date.

Article 71(2) brings Article 14 into application on 11 September 2026. The Commission FAQ then says that, for pre-11 December 2027 products, the obligation to notify applies upon becoming aware following the entry into application of the reporting requirements.

Citations
Cyber Resilience Act

Article 69(3) applies Article 14 to pre-application products and Article 71(2) sets the 11 September 2026 start date.

Question 20

If a legacy product is old enough that the manufacturer can no longer realistically investigate or patch it, what still has to be done under the CRA?

The Commission FAQ still expects notification under Article 14 and user information where applicable, but not the full vulnerability-handling regime solely because of Article 69(3).

The FAQ gives examples such as missing tooling, unavailable build environments, incompatible dependencies, or departed staff. In that situation, for products placed on the market before 11 December 2027, the manufacturer is still required to notify the vulnerability or incident and Article 14(8) may still require informing impacted users. But the FAQ also says those products are not required, on that basis alone, to comply with other CRA obligations such as vulnerability handling.

Citations
Cyber Resilience Act

Article 14 creates the reporting and user-information obligation; Articles 69(3) and 71(2) apply it to pre-application products from 11 September 2026.

Question 21

If legacy hardware remains outside full CRA application, can its firmware or software still fall under the CRA when placed on the market separately?

Yes.

The Commission FAQ's legacy-product example includes an explicit note that firmware referred to in those examples may still fall in scope when placed on the market separately. That reflects the CRA's product-by-product approach: a legacy hardware unit can stay outside the full CRA regime unless substantially modified, while separately marketed software or firmware may still be assessed on its own placement on the market.

Citations
Question 22

What records should a manufacturer, importer, or distributor keep to support CRA legacy-product treatment?

Keep records that prove the individual product's status, not only the model name.

Useful records include the first placing-on-the-market date for the affected units, batch or serial identifiers, supply-chain handover records, distributor stock records, the evidence used to decide whether an update, repair, refurbishment, or replacement part was a substantial modification, Article 14 notifications and user communications from 11 September 2026 onward, and economic-operator traceability records. If a legacy-era design is first placed on the market after 11 December 2027, keep the current cybersecurity risk assessment and technical documentation showing CRA conformity instead of relying on the old design date.

Citations
Cyber Resilience Act

Article 23 requires economic operators to identify suppliers and recipients for 10 years; Article 31 and Annex VII describe technical documentation for products placed on the market under the CRA.

Blue Guide 2022

Blue Guide sections on placing on the market and traceability support keeping unit-level evidence for market-surveillance questions.

Primary sources

References and citations

Blue Guide 2022
eur-lex.europa.eu
Referenced sections
  • Blue Guide sections on placing on the market and traceability support keeping unit-level evidence for market-surveillance questions.
"Traceability enables market surveillance authorities"
Cyber Resilience Act
data.europa.eu
Referenced sections
  • Article 23 requires economic operators to identify suppliers and recipients for 10 years; Article 31 and Annex VII describe technical documentation for products placed on the market under the CRA.
"for 10 years after they have supplied the product"
European Commission CRA FAQs (January 2026)
ec.europa.eu
Referenced sections
  • Sections 5.3 and 7.2 support records for Article 14 reporting, old-product investigation limits, and individual-unit legacy treatment.
"applies to individual products, and not product types"
Related guides

Explore more topics

CRA Applicability Test for Products With Digital Elements
Check whether the EU Cyber Resilience Act applies to a hardware, software, firmware, open-source, or connected product before conformity planning.
CRA Article 14 Reporting Obligations for Vulnerabilities and Incidents
Article 14 guide to CRA reports for actively exploited vulnerabilities and severe product-security incidents, including deadlines, CSIRT routing, users, and evidence.
CRA Blue Guide Concepts FAQ | Placing on the Market, Making Available, Distance Sales
CRA FAQ explaining Blue Guide market-access concepts for products with digital elements: placing on the market, making available, imports, CE marking, operator roles, online sales, stock, and testing exceptions.
CRA CE Marking FAQ | Conformity Assessment, EU Declaration, Evidence
Practical CRA CE marking answers for products with digital elements: conformity assessment, EU declaration, technical documentation, standards, software placement, and launch evidence.
CRA Component Due Diligence FAQ | Third-Party Software, FOSS, SBOMs
Cyber Resilience Act FAQ on manufacturer due diligence for integrated components, third-party software, FOSS dependencies, SBOMs, vulnerability handling, and evidence records.
CRA Conformity Assessment and CE Marking
How to choose a Cyber Resilience Act conformity route, prepare technical documentation, issue the EU declaration of conformity, and affix CE marking.
CRA Conformity Assessment Routes FAQ | Module A, Module B+C, Module H, Important and Critical Products
Cyber Resilience Act FAQ on when manufacturers can use module A, when module B+C or module H is required, and how important and critical products affect the route.
CRA Cybersecurity Risk Assessment FAQ | Article 13, Annex I, Updates
CRA FAQ on Article 13 cybersecurity risk assessments, Annex I applicability, intended purpose, foreseeable use, technical documentation, and update evidence.
CRA deadlines and compliance calendar | EU Cyber Resilience Act
Track the Cyber Resilience Act entry into force, staged application dates, Article 14 reporting deadlines, transitional rules, and review dates.
CRA Declaration of Conformity FAQ | Annex V, Simplified Declaration, CE Marking
FAQ on the Cyber Resilience Act EU Declaration of Conformity: Annex V contents, simplified Annex VI wording, CE marking link, technical documentation, retention, updates, and operator duties.
CRA Economic Operators FAQ | Manufacturers, Importers, Distributors, Authorised Representatives
CRA FAQ on economic-operator roles: manufacturers, importers, distributors, authorised representatives, substantial modification, traceability, and evidence controls.
CRA Essential Cybersecurity Requirements FAQ | Annex I Part I and Part II
CRA FAQ on Annex I product cybersecurity requirements, vulnerability handling, secure-by-default design, risk assessment, documentation, lifecycle duties, and user information.
CRA Essential Cybersecurity Requirements in Annex I
A grounded guide to the Cyber Resilience Act Annex I requirements for product security, vulnerability handling, secure-by-design controls, documentation, and evidence.
CRA Hardware and Software Boundaries FAQ | Product Scope, Components, RDPS
FAQ on Cyber Resilience Act hardware and software boundaries: combined products, standalone software, source code, components, remote data processing, SaaS and market-placement changes.
CRA Harmonised Standards FAQ | Presumption of Conformity, Common Specifications
Cyber Resilience Act FAQ on how harmonised standards, common specifications, certification schemes, and OJ publication affect CRA conformity evidence.
CRA Important and Critical Products FAQ | Annex III, Annex IV, Conformity Assessment
FAQ on CRA important and critical products, Annex III and Annex IV classification, core functionality, and conformity assessment consequences.
CRA Integrated Components and Dependencies FAQ | Third-Party Software and SBOM Evidence
Cyber Resilience Act FAQ on integrated components, third-party software, remote data processing, SBOM-style evidence, upstream fixes, FOSS dependencies, and manufacturer responsibility.
CRA Interplay With EU Product Laws FAQ | RED, Machinery, Data Act
Grounded CRA FAQ on overlap with the Radio Equipment Directive, Machinery Regulation, GPSR, Data Act, exclusions, declarations, documentation, and existing certificates.
CRA Known Exploitable Vulnerabilities at Launch FAQ
FAQ for Cyber Resilience Act launch decisions: known exploitable vulnerabilities, CVEs, component flaws, secure-by-default settings, release gates, Article 14 reporting, and evidence.
CRA Manufacturer Obligations FAQ | Article 13, Annex I, CE Marking
FAQ for Cyber Resilience Act manufacturers covering Article 13 duties, risk assessment, Annex I, vulnerability handling, support periods, documentation, conformity assessment, reporting, CE marking, and evidence controls.
CRA Market Surveillance and Enforcement FAQ | Authorities, Corrective Action, Safeguards
Cyber Resilience Act FAQ on market-surveillance authorities, investigations, corrective action, withdrawal, recall, safeguards, sweeps, documentation access, and penalties.
CRA Module B+C FAQ | EU-Type Examination, Conformity to Type, Notified Bodies
CRA Module B+C FAQ explaining EU-type examination, conformity to type, notified-body evidence, production control, CE marking, declarations, and certificate changes.
CRA Module H FAQ | Full Quality Assurance, Notified Body Surveillance, CE Marking
CRA Module H FAQ explaining the full-quality-assurance route, notified-body assessment, quality-system scope, technical documentation, CE marking, declarations, and records.
CRA Notified Bodies FAQ | Scope, Modules B+C and H, Certificates
Practical CRA FAQ on when notified bodies are needed, how CRA bodies are designated, what their notified scope means, and how Module B+C and Module H assessments work.
CRA Open-Source Software FAQ | FOSS Scope, Stewards, Manufacturers
Cyber Resilience Act FAQ for free and open-source software: commercial activity, steward duties, manufacturer due diligence, vulnerability handling, public documentation, and user obligations.
CRA Over-the-Air Updates FAQ
Cyber Resilience Act FAQ on OTA updates, automatic security updates, secure update distribution, support-period evidence, and offline update paths.
CRA penalties and fines FAQ | Article 64 fine caps
FAQ on EU Cyber Resilience Act Article 64 penalties: maximum fine tiers, turnover caps, national enforcement, economic operators, reporting duties, and open-source steward carve-outs.
CRA Penalties and Fines: Article 64 Caps and Enforcement Context
Article 64 of the EU Cyber Resilience Act sets administrative fine ceilings for Annex I, manufacturer, reporting, economic-operator, notified-body, and information-request breaches.
CRA Product Families FAQ | Variants, Shared Assessments, Family Reuse, Conformity Scope
CRA FAQ on product families, variant grouping, shared technical documentation, conformity evidence, and when cybersecurity-relevant differences need separate assessment.
CRA Products with Digital Elements Scope | EU Cyber Resilience Act
Apply the EU Cyber Resilience Act scope test for software, hardware, remote data processing, components, open-source software, exclusions, and economic-operator roles.
CRA Products With Digital Elements Scope FAQ
EU Cyber Resilience Act FAQ on products with digital elements, software, firmware, remote data processing, components, exclusions, market placement, and CRA operator boundaries.
CRA Remote Data Processing Solutions FAQ | Product Scope, Cloud and Backend Boundaries
FAQ on how the EU Cyber Resilience Act treats remote data processing solutions, manufacturer-controlled backends, third-party cloud services, SaaS, risk assessment, documentation, and user information.
CRA Reporting Obligations FAQ | Article 14, CSIRTs, ENISA, User Notices
Cyber Resilience Act FAQ on Article 14 reporting for actively exploited vulnerabilities and severe incidents, including timing, CSIRT routing, ENISA access, user notices, and evidence.
CRA Requirements | Annex I, Manufacturer Duties and CE Evidence
Map Cyber Resilience Act requirements from Annex I to manufacturer duties, vulnerability handling, user information, technical documentation, declaration of conformity, and CE marking evidence.
CRA SBOM and Vulnerability Management Template
Build a CRA-ready SBOM and vulnerability handling record with component inventory, triage, remediation, disclosure, reporting, update, and technical documentation fields.
CRA Secure-by-Default FAQ | Default Configuration and Annex I Controls
Cyber Resilience Act FAQ on secure-by-default configuration, automatic security updates, attack surface reduction, authentication, data minimisation, user information, and tailor-made products.
CRA Security Updates vs Functionality Updates FAQ
Cyber Resilience Act FAQ on classifying security updates, functionality updates, support-period duties, automatic updates, user notices, and substantial-modification review.
CRA Substantial Modification FAQ | Updates, Repairs, Manufacturer Duties
Cyber Resilience Act FAQ on when software updates, repairs, spare parts, and post-market changes become substantial modifications and trigger CRA manufacturer, evidence, and conformity duties.
CRA Support Period FAQ | Expected Product Lifetime, Security Updates, User Information
Practical CRA FAQ on how manufacturers determine support periods, disclose support end dates, keep security updates available, and document support-period evidence.
CRA Tailor-Made Products FAQ | Bespoke Products, Market Placement, Evidence
FAQ on when a bespoke product may be treated as tailor-made under the EU Cyber Resilience Act, what the carve-out changes, and what manufacturers still need to document.
CRA Technical Documentation FAQ | Annex VII Evidence and Technical File
CRA FAQ explaining Annex VII technical documentation, risk assessment evidence, conformity assessment files, vulnerability handling records, product families, RDPS, language, and authority access.
CRA Transition Period FAQ | Entry Into Force, Application Dates, Reporting, Legacy Products
CRA FAQ on the transition period covering entry into force, 2026 reporting, 2027 application, legacy products, stock, customs timing, and software versions.
CRA Update Availability and Software Archives FAQ
FAQ on CRA security-update availability, support-period notices, optional public software archives, historical versions, and Article 13(10) software-version limits.
CRA User Information and Transparency FAQ | Annex II Instructions
Practical CRA FAQ on Annex II user instructions, support-period disclosure, vulnerability contacts, update notices, importer and distributor information.
CRA vs RED Cybersecurity Delegated Act
Compare the EU Cyber Resilience Act with the RED cybersecurity delegated act for connected and radio equipment, including scope, timing, evidence, and transition treatment.
CRA vs UK PSTI Act | Cyber Resilience Act Comparison
Compare grounded EU Cyber Resilience Act duties with UK PSTI planning points, with UK legal details clearly marked for separate source review.
CRA Vulnerability Handling and Disclosure | Article 14 Reporting and Security Updates
How EU Cyber Resilience Act manufacturers should run vulnerability intake, remediation, coordinated disclosure, Article 14 reporting, secure updates, and evidence records.
CRA Vulnerability Handling FAQ | Support Periods, Components, Reporting
Practical CRA FAQ on vulnerability handling: SBOMs, remediation, coordinated disclosure, component issues, security updates, support periods, Article 14 reporting, and user notices.
Cyber Resilience Act Module A FAQ | Internal Production Control
FAQ on when CRA Module A internal production control is available, when it is blocked, and what documentation, testing, standards, and evidence it still requires.
EU CRA Compliance Program for Manufacturers and Economic Operators
Build a Cyber Resilience Act compliance program around product scope, Annex I security requirements, conformity assessment, technical documentation, vulnerability reporting, and market surveillance.
EU Cyber Resilience Act Checklist for Product Security and CE Marking
A CRA checklist for products with digital elements: scope, Annex I security controls, vulnerability handling, Article 14 reporting, technical documentation, conformity assessment, CE marking, and support-period evidence.
EU Cyber Resilience Act Core Functionality FAQ | CRA Product Classification
CRA FAQ on core functionality, product boundaries, remote data processing, integrated components, ancillary functions, and software changes that affect product classification.
EU Cyber Resilience Act FAQ
Direct CRA FAQ answers on scope, economic-operator roles, essential requirements, vulnerability reporting, conformity assessment, CE marking, support periods, and market surveillance.
EU Cyber Resilience Act Repairs and Spare Parts FAQ
CRA FAQ for repairs, spare parts, legacy products, security updates, substantial modification, and responsibility after product changes.
EU Cyber Resilience Act Technical Documentation and Audit File
Build an audit-ready CRA technical file around Article 31 and Annex VII: product scope, risk assessment, vulnerability handling, conformity evidence, testing, and retention.