EU Cyber Resilience Act FAQ Legacy Products

No.

Article 69(2) says products with digital elements placed on the market before 11 December 2027 are subject to the CRA requirements only if, from that date, they are subject to a substantial modification.

Yes.

Article 69(3) creates a specific derogation for reporting. It says Article 14 applies to all in-scope products that were placed on the market before 11 December 2027, and Article 71(2) says Article 14 starts to apply on 11 September 2026.

Yes.

The Commission FAQ explains that individual products placed on the market before 11 December 2027 do not need to be brought into CRA conformity simply because they remain in the distribution chain after that date.

No.

The Commission FAQ gives a direct example: units already placed on the market before 11 December 2027 do not need to be brought into CRA compliance even if they have not yet reached the final user. The legal question is whether the individual product was placed on the market, not whether it was already sold to the final customer or put into service.

No, not unless those newly placed units comply with the CRA.

The Commission FAQ stresses that Union harmonisation legislation, including the CRA, applies to individual products, not to abstract product types or models. So a product is not grandfathered just because an earlier unit of the same type was placed on the market before 11 December 2027.

Then the CRA starts to apply to that product.

Article 69(2) makes substantial modification the trigger. The CRA definition in Article 3(30) covers changes made after placing on the market that affect compliance with the essential cybersecurity requirements in Annex I Part I or change the intended purpose for which the product was assessed.

No.

The Commission FAQ gives a direct example: a smart TV placed on the market before 11 December 2027 does not become subject to full CRA requirements merely because it receives a later bug-fix update. Recital 39 of the CRA also says that a security update designed to decrease cybersecurity risk, without modifying intended purpose, is not considered a substantial modification.

The Commission FAQ gives an example where a smart TV placed on the market before 11 December 2027 later receives an update enabling smart-home control. The FAQ treats that as a substantial modification.

That result is consistent with recital 39, which says feature updates that modify original intended functions or the type or performance of the product and increase cybersecurity risk should be treated as substantial modifications.

No.

Recital 42 says refurbishment, maintenance, and repair do not necessarily lead to a substantial modification. That will depend on whether the intended purpose and functionalities change and whether the level of risk remains unaffected.

The person who carries out the substantial modification and makes the product available on the market is treated as the manufacturer for CRA purposes.

That can be the original manufacturer, but it can also be an importer, distributor, or another natural or legal person. Article 21 covers importers and distributors, and Article 22 covers other persons that substantially modify products and make them available on the market.

That depends on the impact of the modification.

Article 22(2) says the person carrying out the substantial modification is subject to Articles 13 and 14 for the part of the product affected by the substantial modification or, if the substantial modification has an impact on the cybersecurity of the product as a whole, for the entire product.

No, not on that basis alone.

The Commission FAQ says distributors are not required to bring into compliance products that were already placed on the market before 11 December 2027, unless they themselves carry out a substantial modification.

Often yes.

Article 2(6) excludes spare parts made available on the market to replace identical components in products with digital elements where the spare parts are manufactured according to the same specifications as the components they are intended to replace. Recital 29 adds that this exemption is meant to cover spare parts used to repair legacy products made available before the CRA's date of application.

Not automatically.

Inference from the CRA text: Article 2(6) only answers whether the identical spare-parts exemption applies. Whether installing a non-identical replacement part becomes a substantial modification is a separate question that still turns on Article 3(30), meaning whether the change affects Annex I Part I compliance or changes the intended purpose for which the product was assessed.

They start on 11 September 2026.

That is the date Article 14 begins to apply under Article 71(2). The Commission FAQ confirms that, from that date, Article 14 applies even to in-scope products that had been placed on the market before 11 December 2027.

No.

The Commission FAQ says that, for products placed on the market before 11 December 2027, manufacturers are required to comply with the Article 14 reporting obligations, but those products are not otherwise brought into the full CRA regime unless they are substantially modified. Article 69(3) is a derogation specifically for Article 14.

No.

The Commission FAQ says Union harmonisation legislation, including the CRA, applies to individual products, not abstract product types. It also says only individual products that have been placed on the market before 11 December 2027 escape the full CRA regime. So manufacturing, warehousing, or holding stock before that date is not enough by itself if the unit is first placed on the market on or after 11 December 2027.

No, not necessarily.

The draft guidance says a product designed before the CRA's date of application can still be placed on the market after the CRA starts applying, provided the manufacturer can demonstrate current compliance through the cybersecurity risk assessment and technical documentation. Where it is not possible to show how the original design phase took the risk assessment into account, the manufacturer may document a current risk assessment and explain how the existing design mitigates the identified risks. The guidance expressly says the manufacturer is not required to recreate historical design or test documentation just for that purpose.

It applies from 11 September 2026 and, according to the Commission FAQ, upon becoming aware following that date.

Article 71(2) brings Article 14 into application on 11 September 2026. The Commission FAQ then says that, for pre-11 December 2027 products, the obligation to notify applies upon becoming aware following the entry into application of the reporting requirements.

The Commission FAQ still expects notification under Article 14 and user information where applicable, but not the full vulnerability-handling regime solely because of Article 69(3).

The FAQ gives examples such as missing tooling, unavailable build environments, incompatible dependencies, or departed staff. In that situation, for products placed on the market before 11 December 2027, the manufacturer is still required to notify the vulnerability or incident and Article 14(8) may still require informing impacted users. But the FAQ also says those products are not required, on that basis alone, to comply with other CRA obligations such as vulnerability handling.

Yes.

The Commission FAQ's legacy-product example includes an explicit note that firmware referred to in those examples may still fall in scope when placed on the market separately. That reflects the CRA's product-by-product approach: a legacy hardware unit can stay outside the full CRA regime unless substantially modified, while separately marketed software or firmware may still be assessed on its own placement on the market.