EU Cyber Resilience Act FAQ Manufacturer Obligations

Under the CRA, the manufacturer is the natural or legal person who develops or manufactures a product with digital elements, or has it designed, developed, or manufactured, and markets it under its own name or trademark, whether for payment, monetisation, or free of charge.

The manufacturer has two central duties.

First, when placing a product with digital elements on the market, it must ensure that the product has been designed, developed, and produced in accordance with the essential cybersecurity requirements in Annex I Part I. Second, when placing the product on the market and for the support period, it must ensure that vulnerabilities of the product, including its components, are handled effectively in accordance with Annex I Part II.

No.

Article 13 requires the manufacturer to take the cybersecurity risk assessment into account during planning, design, development, production, delivery, and maintenance. The CRA therefore covers both pre-market design and post-market vulnerability handling.

Yes.

The manufacturer must undertake a cybersecurity risk assessment for the product and use it to minimise cybersecurity risks, prevent incidents, and minimise their impact, including in relation to users' health and safety.

No.

The CRA does not mandate a single methodology. The manufacturer may choose its approach, but it still has to identify the relevant risks, document how those risks were treated, and be able to demonstrate compliance to market surveillance authorities.

At minimum, it must analyse cybersecurity risks based on the intended purpose, reasonably foreseeable use, the conditions of use such as the operational environment or assets to be protected, and the length of time the product is expected to be in use.

It must also indicate whether and how Annex I Part I point (2) applies, how those requirements are implemented, and how the manufacturer applies Annex I Part I point (1) and Annex I Part II. The Commission FAQ also states that the risk assessment needs to cover the entire product with digital elements, including remote data processing when in scope and supporting functions that form part of the product.

Yes.

The CRA says the risk assessment must be documented and updated as appropriate during the support period. The manufacturer must also systematically document relevant cybersecurity aspects, including vulnerabilities it becomes aware of and relevant information provided by third parties, and update the risk assessment where applicable.

No.

The manufacturer must determine, on the basis of the cybersecurity risk assessment, which Annex I Part I requirements are relevant to the product. Where certain essential cybersecurity requirements are not applicable, the manufacturer must include a clear justification in the technical documentation. By contrast, the vulnerability-handling requirements in Annex I Part II apply throughout the support period.

No.

Article 13(4) allows justified non-applicability, but recital 55 and the Commission FAQ make clear that the manufacturer still has to assess the resulting risks and address them by other means where needed, for example through limits on intended use or user information.

Yes.

The manufacturer must exercise due diligence when integrating third-party components so those components do not compromise the cybersecurity of the product. This expressly includes free and open-source software components that were not made available on the market in the course of a commercial activity.

No.

The Commission FAQ says manufacturers can integrate components that do not bear the CE marking, but they still have to exercise due diligence to ensure those components do not compromise the cybersecurity of the finished product.

The manufacturer must report the vulnerability to the person or entity manufacturing or maintaining that component and must address and remediate the vulnerability in accordance with Annex I Part II. If the manufacturer developed a software or hardware modification to address the vulnerability, it must share the relevant code or documentation with the component manufacturer or maintainer where appropriate.

The support period must reflect the length of time during which the product is expected to be in use.

Article 13(8) says the manufacturer must take into account, in particular, reasonable user expectations, the nature of the product including its intended purpose, and relevant Union law determining product lifetime. It may also take into account the support periods of similar products, the availability of the operating environment, the support periods of core third-party components, and relevant ADCO or Commission guidance.

Yes, in most cases.

Article 13(8) says the support period must be at least five years, unless the product is expected to be in use for less than five years, in which case the support period corresponds to that expected use time. Where the product is reasonably expected to be in use for longer than five years, the support period should be longer.

It must ensure effective vulnerability handling for the product, including its components, in line with Annex I Part II.

That includes addressing and remediating vulnerabilities without delay in relation to the risks posed, applying regular tests and reviews, maintaining coordinated vulnerability disclosure arrangements, facilitating vulnerability reporting, and securely distributing updates.

No.

The Commission FAQ says the CRA does not require a dedicated patch for every vulnerability. The manufacturer must assess the relevance and risk of the vulnerability and ensure that an appropriate remedy is put in place without delay. Depending on the risk, that remedy might be a patch, a mitigation, updated instructions, or another corrective measure.

Not in that sense.

The Commission FAQ says the manufacturer's duty is to make security updates available and to provide the mechanisms required by the CRA, including automatic installation where applicable, user notification, and secure distribution. But the CRA does not make the manufacturer responsible where a user does not install available updates, for example after opting out.

Yes.

Each security update made available during the support period must remain available for at least 10 years after issuance or for the remainder of the support period, whichever is longer.

In some cases, yes.

Where the manufacturer has placed subsequent substantially modified versions of a software product on the market, it may ensure compliance with Annex I Part II point (2) only for the latest version it placed on the market, provided that users of earlier versions have access to that latest version free of charge and without additional hardware or software adjustment costs.

Yes.

The CRA allows public software archives that improve access to historical versions. If the manufacturer does this, users must be clearly informed in an easily accessible manner about the risks associated with using unsupported software.

Before placing the product on the market, the manufacturer must draw up the technical documentation, carry out the applicable conformity assessment procedure or have it carried out, draw up the EU declaration of conformity once conformity is demonstrated, and affix the CE marking.

For at least 10 years after placing the product on the market or for the support period, whichever is longer.

Yes.

The manufacturer must ensure that procedures are in place so products that are part of a series of production remain in conformity. It must adequately take into account changes in development, production, design, product characteristics, and relevant harmonised standards, certification schemes, or common specifications.

The manufacturer must ensure that the product bears a type, batch, serial number, or other identifying element. It must also indicate its name, trade name or trademark, and postal address and email address or other digital contact details and, where applicable, website, on the product, packaging, or accompanying document.

That same contact information must also be included in the information and instructions to the user.

Yes.

The manufacturer must designate a single point of contact so users can communicate directly and rapidly with it, including for vulnerability reporting. The single point of contact must be easily identifiable, must let users choose their preferred means of communication, and must not limit communication to automated tools.

Yes.

The manufacturer must ensure that the product is accompanied by the Annex II information and instructions, in paper or electronic form, in a language easily understood by users and market surveillance authorities. They must be clear, understandable, intelligible, and legible and must allow secure installation, operation, and use.

Yes.

The manufacturer must clearly and understandably specify the end date of the support period, at least month and year, at the time of purchase in an easily accessible manner and, where applicable, on the product, packaging, or by digital means. Where technically feasible, it must also notify users when the product has reached the end of its support period.

Yes, either in full or in simplified form.

The manufacturer must provide either a copy of the full EU declaration of conformity or a simplified EU declaration of conformity with the product. If the simplified version is used, it must contain the exact internet address where the full declaration can be accessed.

Yes.

Under Article 14, the manufacturer must notify actively exploited vulnerabilities and severe incidents having an impact on the security of the product. The key CRA deadlines are an early warning within 24 hours of becoming aware and a fuller notification within 72 hours. After that, the final report deadline differs: for an actively exploited vulnerability it is no later than 14 days after a corrective or mitigating measure is available, while for a severe incident it is within one month after the incident notification.

Yes.

Article 14(8) requires the manufacturer to inform impacted users, and where appropriate all users, of the vulnerability or incident and any risk-mitigation or corrective measures users can deploy. If the manufacturer does not inform users in a timely manner, the notified CSIRTs may do so where necessary and proportionate.

No.

Article 18(2) says the obligations in Article 13(1) to (11), Article 13(12) first subparagraph, and Article 13(14) cannot form part of the authorised representative's mandate. Those remain the manufacturer's own responsibilities.

From placing on the market and for the support period, the manufacturer must immediately take the corrective measures necessary to bring the product or the manufacturer's processes into conformity, or withdraw or recall the product as appropriate.

The manufacturer must provide, in paper or electronic form and in a language easily understood by the authority, all information and documentation necessary to demonstrate conformity. It must also cooperate with the authority on measures taken to eliminate cybersecurity risks posed by the product.

Before the cessation takes effect, the manufacturer must inform the relevant market surveillance authorities and, by any means available and to the extent possible, the users of the relevant products placed on the market.

Yes.

The Commission FAQ says the manufacturer may carry out a single risk assessment covering different applicable legislation or separate assessments for each instrument. What matters is that the manufacturer remains able to demonstrate compliance with each individual act. For CRA purposes, the assessment still has to cover the entire product with digital elements, including any in-scope remote data processing and supporting functions that form part of the product.

No.

Under the CRA definition, a manufacturer can still be the manufacturer where it has the product designed, developed, or manufactured and places it on the market under its own name or trademark. The Blue Guide adds that where subcontracting takes place, the manufacturer must retain overall control and cannot discharge its responsibilities to an authorised representative, distributor, user, or subcontractor.

Yes.

Article 13(8) expressly requires appropriate policies and procedures, including coordinated vulnerability disclosure policies, to process and remediate potential vulnerabilities reported from internal or external sources. The March 2026 draft guidance repeats that requirement when explaining how manufacturers are expected to organise their handling of potential vulnerabilities.

They must stay accessible, user-friendly, and available online for at least 10 years after the product is placed on the market or for the support period, whichever is longer.

So the CRA does not only require the manufacturer to provide Annex II information once. If those materials are hosted online, the manufacturer has an ongoing availability obligation for the same long-term period that applies to keeping them at the disposal of users and market surveillance authorities.

Yes.

Article 13(8) requires the manufacturer to include in the technical documentation the information taken into account to determine the support period. Annex VII repeats that requirement, so the support-period decision has to be documented, not just decided internally.

Yes.

The Commission FAQ says products already placed on the market can continue to be made available after the support period expires. But if the manufacturer later places additional units of that product on the market, it still has to determine the support period for those newly placed units in accordance with Article 13(8).

Not necessarily.

The March 2026 draft guidance says a product designed before the CRA applies may still be placed on the market without redesign if the manufacturer carries out a current cybersecurity risk assessment and can show through the technical documentation that the existing design already addresses the relevant risks. Where the manufacturer cannot show how the original design phase took the risk assessment into account, the guidance says it is not required to recreate historical design or test documentation that would not improve the product's cybersecurity. But the manufacturer still has to complete the CRA's current obligations before placement on the market, including the conformity assessment, declaration of conformity, and CE marking steps.