FAQEUCyber Resilience Act

EU Cyber Resilience Act FAQ Security Updates vs Functionality Updates

Use this CRA FAQ to classify security updates and functionality updates, decide when separation is required, and understand how update choices affect support-period duties, user notices, automatic updates, and substantial-modification analysis.

Built for product, release, engineering, security, and compliance teams managing update governance for products with digital elements under the EU Cyber Resilience Act.

Back to main artifactReview sources
Author
Sorena AI
Published
Mar 10, 2026
Updated
Mar 10, 2026
Questions
24

Structured answer sets in this page tree.

Primary sources
3

Cited legal and guidance references.

Publication metadata
Sorena AI
Published Mar 10, 2026
Updated Mar 10, 2026
Overview

The Cyber Resilience Act treats security updates as part of vulnerability handling, while functionality updates are assessed by their effect on intended purpose, cybersecurity risk, documentation, and conformity. Security fixes must be separated from functionality changes where technically feasible, but the CRA and Commission FAQ allow combined releases where the security remedy itself requires a functional change.

Classification matrix

CRA security updates vs functionality updates

Use this matrix to classify a release without losing the CRA duties that attach to security fixes, vulnerability handling, user notices, support periods, and substantial-modification review.

Review all sources
First framework
Security update

An update whose purpose is to address or mitigate a vulnerability, reduce cybersecurity risk, or keep the product secure during the support period.

Second framework
Functionality update

An update that adds, removes, activates, or changes product features, interfaces, dependencies, performance, or intended use.

Comparison row 1

Scope boundary

Security update

Triggered by a vulnerability or security issue. The CRA requires manufacturers to address and remediate vulnerabilities without delay in relation to the risks posed, including by security updates where appropriate.

Functionality update

Triggered by a functional or product change. The key CRA question is whether the change was already covered by the original intended purpose, cybersecurity risk assessment, and mitigation measures.

Operational implication

Do not classify by release label alone. Start with the reason for the change, then test whether the release also changes intended purpose or introduces new cybersecurity risks.

Comparison row 2

Covered actors

Security update

New security updates must be provided separately from functionality updates where technically feasible, so users do not have to accept unrelated feature changes to receive security fixes.

Functionality update

A functionality change can be bundled with a security update only when strict separation is not technically feasible or the functionality change is itself the way the vulnerability is remediated.

Operational implication

Record the technical feasibility analysis for every bundled release: what was security-driven, what changed functionality, and why separate delivery was or was not feasible.

Comparison row 3

Trigger

Security update

Security updates for identified security issues must be disseminated without delay, free of charge except agreed tailor-made business-user cases, and accompanied by advisory messages with relevant user action.

Functionality update

Functionality updates do not become free security updates just because they ship in the same release, but any user information, technical documentation, and conformity impacts still need to stay accurate.

Operational implication

Keep security advisory text, publication timing, update availability, free-charge treatment, and any user-facing functional release notes distinct enough for users to understand what they are installing.

Comparison row 4

Core obligations

Security update

Where automatic security updates are applicable, they must be enabled by default within an appropriate timeframe, with user notification, a clear opt-out, and temporary postponement.

Functionality update

The CRA does not require automatic installation for every feature update, and recital 56 recognises product contexts where automatic updates are not reasonably expected.

Operational implication

Separate "can be delivered over the air" from "must install automatically." Update UI and instructions should show users available security updates and any opt-out or postponement controls where required.

Comparison row 5

Evidence record

Security update

Article 13(10) can allow remediation for only the latest substantially modified software version, but only if earlier-version users can access it free of charge and without additional hardware or software environment costs.

Functionality update

Minor security or functionality updates that are not substantial modifications may be provided only for the latest version or sub-version that has not been substantially modified, while hardware unable to run the newest software still needs latest-compatible-version security support during the support period.

Operational implication

Before ending security fixes for an older line, verify that users can actually move to the latest substantially modified version without additional environment costs; otherwise keep the support-period analysis open.

Comparison row 6

Timing and deadlines

Security update

A security update is generally not a substantial modification when it only reduces cybersecurity risk and does not change intended purpose or introduce new cybersecurity risks.

Functionality update

A functionality update can be substantial if it changes intended purpose or increases cybersecurity risk outside the original risk assessment, even if the feature looks small.

Operational implication

Keep the risk assessment and technical documentation updated for both categories; non-substantial updates still need accurate documentation and evidence that the product remains secure during the support period.

Comparison row 7

Enforcement

Security update

Security-update failures can trigger immediate corrective action, free update duties, user notices, and in serious cases withdrawal or recall if the vulnerability cannot be remediated.

Functionality update

Functionality changes are handled through the substantial-modification test: if the change alters intended purpose or compliance, the new version may need fresh conformity assessment before it is placed on the market.

Operational implication

Treat vulnerability handling and substantial-modification review as separate checks. A release can satisfy one and still fail the other.

Comparison row 8

Overlap and reuse

Security update

Some releases are both security updates and functionality updates, especially when a functional change is the only practical way to remove the vulnerability.

Functionality update

Other releases are primarily functionality updates that only become security-relevant because the change alters attack surface, dependencies, or the product's intended purpose.

Operational implication

Use the same release notes, but split the analysis: one part for vulnerability remediation, one part for functional impact, and one part for substantial-modification consequences.

Comparison row 9

Practical decision rule

Security update

If the release is only there to reduce risk and does not alter intended purpose, classify it as a security update first and then check whether any bundled feature change needs separate analysis.

Functionality update

If the release adds or changes features, classify the functional effect first and then check whether the change also qualifies as a security update or a substantial modification.

Operational implication

Start with the dominant purpose of the release, then document any secondary CRA consequences instead of forcing everything into one label.

Practical decision rule

How to classify a CRA update release

  • Identify the security driver: vulnerability, exploitable weakness, dependency issue, configuration defect, or other cybersecurity risk.
  • Identify the functionality effect: changed feature, interface, dependency, data flow, performance characteristic, operating environment, or intended use.
  • If the release contains both, document whether separate delivery is technically feasible and whether the functional change is necessary to remediate the vulnerability.
  • Check user obligations separately: advisory message, free security update treatment, automatic-update controls where applicable, opt-out or postponement, and update availability without delay.
  • Check lifecycle obligations separately: support-period coverage, Article 13(10) latest-version conditions, latest-compatible-version support for affected hardware, and updated risk assessment or technical documentation.
Cyber Resilience ActSources 1European Commission CRA FAQs (January 2026)Sources 2Draft Commission guidance on the CRA (March 2026 draft)Sources 3
Search this module

Find a question or answer quickly

24 of 24 questions
Question 1

Does the CRA require manufacturers to patch every vulnerability they discover during the support period?

No.

The CRA requires manufacturers to address and remediate vulnerabilities without delay in relation to the risks posed. The Commission FAQ explains that this does not mean every vulnerability must receive a dedicated patch. The response depends on the risk assessment.

Citations
Cyber Resilience Act

Annex I Part II point (2) requires risk-based vulnerability remediation without delay, including security updates where needed.

Question 2

If not every vulnerability needs a dedicated patch, what other remedies can satisfy the CRA?

The Commission FAQ says remedies can take different forms depending on the risk. These can include immediate patches, advisories on workarounds, configuration guidance, updates to user manuals, later software updates, or other mitigation measures.

Citations
Cyber Resilience Act

Annex I Part II point (2) and Article 13(21) support remediation, corrective measures, withdrawal, or recall depending on risk and conformity.

Question 3

Must security updates be provided separately from functionality updates?

Yes, where technically feasible.

That is the rule in Annex I Part II point (2). Recital 57 explains that the purpose is to avoid forcing users to install functionality changes just to receive the latest security fix.

Citations
Cyber Resilience Act

Annex I Part II point (2) sets the separate-security-update rule where technically feasible; recital 57 explains the user-protection purpose.

CRA update governance

Check the release record before shipping a CRA update

For each release, keep the vulnerability-risk assessment, separation rationale, user advisory text, update-distribution evidence, and substantial-modification assessment together so product and security teams can explain why the update was classified as security, functionality, or both.

Research workflow
Review CRA update evidence

Use Research Copilot to check whether release notes, advisories, risk assessments, and support-period records cite the right CRA provisions.

Explore next step
Talk to Sorena
Discuss a release classification

Walk through security-update separation, automatic-update controls, and substantial-modification questions for a planned release.

Explore next step
Question 4

Why does the CRA push for separation between security and functionality updates?

To improve transparency and to ensure users are not required to install new functionality updates for the sole purpose of receiving the latest security updates.

Citations
Cyber Resilience Act

Recital 57 explains that separation improves transparency and avoids forcing feature updates just to receive security fixes.

Question 5

Can a manufacturer still combine a security update with a functionality change?

Yes, if separation is not technically feasible.

The Commission FAQ gives the example of a vulnerability fix that requires replacing a parser with a safer one that changes some functionality. In that situation, the CRA does not require strict separation.

Citations
Cyber Resilience Act

Annex I Part II point (2) qualifies separation with the words "where technically feasible."

Question 6

Under the CRA, can a functionality change itself be the security fix?

Yes.

The Commission FAQ explains that disabling or changing a vulnerable function can itself be the security update. The key point is whether the change is needed to address the vulnerability.

Citations
Question 7

Must CRA security updates be disseminated without delay?

Yes.

Annex I Part II point (8) requires manufacturers to ensure that available security updates are disseminated without delay.

Citations
Cyber Resilience Act

Annex I Part II point (8) requires available security updates for identified security issues to be disseminated without delay.

Question 8

Must CRA security updates be free of charge?

Yes, unless otherwise agreed between the manufacturer and a business user for a tailor-made product.

Citations
Cyber Resilience Act

Annex I Part II point (8) requires free security updates, except agreed tailor-made business-user arrangements.

Question 9

Must CRA security updates come with user-facing guidance?

Yes.

When security updates are available to address identified security issues, they must be accompanied by advisory messages with the relevant information, including potential action users should take.

Citations
Cyber Resilience Act

Annex I Part II point (8) requires advisory messages with relevant information and potential user actions.

Question 10

Does the CRA require secure update-distribution mechanisms?

Yes.

Manufacturers must provide mechanisms to securely distribute updates so that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner.

Citations
Cyber Resilience Act

Annex I Part II point (7) requires secure mechanisms to distribute updates and fix or mitigate vulnerabilities in a timely manner.

Question 11

Are CRA automatic security updates always required for every product?

No.

The CRA requires products, where applicable, to support automatic security updates with default enablement, an opt-out mechanism, notifications, and the option to postpone. Recital 56 and the Commission FAQ explain that automatic updates are not always applicable, especially for components and for products where users would not reasonably expect automatic updates, including some professional and industrial environments.

Citations
Cyber Resilience Act

Annex I Part I point (2)(c) requires automatic security updates only where applicable; recital 56 explains product categories where users may not expect them.

Question 12

If CRA automatic updates are used, must users still be able to opt out or postpone installation?

Yes.

Annex I Part I point (2)(c) requires a clear and easy-to-use opt-out mechanism and the option to temporarily postpone updates. Recital 56 adds that users should retain the ability to deactivate automatic updates.

Citations
Cyber Resilience Act

Annex I Part I point (2)(c) requires default enablement, notification, opt-out, and temporary postponement where automatic security updates apply.

Question 13

Under the Cyber Resilience Act, is the manufacturer responsible if a user refuses or fails to install a security update?

No.

The Commission FAQ states this directly. The manufacturer must make the update available through the required mechanisms and keep users informed, but is not responsible under the CRA if the user does not install the update.

Citations
Cyber Resilience Act

Annex I Part I point (2)(c) and Annex I Part II points (7)-(8) define the manufacturer's update-availability and notification duties.

Question 14

Under the CRA, if a vulnerability cannot be fixed adequately, can withdrawal or recall become necessary?

Yes, in exceptional cases.

Article 13(21) requires corrective measures to bring the product or the manufacturer's processes into conformity, or withdrawal or recall as appropriate. The Commission FAQ explains that this may become necessary where a serious vulnerability cannot be adequately remediated.

Citations
Cyber Resilience Act

Article 13(21) requires corrective measures, withdrawal, or recall where the product or process is not in conformity.

Question 15

Even when CRA automatic updates are not applicable, must the manufacturer still inform users about vulnerabilities and make security updates available?

Yes.

Recital 56 states this expressly. Even where a product is not designed to receive automatic updates, the manufacturer should still inform users about vulnerabilities and make security updates available without delay.

Citations
Cyber Resilience Act

Recital 56 preserves vulnerability information and security-update availability duties even where automatic updates are not applicable.

Question 16

Under the Cyber Resilience Act, must a manufacturer keep delivering security fixes for every historical version of a software product?

Not always.

Article 13(10) allows the manufacturer, under specific conditions, to ensure compliance with the remediation obligation only for the latest substantially modified version it has placed on the market. That is allowed only if users of the earlier versions can access that latest version free of charge and without additional costs to adjust their hardware or software environment.

Citations
Cyber Resilience Act

Article 13(10) and recital 40 allow remediation for the latest substantially modified software version only when earlier-version users can move free of charge and without additional environment costs.

Question 17

Under the CRA, if earlier versions can move to the latest substantially modified version, does that end all obligations for the older versions?

No.

Recital 40 says the manufacturer may limit remediation to the latest substantially modified version only under the Article 13(10) conditions, but other vulnerability-handling obligations still continue for all subsequent substantially modified versions placed on the market. The same recital also says minor security or functionality updates that do not amount to a substantial modification may be provided only for the latest version or sub-version that has not been substantially modified.

Citations
Cyber Resilience Act

Article 13(10) and Annex I Part II points (5)-(8) distinguish security-update remediation from other vulnerability-handling duties.

Question 18

Under the Cyber Resilience Act, what if a hardware product cannot run the latest software version?

The CRA does not let the manufacturer stop there.

Recital 40 says that where a hardware product is not compatible with the latest version of the operating system it was originally delivered with, the manufacturer should continue to provide security updates at least for the latest compatible version for the support period.

Citations
Cyber Resilience Act

Recital 40 says incompatible hardware should continue receiving security updates for at least the latest compatible operating-system version during the support period.

Question 19

Under the CRA, if a release is labelled a security update, does that automatically mean it is not a substantial modification?

No.

Recital 39 and the March 2026 draft guidance say security updates are generally not substantial modifications when they only reduce cybersecurity risk, do not change the product's intended purpose, and do not introduce new cybersecurity risks. But a security-driven change can still be substantial if it changes the intended purpose beyond what was originally foreseen or introduces new interfaces, dependencies, data flows, or other risks that were not covered in the original risk assessment.

Citations
Cyber Resilience Act

Recital 39 frames substantial modification around intended purpose and cybersecurity-risk effects, not release labels.

Question 20

Under the Cyber Resilience Act, are later functionality updates automatically substantial modifications?

No.

The March 2026 draft guidance says later functionality updates are not substantial modifications just because they add or activate features. If the original risk assessment already foresaw those later functions, already assessed their risks, and already accounted for the needed mitigation measures, the later rollout should not be treated as a substantial modification.

Citations
Question 21

Under the CRA, can a small-looking feature update still become a substantial modification?

Yes.

Recital 39 and the March 2026 draft guidance both make clear that the scale of the feature is not the legal test. Even a limited update can be substantial if it modifies the original intended functions or type or performance of the product in a way that increases cybersecurity risk, or if it introduces new or increased risks that were not covered in the original risk assessment.

Citations
Cyber Resilience Act

Recital 39 makes the effect on intended purpose or cybersecurity risk the relevant test.

Question 22

Under the Cyber Resilience Act, does it matter for substantial-modification analysis whether the feature change was shipped separately or bundled with a security update?

No.

Recital 39 says that when assessing whether a feature update is a substantial modification, it is not relevant whether the feature update is provided separately or in combination with a security update. What matters is the effect on intended purpose and cybersecurity risk, not the packaging of the release.

Citations
Cyber Resilience Act

Recital 39 says the packaging of a feature update with a security update is not the substantial-modification test.

Question 23

When Article 13(10) says users must not incur additional costs to move to the latest version, what does that cover?

The March 2026 draft guidance says this should be interpreted practically and proportionately.

Reasonable operational effort does not itself count as additional costs. The guidance gives examples such as personnel time, routine testing, configuration adjustments, and upgrades of underlying software dependencies that are necessary to address end-of-life components or known vulnerabilities. By contrast, additional costs mean burdens going beyond normal software maintenance, such as mandatory purchases of new hardware, infrastructure replacement, or fundamental changes to the operating environment.

Citations
Cyber Resilience Act

Article 13(10) sets the free-access and no-additional-environment-cost condition for limiting remediation to the latest software version.

Question 24

If an update is not a substantial modification, can the manufacturer leave the CRA documentation unchanged?

No.

The March 2026 draft guidance says that regardless of whether a software update qualifies as a substantial modification, manufacturers remain responsible for the security of the update and of the product during the support period. It also says the cybersecurity risk assessment and technical documentation must remain accurate, complete, and continuously up to date. That aligns with Articles 13(7) and 31(2).

Citations
Cyber Resilience Act

Articles 13(7) and 31(2) require ongoing security, risk-assessment, and technical-documentation maintenance.

Primary sources

References and citations

Cyber Resilience Act
data.europa.eu
Referenced sections
  • Annex I Part I point (2)(c), Annex I Part II points (2), (7), and (8), Article 13(10), and recital 39 support the classification checks.
Related guides

Explore more topics

CRA Applicability Test for Products With Digital Elements
Check whether the EU Cyber Resilience Act applies to a hardware, software, firmware, open-source, or connected product before conformity planning.
CRA Article 14 Reporting Obligations for Vulnerabilities and Incidents
Article 14 guide to CRA reports for actively exploited vulnerabilities and severe product-security incidents, including deadlines, CSIRT routing, users, and evidence.
CRA Blue Guide Concepts FAQ | Placing on the Market, Making Available, Distance Sales
CRA FAQ explaining Blue Guide market-access concepts for products with digital elements: placing on the market, making available, imports, CE marking, operator roles, online sales, stock, and testing exceptions.
CRA CE Marking FAQ | Conformity Assessment, EU Declaration, Evidence
Practical CRA CE marking answers for products with digital elements: conformity assessment, EU declaration, technical documentation, standards, software placement, and launch evidence.
CRA Component Due Diligence FAQ | Third-Party Software, FOSS, SBOMs
Cyber Resilience Act FAQ on manufacturer due diligence for integrated components, third-party software, FOSS dependencies, SBOMs, vulnerability handling, and evidence records.
CRA Conformity Assessment and CE Marking
How to choose a Cyber Resilience Act conformity route, prepare technical documentation, issue the EU declaration of conformity, and affix CE marking.
CRA Conformity Assessment Routes FAQ | Module A, Module B+C, Module H, Important and Critical Products
Cyber Resilience Act FAQ on when manufacturers can use module A, when module B+C or module H is required, and how important and critical products affect the route.
CRA Cybersecurity Risk Assessment FAQ | Article 13, Annex I, Updates
CRA FAQ on Article 13 cybersecurity risk assessments, Annex I applicability, intended purpose, foreseeable use, technical documentation, and update evidence.
CRA deadlines and compliance calendar | EU Cyber Resilience Act
Track the Cyber Resilience Act entry into force, staged application dates, Article 14 reporting deadlines, transitional rules, and review dates.
CRA Declaration of Conformity FAQ | Annex V, Simplified Declaration, CE Marking
FAQ on the Cyber Resilience Act EU Declaration of Conformity: Annex V contents, simplified Annex VI wording, CE marking link, technical documentation, retention, updates, and operator duties.
CRA Economic Operators FAQ | Manufacturers, Importers, Distributors, Authorised Representatives
CRA FAQ on economic-operator roles: manufacturers, importers, distributors, authorised representatives, substantial modification, traceability, and evidence controls.
CRA Essential Cybersecurity Requirements FAQ | Annex I Part I and Part II
CRA FAQ on Annex I product cybersecurity requirements, vulnerability handling, secure-by-default design, risk assessment, documentation, lifecycle duties, and user information.
CRA Essential Cybersecurity Requirements in Annex I
A grounded guide to the Cyber Resilience Act Annex I requirements for product security, vulnerability handling, secure-by-design controls, documentation, and evidence.
CRA Hardware and Software Boundaries FAQ | Product Scope, Components, RDPS
FAQ on Cyber Resilience Act hardware and software boundaries: combined products, standalone software, source code, components, remote data processing, SaaS and market-placement changes.
CRA Harmonised Standards FAQ | Presumption of Conformity, Common Specifications
Cyber Resilience Act FAQ on how harmonised standards, common specifications, certification schemes, and OJ publication affect CRA conformity evidence.
CRA Important and Critical Products FAQ | Annex III, Annex IV, Conformity Assessment
FAQ on CRA important and critical products, Annex III and Annex IV classification, core functionality, and conformity assessment consequences.
CRA Integrated Components and Dependencies FAQ | Third-Party Software and SBOM Evidence
Cyber Resilience Act FAQ on integrated components, third-party software, remote data processing, SBOM-style evidence, upstream fixes, FOSS dependencies, and manufacturer responsibility.
CRA Interplay With EU Product Laws FAQ | RED, Machinery, Data Act
Grounded CRA FAQ on overlap with the Radio Equipment Directive, Machinery Regulation, GPSR, Data Act, exclusions, declarations, documentation, and existing certificates.
CRA Known Exploitable Vulnerabilities at Launch FAQ
FAQ for Cyber Resilience Act launch decisions: known exploitable vulnerabilities, CVEs, component flaws, secure-by-default settings, release gates, Article 14 reporting, and evidence.
CRA Legacy Products FAQ | Pre-11 December 2027 Products
Cyber Resilience Act FAQ on products placed on the market before 11 December 2027, Article 14 reporting, substantial modification, distributor stock, spare parts, and records.
CRA Manufacturer Obligations FAQ | Article 13, Annex I, CE Marking
FAQ for Cyber Resilience Act manufacturers covering Article 13 duties, risk assessment, Annex I, vulnerability handling, support periods, documentation, conformity assessment, reporting, CE marking, and evidence controls.
CRA Market Surveillance and Enforcement FAQ | Authorities, Corrective Action, Safeguards
Cyber Resilience Act FAQ on market-surveillance authorities, investigations, corrective action, withdrawal, recall, safeguards, sweeps, documentation access, and penalties.
CRA Module B+C FAQ | EU-Type Examination, Conformity to Type, Notified Bodies
CRA Module B+C FAQ explaining EU-type examination, conformity to type, notified-body evidence, production control, CE marking, declarations, and certificate changes.
CRA Module H FAQ | Full Quality Assurance, Notified Body Surveillance, CE Marking
CRA Module H FAQ explaining the full-quality-assurance route, notified-body assessment, quality-system scope, technical documentation, CE marking, declarations, and records.
CRA Notified Bodies FAQ | Scope, Modules B+C and H, Certificates
Practical CRA FAQ on when notified bodies are needed, how CRA bodies are designated, what their notified scope means, and how Module B+C and Module H assessments work.
CRA Open-Source Software FAQ | FOSS Scope, Stewards, Manufacturers
Cyber Resilience Act FAQ for free and open-source software: commercial activity, steward duties, manufacturer due diligence, vulnerability handling, public documentation, and user obligations.
CRA Over-the-Air Updates FAQ
Cyber Resilience Act FAQ on OTA updates, automatic security updates, secure update distribution, support-period evidence, and offline update paths.
CRA penalties and fines FAQ | Article 64 fine caps
FAQ on EU Cyber Resilience Act Article 64 penalties: maximum fine tiers, turnover caps, national enforcement, economic operators, reporting duties, and open-source steward carve-outs.
CRA Penalties and Fines: Article 64 Caps and Enforcement Context
Article 64 of the EU Cyber Resilience Act sets administrative fine ceilings for Annex I, manufacturer, reporting, economic-operator, notified-body, and information-request breaches.
CRA Product Families FAQ | Variants, Shared Assessments, Family Reuse, Conformity Scope
CRA FAQ on product families, variant grouping, shared technical documentation, conformity evidence, and when cybersecurity-relevant differences need separate assessment.
CRA Products with Digital Elements Scope | EU Cyber Resilience Act
Apply the EU Cyber Resilience Act scope test for software, hardware, remote data processing, components, open-source software, exclusions, and economic-operator roles.
CRA Products With Digital Elements Scope FAQ
EU Cyber Resilience Act FAQ on products with digital elements, software, firmware, remote data processing, components, exclusions, market placement, and CRA operator boundaries.
CRA Remote Data Processing Solutions FAQ | Product Scope, Cloud and Backend Boundaries
FAQ on how the EU Cyber Resilience Act treats remote data processing solutions, manufacturer-controlled backends, third-party cloud services, SaaS, risk assessment, documentation, and user information.
CRA Reporting Obligations FAQ | Article 14, CSIRTs, ENISA, User Notices
Cyber Resilience Act FAQ on Article 14 reporting for actively exploited vulnerabilities and severe incidents, including timing, CSIRT routing, ENISA access, user notices, and evidence.
CRA Requirements | Annex I, Manufacturer Duties and CE Evidence
Map Cyber Resilience Act requirements from Annex I to manufacturer duties, vulnerability handling, user information, technical documentation, declaration of conformity, and CE marking evidence.
CRA SBOM and Vulnerability Management Template
Build a CRA-ready SBOM and vulnerability handling record with component inventory, triage, remediation, disclosure, reporting, update, and technical documentation fields.
CRA Secure-by-Default FAQ | Default Configuration and Annex I Controls
Cyber Resilience Act FAQ on secure-by-default configuration, automatic security updates, attack surface reduction, authentication, data minimisation, user information, and tailor-made products.
CRA Substantial Modification FAQ | Updates, Repairs, Manufacturer Duties
Cyber Resilience Act FAQ on when software updates, repairs, spare parts, and post-market changes become substantial modifications and trigger CRA manufacturer, evidence, and conformity duties.
CRA Support Period FAQ | Expected Product Lifetime, Security Updates, User Information
Practical CRA FAQ on how manufacturers determine support periods, disclose support end dates, keep security updates available, and document support-period evidence.
CRA Tailor-Made Products FAQ | Bespoke Products, Market Placement, Evidence
FAQ on when a bespoke product may be treated as tailor-made under the EU Cyber Resilience Act, what the carve-out changes, and what manufacturers still need to document.
CRA Technical Documentation FAQ | Annex VII Evidence and Technical File
CRA FAQ explaining Annex VII technical documentation, risk assessment evidence, conformity assessment files, vulnerability handling records, product families, RDPS, language, and authority access.
CRA Transition Period FAQ | Entry Into Force, Application Dates, Reporting, Legacy Products
CRA FAQ on the transition period covering entry into force, 2026 reporting, 2027 application, legacy products, stock, customs timing, and software versions.
CRA Update Availability and Software Archives FAQ
FAQ on CRA security-update availability, support-period notices, optional public software archives, historical versions, and Article 13(10) software-version limits.
CRA User Information and Transparency FAQ | Annex II Instructions
Practical CRA FAQ on Annex II user instructions, support-period disclosure, vulnerability contacts, update notices, importer and distributor information.
CRA vs RED Cybersecurity Delegated Act
Compare the EU Cyber Resilience Act with the RED cybersecurity delegated act for connected and radio equipment, including scope, timing, evidence, and transition treatment.
CRA vs UK PSTI Act | Cyber Resilience Act Comparison
Compare grounded EU Cyber Resilience Act duties with UK PSTI planning points, with UK legal details clearly marked for separate source review.
CRA Vulnerability Handling and Disclosure | Article 14 Reporting and Security Updates
How EU Cyber Resilience Act manufacturers should run vulnerability intake, remediation, coordinated disclosure, Article 14 reporting, secure updates, and evidence records.
CRA Vulnerability Handling FAQ | Support Periods, Components, Reporting
Practical CRA FAQ on vulnerability handling: SBOMs, remediation, coordinated disclosure, component issues, security updates, support periods, Article 14 reporting, and user notices.
Cyber Resilience Act Module A FAQ | Internal Production Control
FAQ on when CRA Module A internal production control is available, when it is blocked, and what documentation, testing, standards, and evidence it still requires.
EU CRA Compliance Program for Manufacturers and Economic Operators
Build a Cyber Resilience Act compliance program around product scope, Annex I security requirements, conformity assessment, technical documentation, vulnerability reporting, and market surveillance.
EU Cyber Resilience Act Checklist for Product Security and CE Marking
A CRA checklist for products with digital elements: scope, Annex I security controls, vulnerability handling, Article 14 reporting, technical documentation, conformity assessment, CE marking, and support-period evidence.
EU Cyber Resilience Act Core Functionality FAQ | CRA Product Classification
CRA FAQ on core functionality, product boundaries, remote data processing, integrated components, ancillary functions, and software changes that affect product classification.
EU Cyber Resilience Act FAQ
Direct CRA FAQ answers on scope, economic-operator roles, essential requirements, vulnerability reporting, conformity assessment, CE marking, support periods, and market surveillance.
EU Cyber Resilience Act Repairs and Spare Parts FAQ
CRA FAQ for repairs, spare parts, legacy products, security updates, substantial modification, and responsibility after product changes.
EU Cyber Resilience Act Technical Documentation and Audit File
Build an audit-ready CRA technical file around Article 31 and Annex VII: product scope, risk assessment, vulnerability handling, conformity evidence, testing, and retention.