EU Cyber Resilience Act FAQ Substantial Modification

A substantial modification is a change made to a product with digital elements after it has been placed on the market that either affects compliance with the essential cybersecurity requirements in Annex I Part I or changes the intended purpose for which the product was assessed.

Because it changes who is treated as the manufacturer, whether a new conformity assessment may be needed, whether a modified product is treated as newly placed on the market, and whether pre-11 December 2027 products fall into the CRA after that date.

No.

The assessment is case by case. Repairs, maintenance, refurbishment, and ordinary updates do not necessarily amount to substantial modification.

The key question is whether the update changes the product's intended purpose or introduces new or increased cybersecurity risks that were not foreseen and addressed in the original risk assessment, so that compliance with the essential requirements is affected.

Yes.

The draft guidance says that where new functionality changes the product's intended purpose or introduces risks not covered in the original risk assessment, the update will generally qualify as a substantial modification.

Yes.

The draft guidance says that where the original risk assessment already covered the later functionality and its risks, and the appropriate mitigation measures were already built in, a later update implementing those foreseen functions should not be treated as a substantial modification.

Yes.

The draft guidance says the scale of the feature is not the legal test. Even a limited change can be substantial if it introduces new risks or affects compliance with the essential requirements.

No.

The CRA recitals and the draft guidance both point the other way. A security update that only reduces cybersecurity risk and does not change intended purpose or introduce new risks is generally not a substantial modification.

Yes.

A security-driven change can still be substantial if it changes the product's intended purpose beyond what was originally foreseen or introduces new cybersecurity risks that were not covered in the original risk assessment.

The March 2026 draft guidance says manufacturers may consider whether the update:

- introduces new threat vectors such as interfaces, communication channels, execution environments, or external dependencies

- enables new attack scenarios

- changes the likelihood of previously identified attack scenarios

- changes the impact of previously identified attack scenarios

Yes.

The draft guidance says a substantially modified product is treated as a new product for CRA purposes. Making that modified product available on the market is therefore a new placing-on-the-market event.

The person carrying out the substantial modification and making the modified product available on the market is treated as the manufacturer for CRA purposes. That can be the original manufacturer, an importer, a distributor, or another third party depending on the case.

Not on that basis.

Article 22(1) applies to a natural or legal person other than the manufacturer, importer or distributor that carries out a substantial modification and makes the modified product available on the market. So the CRA manufacturer trigger for those third parties is tied to both the substantial modification and a new making-available event.

Sometimes.

Article 22 says the person making the substantial modification is subject to the CRA obligations for the part affected by the modification or, if the modification affects the cybersecurity of the product as a whole, for the entire product.

Yes, where the modification affects compliance or changes intended purpose.

The CRA recitals state that in such situations compliance should be verified again and, where applicable, the product should undergo a new conformity assessment.

Not necessarily.

The Blue Guide and the draft guidance both say unchanged parts can rely on existing tests and documentation. The updating work should focus on the parts affected by the substantial modification, but the person placing the modified product on the market remains responsible for the modified product's conformity.

A product placed on the market before 11 December 2027 falls under the CRA after that date only if it undergoes a substantial modification.

No.

The Commission FAQ gives this directly. A post-2027 update that does not qualify as a substantial modification does not pull the legacy product into full CRA compliance.

Yes.

The draft guidance says that regardless of whether an update is substantial, manufacturers remain responsible for the security of updates and for keeping the risk assessment and technical documentation accurate, complete, and updated during the support period.

The legal definition itself is tied to Annex I Part I and intended purpose.

Article 3(30) defines substantial modification by reference to a change that affects compliance with the essential cybersecurity requirements in Annex I Part I, or that changes the intended purpose for which the product was assessed. The draft guidance adds that, regardless of that qualification, the Annex I Part II vulnerability-handling obligations still continue during the support period.

No.

Recital 39 says that when assessing whether a feature update is a substantial modification, it is not relevant whether the feature update is provided separately or in combination with a security update. The legal question is the effect on intended purpose and cybersecurity risk, not the packaging of the release.

No.

The March 2026 draft guidance says later software iterations that do not qualify as substantial modifications do not require a new conformity assessment procedure and do not change the software product's date of placement on the market.

No.

The CRA uses different provisions. Article 21 covers importers and distributors that carry out a substantial modification of a product already placed on the market. Article 22 covers other natural or legal persons, but only where they carry out the substantial modification and make the modified product available on the market.

Yes.

The March 2026 draft guidance says manufacturers that did not apply the CRA when the product was first placed on the market must be able, on request from a market surveillance authority, to demonstrate that later updates do not constitute a substantial modification. The guidance adds that a cybersecurity risk assessment covering the Article 13(2) elements, with documented demonstration of compliance, should make that easier.

Yes.

The draft guidance says that where a later update constitutes a substantial modification, the manufacturer must comply with the CRA in its entirety before placing the substantially modified product on the market, and then for the duration of that product's support period. The Commission FAQ illustrates the same result with the smart-TV example where a later update adds smart-home-control functionality.

No.

The March 2026 draft guidance says replacing defective or worn items with parts that perform better does not in itself trigger a substantial modification. It becomes substantial only if the change affects compliance with the essential requirements or changes the intended purpose that was covered by the original risk assessment.

No.

The March 2026 draft guidance says a non-identical replacement part may itself be a product subject to the CRA, because it does not fall within the identical-spare-parts exemption in Article 2(6). But the repair of the host product still does not in itself amount to a substantial modification if the host product's intended purpose and cybersecurity risk profile remain unchanged.