Use this CRA FAQ to understand the entry-into-force date, phased application dates, Article 14 reporting timing, legacy-product treatment, stock and customs edge cases, and standalone software placement rules.
Built for legal, product, certification, and compliance teams planning around the CRA's 2026 reporting start and 2027 general application date.
Structured answer sets in this page tree.
Cited legal and guidance references.
The CRA entered into force on 10 December 2024, but it does not apply all at once. Chapter IV on conformity assessment bodies applies from 11 June 2026, Article 14 reporting obligations apply from 11 September 2026, and the Regulation generally applies from 11 December 2027. This FAQ explains what those dates mean for new products, already placed products, stock, customs situations, standalone software, certificates under other EU laws, and the RED cybersecurity transition.
The CRA entered into force on 10 December 2024.
The Regulation itself says it enters into force on the twentieth day following its publication in the Official Journal. The Commission FAQ uses the concrete date 10 December 2024.
Article 71(1)
Sections 7.1 and 7.2 state the CRA entered into force on 10 December 2024 and generally applies from 11 December 2027.
Map CRA transition dates to product releases, evidence owners, notification duties, and readiness checkpoints before the main obligations apply.
Start from the CRA transition-period timeline and turn source-linked dates into implementation tasks.
Review CRA deadlines, affected products, evidence gaps, and readiness milestones.
The CRA generally applies from 11 December 2027.
But the Regulation also has two earlier phased dates:
- Chapter IV, covering the notification of conformity assessment bodies, applies from 11 June 2026
- Article 14 reporting obligations apply from 11 September 2026
Article 71(2) sets the general application date and the two earlier application dates for Article 14 and Chapter IV.
Chapter IV of the CRA starts to apply on 11 June 2026. That chapter covers notifying authorities and conformity assessment bodies, including designation, notification, operation, and oversight of notified bodies.
The Commission FAQ explains that Member States must have their notifying-authority arrangements in place by that date.
Article 71(2), Articles 35-51
Section 7.1 confirms the Chapter IV start date and explains the notifying-authority setup timing.
Article 14 starts to apply on 11 September 2026. From that date, manufacturers must report actively exploited vulnerabilities and severe incidents having an impact on the security of their products through the CRA reporting system.
That early date also matters for open-source software stewards, because Article 24(3) ties some of their reporting obligations to Article 14. So, from 11 September 2026, the limited steward reporting hooks become relevant as well, even though the rest of the CRA still applies later.
Article 14, Article 24(3), Article 71(2)
Section 7.1 confirms Article 14 applies earlier than the Regulation's general application date.
That is the general date of application of the CRA.
From 11 December 2027, the manufacturer obligations, essential cybersecurity requirements, conformity assessment rules, CE marking framework, market surveillance rules, and the rest of the CRA apply, except for the earlier-starting provisions that already applied before that date.
Article 71(2)
Section 7.1 explains that the CRA applies from 11 December 2027, with Article 14 and Chapter IV applying earlier.
Yes.
The CRA turns on placement on the market of the individual product, not on the date the project started. The Commission FAQ makes this explicit by explaining that individual products first placed on the market on or after 11 December 2027 must comply, even if the product type or earlier units existed before then.
Article 71(2), Article 69(2)
Section 7.2 applies the transition rule by individual product placement on the market.
Section 2.3 explains that placing on the market happens once for each individual product, not for a product type.
Yes, subject to any other applicable Union legislation.
The CRA's main product-compliance obligations do not apply until 11 December 2027. The transition problem is not whether the product must already bear CRA CE evidence before that date, but how the manufacturer prepares so that products first placed on the market on or after that date will comply.
Article 71(2) means the CRA's main product-compliance obligations generally apply from 11 December 2027.
Yes.
The Commission FAQ says this directly. During the Transition Period, manufacturers may integrate third-party components that do not yet bear CRA CE marking, because those component manufacturers may not yet be under the CRA's full application date. The integrating manufacturer must still exercise due diligence through other means so the component does not compromise the cybersecurity of the finished product.
Section 7.3 addresses integration of components that do not yet bear CRA CE marking during the transition period.
Article 13(5), recital 35
No.
Article 13(5) is part of the manufacturer obligations that apply from 11 December 2027, but the Commission FAQ's transition guidance is clear about the practical point: manufacturers preparing products for post-application placement should expect to exercise due diligence even where CRA CE marking is not yet available on integrated components.
Article 13(5), recital 35
Section 7.3 says the integrating manufacturer still needs other due-diligence measures where CRA CE marking is unavailable.
Yes.
The Commission FAQ says manufacturers are free to integrate components, including important or critical products with digital elements, even where those components were not designed in accordance with harmonised standards. Harmonised standards are a route to presumption of conformity, not a mandatory condition for integration.
That point matters during the transition because the absence of harmonised standards, or the fact that a component does not follow them, does not by itself block integration. The manufacturer still has to assess and manage the resulting risks.
Article 27(1), Article 13(5)
Section 7.4 addresses important or critical components that do not follow harmonised standards during the transition period.
Article 69(1) says those certificates and approval decisions remain valid until 11 June 2028, unless they expire earlier or the other Union legislation says otherwise.
The March 2026 draft guidance explains that this can include certificates or approval decisions issued under legislation such as the RED cybersecurity delegated act or the Machinery Regulation, but only for the cybersecurity risks actually covered by those instruments.
Article 69(1)
Section 7.1 references the Article 69 transitional rule for existing cybersecurity certificates and approvals.
Points 223 and 228-231 explain that earlier certificates can be used only for the cybersecurity risks they actually cover.
No.
The March 2026 draft guidance says those certificates or approval decisions remain relevant only for the cybersecurity risks they actually cover. Manufacturers still have to assess and address any remaining CRA-relevant risks that fall outside the scope of the earlier certificate.
Article 69(1), Article 13(2)
Points 228-232 explain why RED or Machinery certificates do not by themselves prove full CRA compliance.
The Commission FAQ says the Commission aims to repeal Delegated Regulation (EU) 2022/30 with effect from 11 December 2027. That means the timing of placing on the market matters:
- products placed on the market between 1 August 2025 and 10 December 2027 can remain subject to the RED cybersecurity essential requirements made applicable by that delegated regulation
- products first placed on the market on 11 December 2027 or later are subject to the CRA instead
The FAQ also says repealing the RED delegated regulation from 11 December 2027 does not affect market-surveillance treatment of radio equipment that was placed on the market during the earlier RED window.
Section 2.6.1 explains the RED Delegated Regulation timing, the intended repeal date, and market-surveillance effect.
No, unless the product is substantially modified from that date.
Article 69(2) preserves the pre-existing status of products already placed on the market, while Article 69(3) separately keeps Article 14 reporting obligations applicable.
Article 69(2) limits full CRA application for pre-11 December 2027 products unless substantially modified; Article 69(3) preserves Article 14 reporting.
Yes.
This is the specific consequence of the phased dates. Article 14 starts on 11 September 2026, and Article 69(3) extends it to in-scope products already placed on the market before 11 December 2027.
Article 69(3) extends Article 14 to in-scope products already placed on the market before 11 December 2027, and Article 71(2) sets the Article 14 start date.
Section 5.3 answers reporting for products placed on the market before the CRA generally applies.
No.
The Commission FAQ says distributors are not required to bring such products into CRA compliance merely because the general application date has passed. The key transition point is still whether the individual product was placed on the market before 11 December 2027. The main exception remains reporting under Article 14, and a separate trigger exists if someone substantially modifies the product after that date.
Article 21, Article 69(2)-(3)
Section 7.5 addresses distributors and products placed on the market before 11 December 2027.
No.
Once 11 December 2027 arrives, products first placed on the market on or after that date must comply with the CRA as applicable. The Transition Period helps manufacturers prepare, but it does not create an extra post-application grace period for newly placed products.
Article 71(2) provides no additional post-11 December 2027 grace period for products first placed on the market after that date.
Section 7.2 confirms products first placed on the market on or after 11 December 2027 must comply.
The practical transition question is not whether the CRA already applies to the product today, but when the individual product will first be placed on the market and what evidence will be needed by that date.
The CRA phased dates and the Commission FAQ together point to a simple planning structure:
- be ready for Article 14 reporting from 11 September 2026
- be ready for full CRA compliance for products first placed on the market from 11 December 2027
- treat existing third-party certificates only as partial evidence for the risks they actually cover, and only within their validity window
Article 14, Article 69(1), Article 69(3), Article 71(2)
Sections 5.3 and 7.1-7.3 support the reporting, application-date, product-placement, and component-integration planning points.
Points 223 and 228-232 explain how existing certificates can support only the covered cybersecurity risks.
No.
The Blue Guide says products in the stocks of the manufacturer or importer are not yet placed on the market if they have not yet been supplied for distribution, consumption, or use on the Union market. The Commission FAQ then applies that logic specifically to the CRA transition: only individual products actually placed on the market before 11 December 2027 avoid the CRA's full application, while later-placed units of the same type must comply.
So manufacturing a unit before 11 December 2027 is not enough by itself. If that unit is first placed on the market on or after 11 December 2027, it must comply with the CRA as applicable.
Article 69(2), Article 71(2)
Section 7.2 applies the transition rule to individual products, including later units of an existing product type.
Section 2.3 explains that products in manufacturer or importer stock are not placed on the market until supplied for distribution, consumption, or use.
No.
The Blue Guide says products introduced from a third country but still in transit, in free zones, in warehouses, in temporary storage, or under other special customs procedures are not yet placed on the Union market. The CRA transition therefore does not turn on the shipment date or on the fact that the goods have already entered the customs territory. The relevant question is when they are first made available on the Union market.
If those goods are only released for free circulation and first supplied on the Union market on or after 11 December 2027, the CRA timing is assessed at that later moment.
Article 69(2), Article 71(2)
Section 2.3 explains that goods in transit, free zones, warehouses, temporary storage, or special customs procedures are not yet placed on the market.
For standalone software supplied digitally, the relevant date is the first offering for distribution or use on the EU market.
The draft Commission guidance says a standalone software version is placed on the market when its manufacturing phase is complete and that version is first supplied for distribution or use on the EU market in the course of a commercial activity. Later downloads or remote access to the same version are instances of making that software available, not new placements on the market. The same is true for later iterations that do not qualify as substantial modifications.
That means a standalone software version first offered before 11 December 2027 is not newly placed on the market again merely because users download that unchanged or non-substantially modified version after that date. But if a later iteration is a substantial modification, that later version is treated as newly placed on the market and must comply accordingly.
Article 69(2), Article 71(2)
Points 13-16 cover first placement of standalone software supplied digitally; points 107-113 cover substantial modifications as new placements.
No.
The CRA transition does not grandfather products merely because the commercial contract, procurement cycle, or development project started before 11 December 2027. The legal trigger remains when the individual product is first placed on the market. The draft Commission guidance expressly notes that some complex systems may involve contracts signed before the CRA applies, but the manufacturer must still ensure before placement on the market that the conformity assessment has been carried out, the EU declaration of conformity has been drawn up, and the CE marking affixed.
The same draft guidance also explains that long design cycles and existing technical constraints do not remove complex systems from the CRA. Instead, those constraints belong in the cybersecurity risk assessment and technical documentation, with alternative or compensatory mitigations where a specific requirement cannot be fulfilled through state-of-the-art measures.
Article 13(2), Article 13(12), Article 69(2), Article 71(2)
Section 7.2 confirms the relevant trigger is placement on the market, not the project start date.
Points 27-29 address complex systems, earlier contracts, technical constraints, risk assessment, and compensatory mitigations.
Yes, unless they are substantially modified from that date.
Article 69(2) preserves the status of products already placed on the market before 11 December 2027. The March 2026 draft guidance states that products placed on the market before that date remain subject to the Union legislation applicable at the time of their placing on the market and, if they were compliant then, they can continue to be sold and put into operation unless they are substantially modified on or after 11 December 2027.
The main CRA transition exception is Article 14 reporting, which still applies to in-scope products already placed on the market before 11 December 2027.
Article 14, Article 69(2)-(3)
Sections 5.3, 7.2, and 7.5 support the reporting exception, transition treatment, and distributor point.
Footnote 25 to point 223 states that compliant products placed before 11 December 2027 can be sold and put into operation unless substantially modified.