EU Cyber Resilience Act FAQ Transition Period

The CRA entered into force on 10 December 2024.

The Regulation itself says it enters into force on the twentieth day following its publication in the Official Journal. The Commission FAQ uses the concrete date 10 December 2024.

The CRA generally applies from 11 December 2027.

But the Regulation also has two earlier phased dates:

- Chapter IV, covering the notification of conformity assessment bodies, applies from 11 June 2026

- Article 14 reporting obligations apply from 11 September 2026

Chapter IV of the CRA starts to apply on 11 June 2026. That chapter covers notifying authorities and conformity assessment bodies, including designation, notification, operation, and oversight of notified bodies.

The Commission FAQ explains that Member States must have their notifying-authority arrangements in place by that date.

Article 14 starts to apply on 11 September 2026. From that date, manufacturers must report actively exploited vulnerabilities and severe incidents having an impact on the security of their products through the CRA reporting system.

That early date also matters for open-source software stewards, because Article 24(3) ties some of their reporting obligations to Article 14. So, from 11 September 2026, the limited steward reporting hooks become relevant as well, even though the rest of the CRA still applies later.

That is the general date of application of the CRA.

From 11 December 2027, the manufacturer obligations, essential cybersecurity requirements, conformity assessment rules, CE marking framework, market surveillance rules, and the rest of the CRA apply, except for the earlier-starting provisions that already applied before that date.

Yes.

The CRA turns on placement on the market of the individual product, not on the date the project started. The Commission FAQ makes this explicit by explaining that individual products first placed on the market on or after 11 December 2027 must comply, even if the product type or earlier units existed before then.

Yes, subject to any other applicable Union legislation.

The CRA's main product-compliance obligations do not apply until 11 December 2027. The transition problem is not whether the product must already bear CRA CE evidence before that date, but how the manufacturer prepares so that products first placed on the market on or after that date will comply.

Yes.

The Commission FAQ says this directly. During the transition period, manufacturers may integrate third-party components that do not yet bear CRA CE marking, because those component manufacturers may not yet be under the CRA's full application date. The integrating manufacturer must still exercise due diligence through other means so the component does not compromise the cybersecurity of the finished product.

No.

Article 13(5) is part of the manufacturer obligations that apply from 11 December 2027, but the Commission FAQ's transition guidance is clear about the practical point: manufacturers preparing products for post-application placement should expect to exercise due diligence even where CRA CE marking is not yet available on integrated components.

Yes.

The Commission FAQ says manufacturers are free to integrate components, including important or critical products with digital elements, even where those components were not designed in accordance with harmonised standards. Harmonised standards are a route to presumption of conformity, not a mandatory condition for integration.

That point matters during the transition because the absence of harmonised standards, or the fact that a component does not follow them, does not by itself block integration. The manufacturer still has to assess and manage the resulting risks.

Article 69(1) says those certificates and approval decisions remain valid until 11 June 2028, unless they expire earlier or the other Union legislation says otherwise.

The March 2026 draft guidance explains that this can include certificates or approval decisions issued under legislation such as the RED cybersecurity delegated act or the Machinery Regulation, but only for the cybersecurity risks actually covered by those instruments.

No.

The March 2026 draft guidance says those certificates or approval decisions remain relevant only for the cybersecurity risks they actually cover. Manufacturers still have to assess and address any remaining CRA-relevant risks that fall outside the scope of the earlier certificate.

The Commission FAQ says the Commission aims to repeal Delegated Regulation (EU) 2022/30 with effect from 11 December 2027. That means the timing of placing on the market matters:

- products placed on the market between 1 August 2025 and 10 December 2027 can remain subject to the RED cybersecurity essential requirements made applicable by that delegated regulation

- products first placed on the market on 11 December 2027 or later are subject to the CRA instead

The FAQ also says repealing the RED delegated regulation from 11 December 2027 does not affect market-surveillance treatment of radio equipment that was placed on the market during the earlier RED window.

No, unless the product is substantially modified from that date.

Article 69(2) preserves the pre-existing status of products already placed on the market, while Article 69(3) separately keeps Article 14 reporting obligations applicable.

Yes.

This is the specific consequence of the phased dates. Article 14 starts on 11 September 2026, and Article 69(3) extends it to in-scope products already placed on the market before 11 December 2027.

No.

The Commission FAQ says distributors are not required to bring such products into CRA compliance merely because the general application date has passed. The key transition point is still whether the individual product was placed on the market before 11 December 2027. The main exception remains reporting under Article 14, and a separate trigger exists if someone substantially modifies the product after that date.

No.

Once 11 December 2027 arrives, products first placed on the market on or after that date must comply with the CRA as applicable. The transition period helps manufacturers prepare, but it does not create an extra post-application grace period for newly placed products.

The practical transition question is not whether the CRA already applies to the product today, but when the individual product will first be placed on the market and what evidence will be needed by that date.

The CRA phased dates and the Commission FAQ together point to a simple planning structure:

- be ready for Article 14 reporting from 11 September 2026

- be ready for full CRA compliance for products first placed on the market from 11 December 2027

- treat existing third-party certificates only as partial evidence for the risks they actually cover, and only within their validity window

No.

The Blue Guide says products in the stocks of the manufacturer or importer are not yet placed on the market if they have not yet been supplied for distribution, consumption, or use on the Union market. The Commission FAQ then applies that logic specifically to the CRA transition: only individual products actually placed on the market before 11 December 2027 avoid the CRA's full application, while later-placed units of the same type must comply.

So manufacturing a unit before 11 December 2027 is not enough by itself. If that unit is first placed on the market on or after 11 December 2027, it must comply with the CRA as applicable.

No.

The Blue Guide says products introduced from a third country but still in transit, in free zones, in warehouses, in temporary storage, or under other special customs procedures are not yet placed on the Union market. The CRA transition therefore does not turn on the shipment date or on the fact that the goods have already entered the customs territory. The relevant question is when they are first made available on the Union market.

If those goods are only released for free circulation and first supplied on the Union market on or after 11 December 2027, the CRA timing is assessed at that later moment.

For standalone software supplied digitally, the relevant date is the first offering for distribution or use on the EU market.

The March 2026 draft guidance says a standalone software version is placed on the market when its manufacturing phase is complete and that version is first supplied for distribution or use on the EU market in the course of a commercial activity. Later downloads or remote access to the same version are instances of making that software available, not new placements on the market. The same is true for later iterations that do not qualify as substantial modifications.

That means a standalone software version first offered before 11 December 2027 is not newly placed on the market again merely because users download that unchanged or non-substantially modified version after that date. But if a later iteration is a substantial modification, that later version is treated as newly placed on the market and must comply accordingly.

No.

The CRA transition does not grandfather products merely because the commercial contract, procurement cycle, or development project started before 11 December 2027. The legal trigger remains when the individual product is first placed on the market. The March 2026 draft guidance expressly notes that some complex systems may involve contracts signed before the CRA applies, but the manufacturer must still ensure before placement on the market that the conformity assessment has been carried out, the EU declaration of conformity has been drawn up, and the CE marking affixed.

The same draft guidance also explains that products designed before the CRA applies may still be placed on the market after 11 December 2027 without redesign, but only if the manufacturer can demonstrate compliance through the cybersecurity risk assessment and technical documentation.

Yes, unless they are substantially modified from that date.

Article 69(2) preserves the status of products already placed on the market before 11 December 2027. The March 2026 draft guidance states that products placed on the market before that date remain subject to the Union legislation applicable at the time of their placing on the market and, if they were compliant then, they can continue to be sold and put into operation unless they are substantially modified on or after 11 December 2027.

The main CRA exception is Article 14 reporting, which still applies to in-scope products already placed on the market before 11 December 2027.