EU Cyber Resilience Act FAQ User Information and Transparency

Yes.

Article 13(18) requires manufacturers to accompany products with the Annex II information and instructions to the user, in paper or electronic form. Those materials must be clear, understandable, intelligible, legible, and sufficient for secure installation, operation, and use.

It must be in a language that can be easily understood by users and market surveillance authorities.

Yes.

The CRA allows the information and instructions to be provided in paper or electronic form. If they are provided online, the manufacturer must ensure they are accessible, user-friendly, and remain available online for at least 10 years after placing on the market or for the support period, whichever is longer.

Annex II requires, at minimum:

- manufacturer identity and contact details

- the single point of contact for vulnerability reporting and the location of the coordinated vulnerability disclosure policy

- product identification information

- intended purpose, essential functionalities, and security properties

- known or foreseeable circumstances that may lead to significant cybersecurity risks

- the declaration-of-conformity web address where applicable

- the type of security support offered and the end date of the support period

- instructions for secure commissioning, use, updates, and decommissioning

- instructions on how to turn off automatic security updates where applicable

- integration information for integrators where applicable

- SBOM access information if the manufacturer decides to make the SBOM available to users

Yes.

Article 13(19) requires the end date of the support period, at least month and year, to be clearly and understandably specified at the time of purchase in an easily accessible manner.

Annex II also requires the product to be accompanied by information on the type of technical security support offered and the end date of the support period.

Yes, where technically feasible in light of the nature of the product.

Article 13(19) says manufacturers must display a notification to users informing them that the product has reached the end of its support period where this is technically feasible.

Users must be given the manufacturer's name, trade name or trademark, and postal address and email address or other digital contact details and, where applicable, website.

That information must appear on the product, packaging, or accompanying document and must also be included in the Annex II information and instructions.

The single point of contact is the channel through which users can communicate directly and rapidly with the manufacturer, including to report vulnerabilities.

It must be easily identifiable, must let users choose their preferred means of communication, and must not limit communication to automated tools. Annex II also requires users to be told where the manufacturer's coordinated vulnerability disclosure policy can be found.

Yes.

Annex II requires the intended purpose of the product, including the security environment provided by the manufacturer, as well as the product's essential functionalities and information about its security properties.

Yes.

Annex II requires information about any known or foreseeable circumstance related to intended use or reasonably foreseeable misuse that may lead to significant cybersecurity risks. The Commission FAQ gives examples such as deployment on insecure networks or use outside the expected professional setting.

Yes.

The Commission FAQ says that where the risk assessment relies on assumptions or requirements needed for secure installation, integration, or operation, those assumptions must be communicated through the information and instructions to the user. This includes deployment conditions such as use on a secure network or use by trained professional users.

Yes.

The Commission FAQ, relying on the Blue Guide, says manufacturers must consider reasonably foreseeable use and the expected audience for installation and operation. If non-professional or low-skilled users are a foreseeable audience, the instructions must be adapted accordingly.

Users must receive information on how security-relevant updates can be installed. Where the product has a default setting enabling automatic installation of security updates, Annex II also requires instructions on how that setting can be turned off.

Yes.

Annex II requires information on secure decommissioning of the product, including how user data can be securely removed.

Then the manufacturer must provide the information necessary for the integrator to comply with the essential cybersecurity requirements and the documentation requirements in Annex VII.

No, not generally.

The CRA requires the manufacturer to prepare and retain technical documentation for authorities, but the Commission FAQ says there is no general obligation to make the technical documentation available to customers or to the public.

Yes, either in full or in simplified form.

If the manufacturer provides a simplified EU declaration of conformity, it must contain the exact internet address where the full declaration can be accessed. Annex II also requires the internet address to be included where applicable.

Yes.

Annex II requires the type of technical security support offered by the manufacturer and the end date of the support period during which users can expect vulnerabilities to be handled and receive security updates.

Yes.

If the manufacturer decides to make the SBOM available to the user, Annex II requires information on where the SBOM can be accessed.

For at least 10 years after placing the product on the market or for the support period, whichever is longer.

Yes.

After becoming aware of an actively exploited vulnerability or a severe incident having an impact on the security of the product, the manufacturer must inform the impacted users and, where appropriate, all users, of that vulnerability or incident and of any corrective or mitigating measures users can take.

The CRA adds that this information should, where appropriate, be provided in a structured, machine-readable format that is easily automatically processable.

Yes.

Annex I Part II point (8) requires available security updates to be disseminated without delay and, unless the tailor-made exception applies, free of charge. It also requires those updates to be accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.

So the CRA's transparency duties are not limited to giving users access to the update package itself. They also include the user-facing information needed to understand and apply the update safely.

Yes.

Article 13(23) says that if a manufacturer ceases operations and, as a result, cannot comply with the CRA, it must inform the relevant market surveillance authorities before the cessation takes effect and must also inform users of the relevant products, by any available means and to the extent possible.

That is a specific CRA transparency duty aimed at letting users understand that the manufacturer may no longer be able to maintain compliance or provide the expected support.

Yes.

The March 2026 draft guidance says that each version of a software product placed on the market has to have its own declared support period complying with Article 13(8). That matters for transparency because Article 13(19) requires the end date of the support period to be clearly specified at the time of purchase. So for substantially modified software versions, the support-period information must track the specific version being placed on the market, not just a generic family-wide date.

No.

The March 2026 draft guidance says the Article 14(8) duty to inform users is risk-based and proportionate. It does not mean the information must always be made public or disclosed indiscriminately. Where appropriate, manufacturers may limit detailed disclosure to the relevant affected users or customers, especially for products used in sensitive or essential environments where wider public disclosure could itself increase cybersecurity risks.

No.

The CRA requires several specific disclosures, not a blanket publication of all security analysis. Users may need to be informed about significant cybersecurity risks under Annex II point 5, about actively exploited vulnerabilities or severe incidents under Article 14(8), and about fixed vulnerabilities once a security update is available under Annex I Part II point (4). But the Commission FAQ also says there is no general obligation to make the technical documentation available to customers or to the public.

Yes, where those circumstances may lead to significant cybersecurity risks.

The Commission FAQ explains that even where a function or capability sits outside the intended purpose, the information and instructions may need to mention it if reasonably foreseeable misuse could create significant cybersecurity risks. The same logic applies where manufacturers allow users to alter configurations, remove security functionality, or downgrade security measures for legacy compatibility. In those cases, the risks should be treated in the risk assessment and explicitly reflected in user information where Annex II point 5 is engaged.

No fixed format is required by the Regulation text itself.

Article 30(6) allows the Commission to adopt implementing acts laying down technical specifications for labels, pictograms, or other marks related to product security and support periods. But the CRA text itself does not already prescribe one mandatory standard label or scoring format that manufacturers must use in Annex II information.