CRA FAQ – Cyber Resilience Act

by SPAC Alliance | December 2025 | Cyber Resilience Act, Library, Regulations

The European Commission has published a first version of the technical FAQs relating to the Cyber Resilience Act (CRA), a key European Union regulation aimed at strengthening the level of cybersecurity of products with digital elements placed on the European market.

This document, published two years before the full application of the CRA (11 December 2027), aims to help market players interpret and anticipate the requirements of the Regulation.

83 questions concerning the CRA

These 83 questions are structured into seven chapters and provide a comprehensive, 360-degree overview of the Cyber Resilience Act.

Additional questions and answers will be added over time to address the most frequently raised issues. Sign up to receive notifications!

1 – Scope

    • 1.1 When is a product with digital elements in scope of the Cyber Resilience Act?
    • 1.2 What is a product with digital elements? Are stand-alone software or firmware products with digital elements?
    • 1.3 What is a direct or indirect logical or physical data connection to a device or network?
    • 1.4 Does the CRA apply to products with digital elements placed on the market before 11 December 2027?
    • 1.5 Are products that are manufactured only for one’s own use in scope of the CRA?
    • 1.6 Can manufacturers release non-compliant versions of software for testing?
    • 1.7 Can manufacturers maintain publicly accessible software archives?
    • 1.8 Are products meant to be used for national security or defence purposes excluded from the CRA?
    • 1.9 Are there products with digital elements covered by other Union legislation that are exempted from the CRA?

2 – Interplay with other legislation

    • 2.1 Regulation (EU) 2018/1139 on common rules in the field of civil aviation
      • 2.1.1 Are products falling within the scope of Regulation (EU) 2018/1139 also covered by the CRA?
    • 2.2 Directive (EU) 2014/90 on marine equipment
      • 2.2.1 Are products falling within the scope of Directive (EU) 2014/90 also covered by the CRA?
    • 2.3 Product Liability Directive (EU) 2024/2853
      • 2.3.1 What is the interplay between the CRA and the Product Liability Directive?
    • 2.4 Machinery Regulation (Regulation (EU) 2023/1230)
      • 2.4.1 What is the interplay between the CRA and the Machinery Regulation?
      • 2.4.2 Should a product comply with both the CRA and MR cybersecurity requirements?
      • 2.4.3 Should a manufacturer ensure the assessment of conformity for a product through the procedures set out in both the CRA and the MR?
    • 2.5 General Product Safety Regulation (EU) 2023/988
      • 2.5.1 What is the interplay between the CRA and the General Product Safety Regulation?
      • 2.5.2 Does a product with digital elements need to comply with the requirements of both the CRA and the GPSR?
    • 2.6 Radio Equipment Directive 2014/53/EU and the Commission Delegated Regulation (EU) 2022/30
      • 2.6.1 What is the interplay between the CRA and the Radio Equipment Directive?
    • 2.7 European Health Data Space Regulation (Regulation (EU) 2025/327)
      • 2.7.1 What is the interplay between the CRA and the European Health Data Space Regulation?
      • 2.7.2 Should a product comply with both the CRA and EHDS Regulation requirements?
      • 2.7.3 Should a manufacturer ensure the assessment of conformity for a product through the procedures set out in both the CRA and EHDS Regulation?
      • 2.7.4 Should the manufacturer draw up separate EU declarations of conformity per Union legal act?
    • 2.8 General Data Protection Regulation (Regulation (EU) 2016/679)
      • 2.8.1 What is the interplay between the CRA and the General Data Protection Regulation?
    • 2.9 Data Act (Regulation (EU) 2023/2854)
      • 2.9.1 What is the interplay between the CRA and the Data Act?
      • 2.9.2 How do the requirements for products with digital elements under the CRA take account of the obligations to make data available to users or third parties under the Data Act?
      • 2.9.3 Should a manufacturer redesign their products to comply with the requirements of the DA and the CRA?

3 – Important and critical products

    • 3.1 What determines if a product with digital elements is an important or critical product?
    • 3.2 Does integrating an important or critical product with digital elements into another product with digital elements render that product important or critical?
    • 3.3 Does the classification of a product as important or critical impact the manufacturer’s risk assessment?
    • 3.4 Does the presence of multiple functions mean that a product does not have the core functionality of an important or critical product?

4 – Manufacturer’s obligations

    • 4.1 Risk-based approach and risk-assessment
      • 4.1.1 What does the CRA require of the manufacturer’s cybersecurity risk assessment?
      • 4.1.2 Does the CRA mandate a specific risk assessment methodology?
      • 4.1.3 Does a manufacturer need to implement all the essential requirements?
      • 4.1.4 What are intended purpose and reasonably foreseeable use, and how do they affect the cybersecurity risk assessment?
      • 4.1.5 What is reasonably foreseeable misuse, and how does it affect the cybersecurity risk assessment?
      • 4.1.6 How does the length of time the product is expected to be in use affect the manufacturer’s cybersecurity risk assessment?
      • 4.1.7 What is the relationship between harmonised standards and the manufacturer’s cybersecurity risk assessment?
      • 4.1.8 What does a manufacturer need to include regarding the cybersecurity risk assessment in the technical documentation to be kept at the disposal of market surveillance authorities?
    • 4.2 Product-related essential requirements (Annex I, Part I)
      • 4.2.1 Which technical measures does a manufacturer need to implement?
      • 4.2.2 How can a manufacturer ensure that a product is free from all vulnerabilities?
      • 4.2.3 How should manufacturers deal with known exploitable vulnerabilities discovered after a product has been placed on the market but before reaching its final user?
      • 4.2.4 How does the secure-by-default requirement work?
      • 4.2.5 When is a product “tailor-made”? What documentation is required in these cases?
    • 4.3 Vulnerability handling obligations (Annex I, Part II)
      • 4.3.1 Are manufacturers required to patch all vulnerabilities that are discovered during the support period?
      • 4.3.2 Does the manufacturer need to address and remediate vulnerabilities for all versions of a software product?
      • 4.3.3 Is the manufacturer responsible for the installation of security updates by the product’s users?
      • 4.3.4 Does the manufacturer need to recall the product if it cannot fix a vulnerability?
      • 4.3.5 How should manufacturers ensure a separation between security and functionality updates, particularly where updates serve both purposes?
      • 4.3.6 How should vulnerabilities in integrated components be addressed and remediated?
      • 4.3.7 How does the end of the support period in an integrated component impact a product’s compliance with the CRA?
    • 4.4 Due diligence requirements for integrating components
      • 4.4.1 What does the CRA prescribe when integrating components?
      • 4.4.2 What is the appropriate level of due diligence?
      • 4.4.3 In order to exercise due diligence, should a manufacturer only integrate components that bear the CE marking?
      • 4.4.4 How should manufacturers exercise due diligence with regards to open-source components that are not subject to the CRA?
    • 4.5 Support period
      • 4.5.1 Which criteria should the manufacturer take into account when determining a product’s support period?
      • 4.5.2 Is there a minimum support period?
      • 4.5.3 Can a manufacturer continue to sell products without a support period?
    • 4.6 Other manufacturer’s obligations
      • 4.6.1 Can a third-country manufacturer directly place products on the Union market?

5 – Reporting obligations of manufacturers

    • 5.1 How can a manufacturer become aware of an actively exploited vulnerability or a severe incident?
    • 5.2 Does a manufacturer need to report zero-day vulnerabilities?
    • 5.3 Does a manufacturer need to report actively exploited vulnerabilities or severe incidents for products placed on the market before the CRA applies?
    • 5.4 If an actively exploited vulnerability is contained in a third-party component, are all manufacturers integrating that component required to notify it?

6 – Conformity assessment

    • 6.1 What is module A? How does it work? What conformity assessment activities are expected for self-assessment?
    • 6.2 What is module B+C? How does it work?
    • 6.3 What is module H? How does it work?
    • 6.4 Are manufacturers required to ensure the conformity of “existing” product types?
    • 6.5 Which evaluation methodology should a manufacturer apply?
    • 6.6 What is the technical documentation?
    • 6.7 What is the CE marking?
    • 6.8 What is the declaration of conformity?
    • 6.9 What are notified bodies?
    • 6.10 When will harmonised standards to support CRA compliance be ready?

7 – Transition period

    • 7.1 When does the CRA start applying?
    • 7.2 A manufacturer develops a product type before the CRA applies. Can it continue to manufacture products identical to that type after the CRA applies?
    • 7.3 Can a manufacturer place on the market products with digital elements developed during the transition period, and that integrate components that do not bear the CE marking?
    • 7.4 Is a manufacturer allowed to integrate components that are important or critical products with digital elements that do not follow harmonised standards?
    • 7.5 Are distributors required to bring into compliance products with digital elements placed on the market before 11 December 2027?

Go further

Would you like to learn more about the CRA? We have developed a training document as part of our Hestia working group, which led the work on Standard No. 16 of the Cyber Resilience Act.