EU publishes answers to frequently asked questions on the CRA

The first official FAQ document on the Cyber Resilience Act is now available. Across 66 pages, the European Commission clarifies key questions about scope, manufacturer obligations and implementation.

Background and importance

The Cyber Resilience Act (Regulation (EU) 2024/2847) entered into force on 10 December 2024. The regulation sets cybersecurity requirements for products with digital elements that are placed on the EU market. Since its entry into force, there has been a significant need for clarification among manufacturers, importers and other economic operators regarding concrete implementation.

The newly published document offers initial guidance. The Commission explicitly emphasizes:

  • It is a “living document” that will be updated as needed
  • The answers do not constitute a binding legal interpretation
  • Further official guidelines under Article 26 of the CRA will follow in the coming months

Structure and scope

The document is divided into seven main chapters with a total of 75 individual questions:

  1. Scope (9 questions) – Which products fall under the CRA and which are excluded?
  2. Interaction with other legal acts (23 questions) – Relationship with the Machinery Regulation, GDPR, product safety, Radio Equipment Directive and other EU legal acts
  3. Important and critical products (4 questions) – Classification and its effects
  4. Manufacturer obligations (29 questions) – Risk assessment, essential requirements, vulnerability handling, due diligence, support periods
  5. Reporting obligations (4 questions) – Requirements for reporting vulnerabilities and incidents
  6. Conformity assessment (10 questions) – Modules A, B+C and H, technical documentation, CE marking
  7. Transitional provisions (5 questions) – Dates of application and treatment of legacy products

Selected clarifications

The document contains numerous practical clarifications. Some examples:

  • On scope: The Commission gives concrete examples of products that do not fall under the CRA, such as a dishwasher with embedded firmware that cannot connect to other devices, or an electric toothbrush with a wireless charging station but without data connectivity.
  • On manufacturer obligations: Manufacturers are not necessarily required to patch every discovered vulnerability; they must decide based on risk. The Commission explains with examples when different remediation measures can be appropriate – from immediate patches through workarounds to documentation updates.
  • On components: Manufacturers may integrate components without CE marking, for example open-source components. The decisive factor is the exercise of appropriate due diligence, the extent of which depends on the risk posed by the respective component.
  • On the support period: The minimum support period of five years is not absolute. For products with a shorter expected useful life, the support period can be correspondingly shorter. Conversely, for products with a longer expected period of use, manufacturers must provide longer support periods.
  • On transitional provisions: The CRA applies to individual products, not to product types. A product type developed before the cut-off date cannot simply continue to be produced and placed on the market after 11 December 2027 if it is not CRA-compliant.

Practical significance

The document answers many questions that businesses raised with the Commission in recent months. It provides manufacturers with concrete guidance for preparing for mandatory CRA implementation from 11 December 2027.

Particularly helpful are the numerous practical examples that make the regulation's abstract requirements concrete. However, the document does not replace an individual legal assessment, especially for complex products or situations.

Conclusion

The published document provides manufacturers with the first official guidance on interpreting the CRA requirements. Especially useful are the treatment of borderline cases, clarifications on overlaps with other legal acts and the many practical examples that reveal a pragmatic approach by the Commission.

However, the document remains deliberately general. The Commission repeatedly points out that manufacturers must decide on the basis of their individual risk assessment and emphasizes the provisional nature of this first guidance. With the announcement of further guidelines in the coming months, manufacturers should view the document as an important first building block for their CRA compliance, not as a final manual.

