Complete collection of all FAQ topics organized thematically. This includes questions and answers covering all aspects of the Cyber Resilience Act as it relates to open source.
Note: This list includes all FAQs regardless of completion status. Some entries may be drafts, have missing content, or require additional guidance.
-
CRA Basics
Official questions and answers from the European Commission
- What is the new EU Cyber Resilience Act? Official FAQ
- What kind of risks does the proposal aim to address? Official FAQ
- How does the Cyber Resilience Act address these problems? Official FAQ
- Who will benefit from the Cyber Resilience Act? Official FAQ
- What will happen to non-compliant products? Official FAQ
- Will software, when provided as a service and not as a product, be covered under the CRA? Official FAQ
- How will it interplay with the existing rules? Official FAQ
- NIS2 Directive Official FAQ
- Delegated Regulation under the Radio Equipment Directive Official FAQ
- What are the next steps? Official FAQ
-
The Cyber Resilience Act (CRA) itself
Essential information about the CRA regulation, its scope, timeline, and key requirements
- What is the Cyber Resilience Act (CRA)? Approved
- Where is the official text of the CRA? Approved
- When does the CRA enter into force and when does the regulation start to apply? Approved
- What kinds of products are regulated by the CRA? Approved
- What kinds of products are NOT regulated by the CRA? Approved Recently Updated
- What is the 'CE mark' and do I need to add it to my software? Approved
- What is the CRA Expert Group? Draft
-
Contributors
Understanding how the CRA impacts open source contributions, if at all
-
Maintainers
Understanding the role of maintainers under the CRA and clarifying their obligations
- I am worried about how the CRA might impact me, and so I am considering shutting down my open source projects. Should I do that? Draft
- Am I subject to the CRA if I only contribute to an open source project? Approved
- Am I subject to the CRA if I maintain, but do not monetize, an open source project? Draft
- Am I subject to the CRA if I maintain and monetise an open source project? Draft
- If I maintain an open source codebase, and am treated as a "manufacturer" or "steward", what penalties could I face for violating the CRA? Draft
- I am NOT subject to the CRA, and want to make this clear to downstream users. What should I say? Draft
- Can a solo maintainer be considered to be an open-source software steward? Draft Related Guidance Request
- Can a loosely organized group of maintainers be considered to be an open-source software steward? Draft Related Guidance Request
-
Open source projects
Understanding the role of open source projects in the CRA
- What criteria determine whether an open source project is in scope of the CRA? Draft Needs Refactoring
- What does "Monetizing without making a profit" mean? Draft Needs Refactoring
- Is distributing binaries or container images of an open source project considered as making it available on the market? Draft
-
Open-Source Software Stewards
Understanding the steward role, obligations, and requirements under the CRA
- Do all open source projects have an open-source software steward? Draft
- What is an open-source software steward? Draft
- Who can be an open-source software steward? Draft
- What are the obligations of open-source software stewards? Draft
- What are the notification obligations of open-source software stewards? Draft
- How do open-source software stewards demonstrate that they meet their obligations? Draft Missing Answer
- What happens when an open-source software steward doesn't meet its obligations? Draft Missing Answer
- Does a steward bear the cost of translating and maintaining its policy documents in many of the EU languages? Draft Missing Answer
-
Manufacturers
Understanding the manufacturer role and responsibilities under the CRA
-
Remote Data Processing Solutions
Understanding how remote data processing solutions (RDPS) substantially broaden the scope of the CRA
- What is remote data processing? Draft New
- What is considered remote data processing? Draft New
- What is not considered remote data processing? Draft New Recently Updated
- Are 3rd-party remote data processing solutions in scope? Draft New
- Are remote data processing solutions that are built in house subject to the CRA? Draft New
- Is cloud infrastructure that supports remote data processing also in scope? Draft New
-
Standards
Understanding harmonised standards and their role in CRA compliance
- What is a harmonised standard and why does it matter? Draft
- When will harmonised standards to support CRA compliance be ready? Official FAQ New
- What is the relationship between harmonised standards and the manufacturer's cybersecurity risk assessment? Official FAQ New
- Is a manufacturer allowed to integrate components that are important or critical products with digital elements that do not follow harmonised standards? Official FAQ New
-
Important and Critical Product Categories
Understanding product categories and their impact on compliance in the CRA
-
Vulnerability Handling
Understanding vulnerability handling and incident response requirements in the CRA
-
Due diligence
Understanding the due diligence obligations of manufacturers
-
Security attestations
Understanding security attestations and their role in CRA compliance
-
EU Legislation
Understanding the broader EU legislative framework that supports the CRA
-
Official FAQs
Message from the European Commission: "This preliminary set of technical Frequently Asked Questions (FAQs), published approximately two years before the entry into application of the Cyber Resilience Act (CRA), is designed to assist stakeholders in the implementation of the CRA. The FAQs are not meant to cover exhaustively the scope of the CRA, but rather aim to address recurring questions that the Commission services have collected since the entry into force of the CRA. This is intended to be a 'living document' that will be updated as and when necessary."
-
1 Scope
Understanding which products and situations fall under the CRA
- 1.1 When is a product with digital elements in scope of the Cyber Resilience Act? Official FAQ New
- 1.2 What is a product with digital elements? Are stand-alone software or firmware products with digital elements? Official FAQ New
- 1.3 What is a direct or indirect logical or physical data connection to a device or network? Official FAQ New
- 1.4 Does the CRA apply to products with digital elements placed on the market before 11 December 2027? Official FAQ New
- 1.5 Are products that are manufactured only for one's own use in scope of the CRA? Official FAQ New
- 1.6 Can manufacturers release non-compliant versions of software for testing? Official FAQ New
- 1.7 Can manufacturers maintain publicly accessible software archives? Official FAQ New
- 1.8 Are products meant to be used for national security or defence purposes excluded from the CRA? Official FAQ New
- 1.9 Are there products with digital elements covered by other Union legislation that are exempted from the CRA? Official FAQ New
-
2 Interplay with other legislation
How the CRA works alongside other EU regulations and directives
-
2.1 Regulation (EU) 2018/1139 on common rules in the field of civil aviation
Overlap between EU regulations on civil aviation and the CRA
-
2.2 Directive (EU) 2014/90 on marine equipment
Marine equipment directive and CRA requirements
-
2.3 Product Liability Directive (EU) 2024/2853
Product liability directive interaction with CRA
-
2.4 Machinery Regulation (Regulation (EU) 2023/1230)
Machinery regulation cybersecurity requirements
- 2.4.1 What is the interplay between the CRA and the Machinery Regulation? Official FAQ New
- 2.4.2 Should a product comply with both the CRA and MR cybersecurity requirements? Official FAQ New
- 2.4.3 Should a manufacturer ensure the assessment of conformity for a product through the procedures set out in both the CRA and the MR? Official FAQ New
-
2.5 General Product Safety Regulation (EU) 2023/988
General product safety regulation compliance
-
2.6 Radio Equipment Directive 2014/53/EU and the Commission Delegated Regulation (EU) 2022/30
Radio equipment directive requirements
-
2.7 European Health Data Space Regulation (Regulation (EU) 2025/327)
European health data space regulation
- 2.7.1 What is the interplay between the CRA and the European Health Data Space Regulation? Official FAQ New
- 2.7.2 Should a product comply with both the CRA and EHDS Regulation requirements? Official FAQ New
- 2.7.3 Should a manufacturer ensure the assessment of conformity for a product through the procedures set out in both the CRA and EHDS Regulation? Official FAQ New
- 2.7.4 Should the manufacturer draw up separate EU declarations of conformity per Union legal act? Official FAQ New
-
2.8 General Data Protection Regulation (Regulation (EU) 2016/679)
GDPR and data protection requirements
-
2.9 Data Act (Regulation (EU) 2023/2854)
Data act requirements and obligations
- 2.9.1 What is the interplay between the CRA and the Data Act? Official FAQ New
- 2.9.2 How do the requirements for products with digital elements under the CRA take account of the obligations to make data available to users or third parties under the Data Act? Official FAQ New
- 2.9.3 Should a manufacturer redesign their products to comply with the requirements of the DA and the CRA? Official FAQ New
-
3 Important and critical products
Classification and requirements for high-risk products
- 3.1 What determines if a product with digital elements is an important or critical product? Official FAQ New
- 3.2 Does integrating an important or critical product with digital elements into another product with digital elements render that product important or critical? Official FAQ New
- 3.3 Does the classification of a product as important or critical impact the manufacturer's risk assessment? Official FAQ New
- 3.4 Does the presence of multiple functions mean that a product does not have the core functionality of an important or critical product? Official FAQ New
-
4 Manufacturer's obligations
Key responsibilities and requirements for manufacturers
-
4.1 Risk-based approach and risk-assessment
Cybersecurity risk assessment requirements
- 4.1.1 What does the CRA require of the manufacturer's cybersecurity risk assessment? Official FAQ New
- 4.1.2 Does the CRA mandate a specific risk assessment methodology? Official FAQ New
- 4.1.3 Does a manufacturer need to implement all the essential requirements? Official FAQ New
- 4.1.4 What are intended purpose and reasonably foreseeable use, and how do they affect the cybersecurity risk assessment? Official FAQ New
- 4.1.5 What is reasonably foreseeable misuse, and how does it affect the cybersecurity risk assessment? Official FAQ New
- 4.1.6 How does the length of time the product is expected to be in use affect the manufacturer's cybersecurity risk assessment? Official FAQ New
- 4.1.7 What is the relationship between harmonised standards and the manufacturer's cybersecurity risk assessment? Official FAQ New
- 4.1.8 What does a manufacturer need to include regarding the cybersecurity risk assessment in the technical documentation to be kept at the disposal of market surveillance authorities? Official FAQ New
-
4.2 Product-related essential requirements (Annex I, Part I)
Product-related essential cybersecurity requirements
- 4.2.1 Which technical measures does a manufacturer need to implement? Official FAQ New
- 4.2.2 How can a manufacturer ensure that a product is free from all vulnerabilities? Official FAQ New
- 4.2.3 How should manufacturers deal with known exploitable vulnerabilities discovered after a product has been placed on the market but before reaching its final user? Official FAQ New
- 4.2.4 How does the secure-by-default requirement work? Official FAQ New
- 4.2.5 When is a product 'tailor-made'? What documentation is required in these cases? Official FAQ New
-
4.3 Vulnerability handling obligations (Annex I, Part II)
Vulnerability management and remediation obligations
- 4.3.1 Are manufacturers required to patch all vulnerabilities that are discovered during the support period? Official FAQ New
- 4.3.2 Does the manufacturer need to address and remediate vulnerabilities for all versions of a software product? Official FAQ New
- 4.3.3 Is the manufacturer responsible for the installation of security updates by the product's users? Official FAQ New
- 4.3.4 Does the manufacturer need to recall the product if it cannot fix a vulnerability? Official FAQ New
- 4.3.5 How should manufacturers ensure a separation between security and functionality updates, particularly where updates serve both purposes? Official FAQ New
- 4.3.6 How should vulnerabilities in integrated components be addressed and remediated? Official FAQ New
- 4.3.7 How does the end of the support period in an integrated component impact a product's compliance with the CRA? Official FAQ New
-
4.4 Due diligence requirements for integrating components
Due diligence for integrating components
- 4.4.1 What does the CRA prescribe when integrating components? Official FAQ New
- 4.4.2 What is the appropriate level of due diligence? Official FAQ New
- 4.4.3 In order to exercise due diligence, should a manufacturer only integrate components that bear the CE marking? Official FAQ New
- 4.4.4 How should manufacturers exercise due diligence with regards to open-source components that are not subject to the CRA? Official FAQ New
-
4.5 Support period
Product support period requirements
-
4.6 Other manufacturer's obligations
Additional manufacturer responsibilities
-
5 Reporting obligations of manufacturers
When and how manufacturers must report incidents and vulnerabilities
- 5.1 How can a manufacturer become aware of an actively exploited vulnerability or a severe incident? Official FAQ New
- 5.2 Does a manufacturer need to report zero-day vulnerabilities? Official FAQ New
- 5.3 Does a manufacturer need to report actively exploited vulnerabilities or severe incidents for products placed on the market before the CRA applies? Official FAQ New
- 5.4 If an actively exploited vulnerability is contained in a third-party component, are all manufacturers integrating that component required to notify it? Official FAQ New
-
6 Conformity assessment
Procedures for demonstrating compliance with CRA requirements
- 6.1 What is module A? How does it work? What conformity assessment activities are expected for self-assessment? Official FAQ New
- 6.2 What is module B+C? How does it work? Official FAQ New
- 6.3 What is module H? How does it work? Official FAQ New
- 6.4 Are manufacturers required to ensure the conformity of 'existing' product types? Official FAQ New
- 6.5 Which evaluation methodology should a manufacturer apply? Official FAQ New
- 6.6 What is the technical documentation? Official FAQ New
- 6.7 What is the CE marking? Official FAQ New
- 6.8 What is the declaration of conformity? Official FAQ New
- 6.9 What are notified bodies? Official FAQ New
- 6.10 When will harmonised standards to support CRA compliance be ready? Official FAQ New
-
7 Transition period
Timeline and provisions for implementing the CRA
- 7.1 When does the CRA start applying? Official FAQ New
- 7.2 A manufacturer develops a product type before the CRA applies. Can it continue to manufacture products identical to that type after the CRA applies? Official FAQ New
- 7.3 Can a manufacturer place on the market products with digital elements developed during the transition period, and that integrate components that do not bear the CE marking? Official FAQ New
- 7.4 Is a manufacturer allowed to integrate components that are important or critical products with digital elements that do not follow harmonised standards? Official FAQ New
- 7.5 Are distributors required to bring into compliance products with digital elements placed on the market before 11 December 2027? Official FAQ New
-