CRA FAQ

🏛️ CRA Basics

Official questions and answers from the European Commission

• What is the new EU Cyber Resilience Act?
• What kind of risks does the proposal aim to address?
• How does the Cyber Resilience Act address these problems?
• Who will benefit from the Cyber Resilience Act?
• What will happen to non-compliant products?
• Will software, when provided as a service and not as a product, be covered under the CRA?
• How will it interplay with the existing rules?
• NIS2 Directive
• Delegated Regulation under the Radio Equipment Directive
• What are the next steps?

🛡️ The Cyber Resilience Act (CRA) itself

Essential information about the CRA regulation, its scope, timeline, and key requirements

• What is the Cyber Resilience Act (CRA)?
• Where is the official text of the CRA?
• When does the CRA enter into force and when does the regulation start to apply?
• What kinds of products are regulated by the CRA?
• What kinds of products are NOT regulated by the CRA?
• What is the 'CE mark' and do I need to add it to my software?
• What is the CRA Expert Group?
• What does 'make a profit' mean under the CRA?
• What does 'actual costs' mean under the CRA?
• What does 'intention to monetise' mean under the CRA?
• What happens to freeware (non-FOSS, free-of-charge) projects under the CRA?

🧑‍💻 Contributors

Understanding how the CRA impacts open source contributions, if at all

• Am I subject to the CRA if I only contribute to an open source project?

🧑‍🔧 Maintainers

Understanding the role of maintainers under the CRA and clarifying their obligations

• I am worried about how the CRA might impact me, and so I am considering shutting down my open source projects. Should I do that?
• Am I subject to the CRA if I earn a living from the open source project I maintain?
• Am I subject to the CRA if I only contribute to an open source project?
• Am I subject to the CRA if I maintain, but do not monetize, an open source project?
• If I maintain an open source codebase, and am treated as a "manufacturer" or "steward", what penalties could I face for violating the CRA?
• I am NOT subject to the CRA, and want to make this clear to downstream users. What should I say
• Can a solo maintainer be considered to be an open-source software steward?
• Can a loosely organized group of maintainers be considered to be an open-source software steward?
• Does the mere popularity of my open source project expose me to CRA regulation?
• Do common consulting arrangements make me a manufacturer?
• Does receiving grants make me a manufacturer?
• Does accepting donations make me a manufacturer?
• Does providing technical support for a fee put you in scope of the CRA?
• Can a natural person's living expenses count as 'costs' or is that profit?
• Can I get paid to develop an open source project without being considered a manufacturer?
• How is 'sponsorware' affected by the CRA?

🧰 Open source projects

Understanding the role of open source projects in the CRA

• What criteria determine whether an open source project is in scope of the CRA?
• What does "Monetizing without making a profit" mean?
• Is distributing binaries or container images of an open source project considered as making it available on the market?

🌱 Open-Source Software Stewards

Understanding the steward role, obligations, and requirements under the CRA

• Do all open source projects have an open-source software steward?
• What is an open-source software steward?
• Who can be an open-source software steward?
• What are the obligations of open-source software stewards?
• What are the notification obligations of open-source software stewards?
• Does a steward bear the cost of translating and maintaining its policy documents in many of the EU languages?
• How do open-source software stewards demonstrate that they meet their obligations?
• What is required from an open source steward for evidence showing compliance with vulnerability reporting?
• What happens when an open-source software steward doesn't meet its obligations?
• Will open source stewards be expected to provide an SBOM?
• What technical documentation is expected from an open source steward?
• Which of the essential requirements described in Annex I, if any, are in scope for the 'light-touch and tailor-made regulatory regime' of stewards?
• Does a steward bear the cost of translating and maintaining its policy documents in many of the EU languages?
• Can a company be classified as an open-source software steward?
• What's the difference between a manufacturer and a steward in the context of open source?
• Can you be a steward of your own codebase or only someone else's?
• If a non-profit receives donations to pay developers, is there an 'intention to monetise'?

🏭 Manufacturers

Understanding the manufacturer role and responsibilities under the CRA

• What is a manufacturer?
• Can a manufacturer also be an open-source software steward?
• As a manufacturer, if I make a mistake or a security flaw is found in my project, will I get in trouble?
• Is a company considered a manufacturer if it funds the development and maintenance of an open source project that is not under their responsibility?
• Does getting paid for open source software development make you a manufacturer?

🌐 Remote Data Processing Solutions

Understanding how remote data processing solutions (RDPS) substantially broaden the scope of the CRA

• What is remote data processing?
• What is considered remote data processing?
• What is not considered remote data processing?
• Are 3rd-party remote data processing solutions in scope?
• Are remote data processing solutions that are built in house subject to the CRA?
• Is cloud infrastructure that supports remote data processing also in scope?

🔌 Standards

Understanding harmonised standards and their role in CRA compliance

• What is a harmonised standard and why does it matter?
• When will harmonised standards to support CRA compliance be ready?
• What is the relationship between harmonised standards and the manufacturer's cybersecurity risk assessment?
• Is a manufacturer allowed to integrate components that are important or critical products with digital elements that do not follow harmonised standards?

📡 Important and Critical Product Categories

Understanding product categories and their impact on compliance in the CRA

• Does a product which includes an open source component belonging to the category of important products (Annex III) inherit that category?
• What is the CRA Expert Group?

🚒 Vulnerability Handling

Understanding vulnerability handling and incident response requirements in the CRA

• What is a CSIRT?
• What is ENISA?

🔍 Due diligence

Understanding the due diligence obligations of manufacturers

• What is due diligence?
• How are security attestations and due diligence related?

📋 Security attestations

Understanding security attestations and their role in CRA compliance

• What is a security attestation in the CRA?
• How are security attestations and due diligence related?

🇪🇺 EU Legislation

Understanding the broader EU legislative framework that supports the CRA

• What is the Blue Guide?
• What is the New Legislative Framework (NLF)?
• What is a legal person?
• What is the CRA Expert Group?

🇪🇺 Official FAQs

Message from the European Commission: "This preliminary set of technical Frequently Asked Questions (FAQs), published approximately two years before the entry into application of the Cyber Resilience Act (CRA), is designed to assist stakeholders in the implementation of the CRA. The FAQs are not meant to cover exhaustively the scope of the CRA, but rather aim to address recurring questions that the Commission services have collected since the entry into force of the CRA. This is intended to be a 'living document' that will be updated as and when necessary."

Current version: 1.2 (16 January 2026)

• 🎯 1 Scope

  Understanding which products and situations fall under the CRA

  • 1.1 When is a product with digital elements in scope of the Cyber Resilience Act?
  • 1.2 What is a product with digital elements? Are stand-alone software or firmware products with digital elements?
  • 1.3 What is a direct or indirect logical or physical data connection to a device or network?
  • 1.4 Does the CRA apply to products with digital elements placed on the market before 11 December 2027?
  • 1.5 Are products that are manufacturer only for one's own use in scope of the CRA?
  • 1.6 Can manufacturers release non-compliant versions of software for testing?
  • 1.7 Can manufacturers maintain publicly accessible software archives?
  • 1.8 Are products meant to be used for national security or defence purposes excluded from the CRA?
  • 1.9 Are there products with digital elements covered by other Union legislation that are exempted from the CRA?

• ⚖️ 2 Interplay with other legislation

  How the CRA works alongside other EU regulations and directives

  • ✈️ 2.1 Regulation (EU) 2018/1139 on common rules in the field of civil aviation

    Overlap between EU regulations on civil aviation and the CRA

    • 2.1.1 Are products falling within the scope of Regulation (EU) 2018/1139 also covered by the CRA?

  • ⚓ 2.2 Directive (EU) 2014/90 on marine equipment

    Marine equipment directive and CRA requirements

    • 2.2.1 Are products falling within the scope of Directive (EU) 2014/90 also covered by the CRA?

  • ⚖️ 2.3 Product Liability Directive (EU) 2024/2853

    Product liability directive interaction with CRA

    • 2.3.1 What is the interplay between the CRA and the Product Liability Directive?

  • 🛠️ 2.4 Machinery Regulation (Regulation (EU) 2023/1230)

    Machinery regulation cybersecurity requirements

    • 2.4.1 What is the interplay between the CRA and the Machinery Regulation?
    • 2.4.2 Should a product comply with both the CRA and MR cybersecurity requirements?
    • 2.4.3 Should a manufacturer ensure the assessment of conformity for a product through the procedures set out in both the CRA and the MR?

  • 🛡️ 2.5 General Product Safety Regulation (EU) 2023/988

    General product safety regulation compliance

    • 2.5.1 What is the interplay between the CRA and the General Product Safety Regulation?
    • 2.5.2 Does a product with digital elements need to comply with the requirements of both the CRA and the GPSR?

  • 📻 2.6 Radio Equipment Directive 2014/53/EU and the Commission Delegated Regulation (EU) 2022/30

    Radio equipment directive requirements

    • 2.6.1 What is the interplay between the CRA and the Radio Equipment Directive?

  • 🏥 2.7 European Health Data Space Regulation (Regulation (EU) 2025/327)

    European health data space regulation

    • 2.7.1 What is the interplay between the CRA and the European Health Data Space Regulation?
    • 2.7.2 Should a product comply with both the CRA and EHDS Regulation requirements?
    • 2.7.3 Should a manufacturer ensure the assessment of conformity for a product through the procedures set out in both the CRA and EHDS Regulation?
    • 2.7.4 Should the manufacturer draw up separate EU declarations of conformity per Union legal act?

  • 🔒 2.8 General Data Protection Regulation (Regulation (EU) 2016/679)

    GDPR and data protection requirements

    • 2.8.1 What is the interplay between the CRA and the General Data Protection Regulation?

  • 📊 2.9 Data Act (Regulation (EU) 2023/2854)

    Data act requirements and obligations

    • 2.9.1 What is the interplay between the CRA and the Data Act?
    • 2.9.2 How do the requirements for products with digital elements under the CRA take account of the obligations to make data available to users or third parties under the Data Act?
    • 2.9.3 Should a manufacturer redesign their products to comply with the requirements of the DA and the CRA?

• 📡 3 Important and critical products

  Classification and requirements for high-risk products

  • 3.1 What determines if a product with digital elements is an important or critical product?
  • 3.2 Does integrating an important or critical product with digital elements into another product with digital elements render that product important or critical?
  • 3.3 Does the classification of a product as important or critical impact the manufacturer's risk assessment?
  • 3.4 Does the presence of multiple functions mean that a product does not have the core functionality of an important or critical product?
  • 3.5 {#section .unnumbered}

• 🏭 4 Manufacturer's obligations

  Key responsibilities and requirements for manufacturers

  • ⚠️ 4.1 Risk-based approach and risk-assessment

    Cybersecurity risk assessment requirements

    • 4.1.1 What does the CRA require of the manufacturer's cybersecurity risk assessment?
    • 4.1.2 Does the CRA mandate a specific risk assessment methodology?
    • 4.1.3 Does a manufacturer need to implement all the essential requirements?
    • 4.1.4 What are intended purpose and reasonably foreseeable use, and how do they affect the cybersecurity risk assessment?
    • 4.1.5 What is reasonably foreseeable misuse, and how does it affect the cybersecurity risk assessment?
    • 4.1.6 How does the length of time the product is expected to be in use affect the manufacturer's cybersecurity risk assessment?
    • 4.1.7 What is the relationship between harmonised standards and the manufacturer's cybersecurity risk assessment?
    • 4.1.8 What does a manufacturer need to include regarding the cybersecurity risk assessment in the technical documentation to be kept at the disposal of market surveillance authorities?

  • ✅ 4.2 Product-related essential requirements (Annex I, Part I)

    Product-related essential cybersecurity requirements

    • 4.2.1 Which technical measures does a manufacturer need to implement?
    • 4.2.2 How can a manufacturer ensure that a product is free from all vulnerabilities?
    • 4.2.3 How should manufacturers deal with known exploitable vulnerabilities discovered after a product has been placed on the market but before reaching its final user?
    • 4.2.4 How does the secure-by-default requirement work?
    • 4.2.5 When is a product "tailor-made"? What documentation is required in these cases?

  • 🚒 4.3 Vulnerability handling obligations (Annex I, Part II)

    Vulnerability management and remediation obligations

    • 4.3.1 Are manufacturers required to patch all vulnerabilities that are discovered during the support period?
    • 4.3.2 Does the manufacturer need to address and remediate vulnerabilities for all versions of a software product?
    • 4.3.3 Is the manufacturer responsible for the installation of security updates by the product's users?
    • 4.3.4 Does the manufacturer need to recall the product if it cannot fix a vulnerability?
    • 4.3.5 How should manufacturers ensure a separation between security and functionality updates, particularly where updates serve both purposes?
    • 4.3.6 How should vulnerabilities in integrated components be addressed and remediated?
    • 4.3.7 How does the end of the support period in an integrated component impact a product's compliance with the CRA?

  • 🔍 4.4 Due diligence requirements for integrating components

    Due diligence for integrating components

    • 4.4.1 What does the CRA prescribe when integrating components?
    • 4.4.2 What is the appropriate level of due diligence?
    • 4.4.3 In order to exercise due diligence, should a manufacturer only integrate components that bear the CE marking?
    • 4.4.4 How should manufacturers exercise due diligence with regards to open-source components that are not subject to the CRA?

  • ⏰ 4.5 Support period

    Product support period requirements

    • 4.5.1 Which criteria should the manufacturer take into account when determining a product's support period?
    • 4.5.2 Is there a minimum support period?
    • 4.5.3 Can a manufacturer continue to sell products without a support period?

  • 📋 4.6 Other manufacturer's obligations

    Additional manufacturer responsibilities

    • 4.6.1 Can a third-country manufacturer directly place products on the Union market?

• 🚨 5 Reporting obligations of manufacturers

  When and how manufacturers must report incidents and vulnerabilities

  • 5.1 How can a manufacturer become aware of an actively exploited vulnerability or a severe incident?
  • 5.2 Does a manufacturer need to report zero-day vulnerabilities?
  • 5.3 Does a manufacturer need to report actively exploited vulnerabilities or severe incidents for products placed on the market before the CRA applies?
  • 5.4 If an actively exploited vulnerability is contained in a third-party component, are all manufacturers integrating that component required to notify it?

• ✅ 6 Conformity assessment

  Procedures for demonstrating compliance with CRA requirements

  • 6.1 What is module A? How does it work? What conformity assessment activities are expected for self-assessment?
  • 6.2 What is module B+C? How does it work?
  • 6.3 What is module H? How does it work?
  • 6.4 Are manufacturers required to ensure the conformity of "existing" product types?
  • 6.5 Which evaluation methodology should a manufacturer apply?
  • 6.6 What is the technical documentation?
  • 6.7 What is the CE marking?
  • 6.8 What is the declaration of conformity?
  • 6.9 What are notified bodies?
  • 6.10 When will harmonised standards to support CRA compliance be ready?

• ⏳ 7 Transition period

  Timeline and provisions for implementing the CRA

  • 7.1 When does the CRA start applying?
  • 7.2 A manufacturer develops a product type before the CRA applies. Can it continue to manufacture products identical to that type after the CRA applies?
  • 7.3 Can a manufacturer place on the market products with digital elements developed during the transition period, and that integrate components that do not bear the CE marking?
  • 7.4 Is a manufacturer allowed to integrate components that are important or critical products with digital elements that do not follow harmonised standards?
  • 7.5 Are distributors required to bring into compliance products with digital elements placed on the market before 11 December 2027?