CRA FAQ

 Open Regulatory Compliance Working Group Orc mascott

Does the CRA apply to products with digital elements placed on the market before 11 December 2027?

“Products with digital elements that have been placed on the market before 11 December 2027 are subject to the requirements of the CRA only if, from that date, they are subject to a substantial modification” (Article 69(2)).

“By way of derogation, the obligations laid down in Article 14 shall apply to all products with digital elements that fall within the scope of this Regulation, even if placed on the market before 11 December 2027” (Article 69(3)).

The CRA applies to products placed on the market before 11 December 2027 only if those products are substantially modified after that date. See also 7.1 When does the CRA start applying?

For example, a manufacturer places on the market a smart TV in mid-2027. The manufacturer is not required to comply with the CRA for this product with digital elements. In 2028, it releases a software update, which does not qualify as a substantial modification, to fix a bug that causes apps running on the TV to crash after some usage time. The manufacturer is not required to bring the smart TV in conformity with the CRA, as it would not be substantially modifying it.

In 2029, that manufacturer releases a software update that qualifies as a substantial modification, for example because it modifies the original intended functions by enabling the smart TV to control smart home systems. In that case, the manufacturer is required to bring the smart TV into compliance with the CRA.

See also 7.2 A manufacturer develops a product type before the CRA applies. Can it continue to manufacture products identical to that type after the CRA applies?

A derogation to this general rule, however, applies to reporting obligations laid down in Article 14. Manufacturers are required to notify actively exploited vulnerabilities and severe incidents having an impact on the security of the product with digital elements for all products with digital elements falling within the scope of the CRA, including products that have been placed on the market before 11 December 2027 (Article 69(3)). See for further explanation 5.3 Does a manufacturer need to report actively exploited vulnerabilities or severe incidents for products placed on the market before the CRA applies?

© 2025 European Union • CC-BY 4.0“FAQs on the Cyber Resilience Act” p.10–11 (PDF)
Disclaimer

Disclaimer: This document is prepared by the Commission services and should not be considered as representative of the European Commission’s official position. The replies to the FAQs do not extend in any way the rights and obligations deriving from applicable legislation nor introduce any additional requirement. The expressed views are not authoritative and cannot prejudge any future actions the European Commission may take, including potential positions before the Court of Justice of the European Union, which is competent to authoritatively interpret Union law.