CRA FAQ

 Open Regulatory Compliance Working Group Orc mascott

Should a manufacturer redesign their products to comply with the requirements of the DA and the CRA?

Under the DA, there is no strict (re)design product obligation. Rather, manufacturers remain free to design products as they see fit, as long as the obligations related to making data available are complied with.

Whilst the CRA is set to apply fully by 11 December 2027, products with digital elements placed on the market before that date are only subject to the CRA’s cybersecurity requirements if, from that date, they are subject to a substantial modification (Article 69(2) CRA). Reporting obligations, e.g. for actively exploited vulnerabilities, apply for all products with digital elements (Article 14). See also 1.4 Does the CRA apply to products with digital elements placed on the market before 11 December 2027?

© 2025 European Union • CC-BY 4.0“FAQs on the Cyber Resilience Act” p.22–23 (PDF)
Disclaimer

Disclaimer: This document is prepared by the Commission services and should not be considered as representative of the European Commission’s official position. The replies to the FAQs do not extend in any way the rights and obligations deriving from applicable legislation nor introduce any additional requirement. The expressed views are not authoritative and cannot prejudge any future actions the European Commission may take, including potential positions before the Court of Justice of the European Union, which is competent to authoritatively interpret Union law.