When is a product “tailor-made”? What documentation is required in these cases?
Manufacturers should make their products with digital elements available on the market with a secure by default configuration and provide security updates to users free of charge. Manufacturers should only be able to deviate from the essential cybersecurity requirements in relation to tailor-made products that are fitted to a particular purpose for a particular business user and where both the manufacturer and the user have explicitly agreed to a different set of contractual terms (Recital 64).
The CRA allows manufacturers to deviate from exactly two essential requirements, namely the secure by default configuration in point (2.b) of Annex I, Part I and the provision of security updates to users free of charge in point (8) of Annex I, Part II. Both points themselves state the condition: the deviation is permitted only in relation to tailor-made products that are fitted to a particular purpose for a particular business user, and only where both the manufacturer and the user have explicitly agreed to a different set of contractual terms. All other essential cybersecurity requirements of Annex I continue to apply to a tailor-made product.
This could be the case, for example, for custom-developed hardware or software designed to meet the needs of a specific business user, or products that are developed for integration into a specific customer’s highly controlled environments (e.g. closed networks or air-gapped environments) and are subject to specific contractual terms.
A product is not tailor-made, on the other hand, when it undergoes minor customisations before being sold to a customer, without specific sets of contractual terms or arrangements. This is the case, for example, for a customer relationship management (CRM) platform sold to multiple businesses, even if the manufacturer enables some minor customisations; or platforms that use plugins or APIs to be customised, but are fundamentally the same product for every customer.
In accordance with Article 31, the manufacturer is expected to include in its technical documentation all relevant data or details to show that its product complies with the relevant essential cybersecurity requirements, including appropriate evidence to demonstrate that the product is tailor-made.
Disclaimer
This document is prepared by the Commission services and should not be considered as representative of the European Commission’s official position. The replies to the FAQs do not extend in any way the rights and obligations deriving from applicable legislation nor introduce any additional requirement. The expressed views are not authoritative and cannot prejudge any future actions the European Commission may take, including potential positions before the Court of Justice of the European Union, which is competent to authoritatively interpret Union law.