Can a manufacturer place on the market products with digital elements developed during the transition period, and that integrate components that do not bear the CE marking?

For the purpose of complying with paragraph 1, manufacturers shall exercise due diligence when integrating components sourced from third parties so that those components do not compromise the cybersecurity of the product with digital elements, including when integrating components of free and open-source software that have not been made available on the market in the course of a commercial activity (Article 13(5)).

Immediately after the transitional period for the application of this Regulation, a manufacturer of a product with digital elements that integrates one or several components sourced from third parties which are also subject to this Regulation may not be able to verify, as part of its due diligence obligation, that the manufacturers of those components have demonstrated conformity with this Regulation by checking, for instance, if the components already bear the CE marking. This may be the case where the components have been integrated before this Regulation becomes applicable to the manufacturers of those components. In such a case, a manufacturer integrating such components should exercise due diligence through other means (Recital 35).

As explained in entries 4.4.1 “What does the CRA prescribe when integrating components?” and 4.4.3 “In order to exercise due diligence, should a manufacturer only integrate components that bear the CE marking?”, a manufacturer can integrate components that do not bear the CE marking, but is required to exercise due diligence to ensure that those components do not compromise the cybersecurity of its product with digital elements.

During the transition period before the CRA applies, manufacturers will not be able to check whether third-party components are compliant with the CRA. This does not prevent manufacturers from integrating such components, and they should exercise due diligence through other means (see also entry 4.4.2 “What is the appropriate level of due diligence?”).

© 2025 European Union • CC-BY 4.0 • “FAQs on the Cyber Resilience Act” p.65–66 (PDF)

Disclaimer: This document is prepared by the Commission services and should not be considered as representative of the European Commission’s official position. The replies to the FAQs do not extend in any way the rights and obligations deriving from applicable legislation nor introduce any additional requirement. The expressed views are not authoritative and cannot prejudge any future actions the European Commission may take, including potential positions before the Court of Justice of the European Union, which is competent to authoritatively interpret Union law.