CRA FAQ

According to Article 71(2) Articles 35 to 51 apply from 11 June 2026. Member States are required to designate by that date notifying authorities that are responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies.

Reporting obligations laid down in Article 14 apply from 11 September 2026. As of that date, manufacturers are required to notify actively exploited vulnerabilities and severe incidents having an impact on the security of their products with digital elements via the single reporting platform.

The obligations of manufacturers to ensure that products with digital elements are in conformity with the essential cybersecurity requirements set out in Annex I, the provisions on market surveillance and enforcement, as well as all the other provisions set out in the CRA, apply from 11 December 2027.

According to Article 69(1), EU-type examination certificates and approval decision issued regarding cybersecurity requirements for products with digital elements that are subject to other Union harmonisation legislation, such as Commission Delegated Regulation (EU) 2022/30, remain valid until 11 June 2028 (unless otherwise specified in such legislation or unless the certificate expires before that date).

As stated in section 2.2 of the Blue Guide, Union harmonisation legislation including the CRA applies to individual products, and not product types. Therefore, only individual products that have been placed on the market before 11 December 2027 do not need to comply with the CRA.

Products that are manufactured according to a type that is not compliant with the CRA cannot be placed on the market on or after 11 December 2027, even if the first instance of that product “type” has been placed on the market before 11 December 2027.

For example, a manufacturer has produced 10 000 copies of a router according to a type that is not compliant with the CRA. It places those 10 000 copies on the market before 11 December 2027. Even if those units have not reached their final user (but have been placed on the market), the manufacturer does not need to bring them into compliance with the CRA (see also entry 1.4 Does the CRA apply to products with digital elements placed on the market before 11 December 2027?). However, that manufacturer may not produce another 5 000 copies of that router and place them on the market after 11 December 2027, as those 5 000 copies would not be compliant with the CRA.

For the purpose of complying with paragraph 1, manufacturers shall exercise due diligence when integrating components sourced from third parties so that those components do not compromise the cybersecurity of the product with digital elements, including when integrating components of free and open-source software that have not been made available on the market in the course of a commercial activity (Article 13(5)).

Immediately after the transitional period for the application of this Regulation, a manufacturer of a product with digital elements that integrates one or several components sourced from third parties which are also subject to this Regulation may not be able to verify, as part of its due diligence obligation, that the manufacturers of those components have demonstrated conformity with this Regulation by checking, for instance, if the components already bear the CE marking. This may be the case where the components have been integrated before this Regulation becomes applicable to the manufacturers of those components. In such a case, a manufacturer integrating such components should exercise due diligence through other means (Recital 35).

As explained in the entries 4.4.1 What does the CRA prescribe when integrating components? and 4.4.3 In order to exercise due diligence, should a manufacturer only integrate components that bear the CE marking?, a manufacturer can integrate components that do not bear the CE marking, but is required to exercise due diligence to ensure that those components do not compromise the cybersecurity of its product with digital elements.

During the transition period before the CRA applies, manufacturers will not be able to check whether third-party components are compliant with the CRA. This does not prevent manufacturers from integrating such components, and they should exercise due diligence through other means (see also entry 4.4.2 What is the appropriate level of due diligence?).

Yes, manufacturers are free to integrate components that are important or critical products that have not been designed in accordance with harmonised standards – regardless of whether such harmonised standards are available or not.

The application of harmonised standards is a means to demonstrate compliance, but is not the only means to do so.

Furthermore, as discussed in entries 4.4.1 What does the CRA prescribe when integrating components? and 4.4.3 In order to exercise due diligence, should a manufacturer only integrate components that bear the CE marking?, the manufacturer is not required to integrate only components that bear the CE marking.

No, products with digital elements placed on the market before 11 December 2027 are not subject to the requirements of the CRA (with the exception of reporting obligations), unless they are substantially modified. Distributors are therefore not required to bring such products into compliance with the CRA on or after 11 December 2027, unless they carry out a substantial modification.