💫 Recently Updated FAQs

FAQs updated within the last 14 days

What is the Blue Guide?

The Blue Guide is one of the main reference documents of the European Commission explaining how to implement legislation based on the New Legislative Framework (NLF). Unlike the CRA, the Blue Guide does not have legal force. It predates the CRA and only discusses software as something embedded into a physical product, not as a standalone product. For this reason, until an updated version is available, the Blue Guide's guidance should be read in light of the CRA's wider scope, taking into account the nuances the CRA introduces for software. For example, on the concept of "commercial activity", Recital 18 CRA provides more specific guidance on "monetisation" and "non-profit organisations" than is available in the Blue Guide's "Making available on the market" section.

© 2025 ORC WG Authors • CC BY 4.0 • Source
Disclaimer

Disclaimer: The information contained in this FAQ is of a general nature only and is not intended to address the specific circumstances of any particular individual or entity. It is not necessarily comprehensive, complete, accurate, or up to date. It does not constitute professional or legal advice. If you need specific advice, you should consult a suitably qualified professional.

What kinds of products are NOT regulated by the CRA?

The following are NOT regulated by the Cyber Resilience Act (CRA):

It is worth noting, however, that the intent of the EU legislators is to harmonize the various regulations mentioned above with the CRA in the near future.

What is not considered remote data processing?

The following are not considered remote data processing:

  • Remote processing of data that isn't fed back into the product (such as telemetry data).
  • Websites that do not support the function of the product (by contrast with websites that support a function, such as providing an authentication page).
  • Data processing that supports the manufacturer’s own operations (such as payroll systems, customer relationship management, or other administrative systems).

Note

You might still be subject to other EU legislation even if you fall outside the scope of the CRA's remote data processing provisions.

What is ENISA?

ENISA is the European Union Agency for Cybersecurity. It is headquartered in Athens, Greece.

ENISA supports national and EU authorities, the private sector, and European citizens through various activities.

The role of ENISA is defined in the Cybersecurity Act (CSA).

You can find more information on ENISA's website.

What is due diligence?

Under the Cyber Resilience Act, due diligence refers to the obligation of manufacturers to ensure that any third-party components integrated into their products, including Free and Open Source Software, adhere to the essential cybersecurity requirements of Annex I. Manufacturers remain responsible for the security of the final product as a whole, and failure to comply may result in administrative fines.

The appropriate level of due diligence depends on the nature and cybersecurity risk of the component. As outlined in Recital 34, due diligence typically involves one or more of the following actions:

  • Verifying conformity: Checking if the component already bears the CE marking or has demonstrated conformity with the CRA, for example through a security attestation.
  • Checking maintenance: Verifying that the component receives regular security updates (e.g., checking its update history).
  • Vulnerability scanning: Checking the component for known vulnerabilities listed in public databases (e.g., the European vulnerability database maintained by ENISA).
  • Security testing: Carrying out additional security tests relative to the risk.

If a vulnerability is identified during this process, the manufacturer must report it to the person or entity maintaining the component, remediate it, and share the fix (the relevant code or documentation) with the upstream maintainer, for example by opening a merge/pull request upstream.
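The maintenance and vulnerability-scanning steps in the list above lend themselves to automation in a release pipeline. The following Python script is an added example, not code from the ORC WG or from any CRA guidance: it reads a constructed CycloneDX-style SBOM fragment, matches each component's version against a constructed OSV-style advisory feed using the usual introduced/fixed range semantics, and flags components that have had no release within a year. The `last_release` SBOM property, the `EXAMPLE-*` advisory identifiers, the package names and the 365-day threshold are all assumptions made for this example; a real run would pull advisories from a public source such as OSV or ENISA's European vulnerability database.

```python
"""Offline due-diligence checks over an SBOM: known-vulnerability matching and
maintenance (staleness) checks. All data below is constructed for the example."""
import json
import re
from datetime import date
from typing import Optional

# Constructed CycloneDX-style SBOM fragment. The "last_release" property is an
# assumption for this example, not a standard CycloneDX field.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "libfoo", "version": "2.4.1", "purl": "pkg:generic/libfoo@2.4.1",
     "properties": [{"name": "last_release", "value": "2025-06-10"}]},
    {"name": "oldcrypt", "version": "0.9.3", "purl": "pkg:generic/oldcrypt@0.9.3",
     "properties": [{"name": "last_release", "value": "2021-02-01"}]},
    {"name": "netparse", "version": "1.2.0", "purl": "pkg:generic/netparse@1.2.0",
     "properties": [{"name": "last_release", "value": "2025-09-01"}]}
  ]
}
"""

# Constructed OSV-style advisories (placeholder IDs, not real CVEs). A range is
# affected from "introduced" (inclusive) up to "fixed" (exclusive); a missing
# or None "fixed" means no fix has been released yet.
VULN_FEED = [
    {"id": "EXAMPLE-2024-0001", "package": "netparse", "introduced": "1.0.0", "fixed": "1.2.3"},
    {"id": "EXAMPLE-2023-0007", "package": "libfoo", "introduced": "2.0.0", "fixed": "2.4.0"},
]

MAX_STALE_DAYS = 365  # assumed threshold: no release in a year => flag for review


def parse_version(v: str) -> tuple:
    """Convert '1.10.0' to (1, 10, 0) so versions compare numerically.
    Lexical comparison would wrongly rank '1.10.0' below '1.9.0'."""
    parts = []
    for piece in re.split(r"[.\-+]", v):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """OSV range semantics: introduced <= version < fixed."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def check_components(sbom_json: str, feed: list, today: date) -> dict:
    """Return {purl: [issue, ...]} for every component in the SBOM."""
    findings = {}
    for comp in json.loads(sbom_json)["components"]:
        issues = []
        # Vulnerability scanning: match package name and version range.
        for adv in feed:
            if adv["package"] == comp["name"] and is_affected(
                comp["version"], adv["introduced"], adv.get("fixed")
            ):
                fix = adv.get("fixed") or "no fix yet"
                issues.append(f"known vulnerability {adv['id']} (fixed in {fix})")
        # Maintenance check: how long since the last upstream release?
        props = {p["name"]: p["value"] for p in comp.get("properties", [])}
        last = props.get("last_release")
        if last is None:
            issues.append("no release history recorded")
        elif (today - date.fromisoformat(last)).days > MAX_STALE_DAYS:
            issues.append(f"no release since {last} (> {MAX_STALE_DAYS} days)")
        findings[comp["purl"]] = issues
    return findings


def run_report(sbom_json: str = SBOM_JSON, feed: list = VULN_FEED,
               today_iso: str = "2025-10-01") -> dict:
    """A fixed 'today' keeps the example deterministic."""
    return check_components(sbom_json, feed, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for purl, issues in run_report().items():
        print(f"{purl}: {'OK' if not issues else '; '.join(issues)}")
```

Two points the checklist does not spell out: version strings must be compared numerically rather than lexically (the `parse_version` helper is what keeps `1.10.0` from sorting below `1.9.0`), and a component with no entry in the feed is merely unknown, not clean (`oldcrypt` above is flagged only for staleness), which is why the list ends with additional security testing proportionate to the risk.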
