
Cyber Resilience Act: Guidance for manufacturers of products with digital elements

What requirements does the CRA impose on manufacturers?

Guidance on the application of Regulation (EU) 2024/2847 (Cyber Resilience Act)



The CRA aims to create a uniform EU-wide regulatory framework for cybersecurity requirements for products with digital elements – across the entire product life cycle.

Article 26 of Regulation (EU) 2024/2847 obliges the European Commission to publish guidelines to assist economic operators in applying the Regulation. The Commission published the draft of this guidance on 3 March 2026.

This technical article focuses on explaining the contents of the guidance to manufacturers of machinery, equipment and electrical equipment (IoT devices) and supporting them in complying with the new requirements.

What exactly does “placing on the market” mean, and what clarifications are needed in this regard?

Here, the guidance refers to the Blue Guide and clarifies that the terms ‘placing on the market’ and ‘making available’ refer ‘to each individual product and not to a product type, regardless of whether it was manufactured as a single item or in series’.

Standalone software that is made available digitally is considered, within the meaning of Regulation (EU) 2024/2847, to have been placed on the market as soon as its development is complete and it is offered for the first time in the course of a commercial activity for distribution or use on the EU market.

Since digital software can be reproduced without physical production or storage limits, this initial offer means that a virtually unlimited number of identical copies are considered to be placed on the market simultaneously. Subsequent downloads or accesses are merely considered to be the provision of the same product already placed on the market, even if they occur at different times.

New versions of the software are only considered to be placed on the market again if they constitute a substantial modification. Minor updates or iterations without substantial modification do not require a new conformity assessment and do not change the original date of placing on the market.

This interpretation applies only to standalone software that is digitally provided. It does not apply if:

  • Software is delivered on physical data carriers (e.g. USB stick) or
  • Software is distributed together with hardware as a product.
     

How is CRA applied when hardware and software are combined to form a product?

Regulation (EU) 2024/2847 applies to products with digital elements, i.e. hardware or software products and their remote processing solutions, provided they have a direct or indirect data connection to devices or networks.

The scope of application includes, among other things:

  • Standalone software (e.g. apps or computer programmes)
  • Hardware with embedded software (e.g. IoT devices)
  • Standalone hardware (e.g. chips or motherboards)
  • Combinations of hardware and software, even if they are provided separately

The decisive factor is not how or when software is provided, but whether it is necessary for the intended functions of the product. If a hardware device can only perform its functions in conjunction with specific software, the hardware and software are jointly considered a single product with digital elements.

This also applies if the software is only provided after the hardware has been sold through other channels (e.g. website, app store, download). Examples include device drivers for printers or apps for controlling a fitness tracker, which are necessary for the operation or use of the device.

How does the CRA guidance interpret the term ‘data connection’?

Regulation (EU) 2024/2847 applies to products with digital elements if their intended or foreseeable purpose involves a direct or indirect data connection to a device or network.

The definition of the term ‘product with digital elements’ is ultimately based on the definition of the term ‘electronic information system’, i.e. ‘a system, including electrical or electronic equipment, capable of processing, storing or transmitting digital data’ (Article 3(7), CRA). The scope of the CRA is therefore not linked to the mere presence of electronics, but to the ability of a product to exchange digital information.

A data connection within the meaning of the CRA exists only if information is deliberately encoded digitally (e.g. in binary form), transmitted, and interpreted as data by a recipient. Purely electrical signals that merely trigger a function (e.g. on/off signals that carry no information) are not data connections and therefore do not bring a product into the scope of the CRA on this basis.
 

How should the CRA be applied to machinery and equipment that the guidance classifies as ‘complex systems’?

Regulation (EU) 2024/2847 also applies to ‘complex systems’ consisting of multiple hardware and software components if they are provided on the market as a single product.

Such systems may be difficult to adapt to new security requirements due to long development cycles, existing architectures or necessary interoperability. Nevertheless, they do not automatically fall outside the scope of the CRA. Instead, a risk-based approach applies.

Manufacturers must:

  • perform a cybersecurity risk assessment,
  • identify and document technical limitations,
  • implement alternative or compensating security measures if certain requirements cannot be fully met.

These limitations, risks and measures must be described transparently in the technical documentation and user information and reviewed regularly during the support period and updated if necessary.

How should products that were developed before the CRA applies be treated?

Products that were developed before the application of Regulation (EU) 2024/2847 may continue to be placed on the market without requiring redevelopment.

This applies provided that the manufacturer:

  • performs a cybersecurity risk assessment,
  • demonstrates that the product already incorporates appropriate and effective security measures,
  • and thus meets the essential cybersecurity requirements.

However, even without design changes, all CRA obligations must be complied with, in particular:

  • Performing a conformity assessment,
  • drawing up the EU declaration of conformity,
  • affixing the CE marking,
  • compiling the technical documentation, including the cybersecurity risk assessment.

If no original security assessment from the development phase is available, the manufacturer must prepare a current risk assessment and document how existing measures mitigate the identified risks. In addition, processes for dealing with vulnerabilities must be established and the risk assessment must be updated regularly during the support period.

How should a ‘substantial modification’ to products within the scope of the CRA be assessed?

Article 3(30) of Regulation (EU) 2024/2847 defines a ‘substantial modification’ as a change to the product with digital elements following its placing on the market that affects the product's compliance with the essential cybersecurity requirements in Annex I, Part I, or results in a change to the intended purpose for which the product was assessed.

According to the CRA, any person or company is considered a manufacturer if they make a substantial modification to a product and subsequently make it available on the market.

This applies in particular to:

  • importers or distributors who substantially modify a product,
  • any other natural or legal person who makes such a modification,
  • modifications to products placed on the market before 11 December 2027 if they are subsequently substantially modified.

Regulation (EU) 2024/2847 distinguishes between ‘modifications’, ‘repairs’, ‘spare parts’ and ‘software updates’ in order to determine whether a substantial modification of a product has taken place.

Physical changes/repairs

Maintenance, repair or replacement of components does not automatically result in a substantial modification. The decisive factor is whether:

  • the intended use of the product changes or
  • the cybersecurity risk increases.

The replacement of defective parts with equivalent or better components is not generally considered a substantial modification as long as the function and risk remain unchanged.

Spare parts

  • Identical spare parts manufactured to the same specifications are not covered by the CRA.
  • Non-identical spare parts are considered separate products and are subject to the CRA.

Nevertheless, their installation does not normally constitute a substantial modification of the original product if the purpose and risk profile remain the same.

Software updates

A software update is considered a substantial modification if it:

  • affects compliance with cybersecurity requirements or
  • changes the original intended use of the product or
  • introduces new or increased cybersecurity risks that were not considered in the original risk assessment.

Routine security updates, and updates that were already covered by the original risk assessment, are generally not considered a substantial modification.

What are the consequences of a substantial modification of a product?

If a substantial modification is made:

  • the product is considered to be newly placed on the market,
  • the natural or legal person making the modification is considered to be the manufacturer,
  • a new conformity assessment under the CRA is required.

With regard to documentation following a substantial modification, reference is made to section 2.1 of the Blue Guide. This clarifies that the technical documentation must be updated if the modification affects the requirements of the applicable legislation. Tests need not be repeated, and new documentation need not be created, for aspects that are not affected by the modification. It is up to the natural or legal person who makes or has made the modification to demonstrate which elements of the technical documentation do not need to be updated. That person is responsible for the conformity of the modified product and must issue a declaration of conformity, even where existing tests and technical files are reused.

Products placed on the market before 11 December 2027 are covered by the CRA only if they are substantially modified after that date.


Conclusion

The guidance document on Regulation (EU) 2024/2847 clarifies key terms and use cases of the regulation and provides manufacturers of machinery, equipment and electrical equipment with important guidance on the practical implementation of the new cybersecurity requirements.

A key aspect is the clarification of when a product is considered to have been placed on the market and which products fall within the scope of the CRA. The decisive factor is not only the presence of electronic components, but also the ability of a product to process or exchange digital data. Combinations of hardware and software are also considered to be products with digital elements if both are necessary for the functionality of the product.

The guidance also clarifies that the CRA takes a risk-based approach. Manufacturers must assess and document cybersecurity risks throughout the entire life cycle of a product and implement appropriate protective measures. This also applies to complex systems such as machines or industrial plants, where technical limitations or existing system architectures must be taken into account.

There is generally no obligation to redesign products developed before the CRA applies. The key point is that manufacturers can demonstrate, through an up-to-date cybersecurity risk assessment, that their products achieve an appropriate level of cybersecurity and meet the essential requirements.

The term ‘substantial modification’ is also of particular importance. Only changes that affect compliance with the essential cybersecurity requirements, alter the intended purpose of a product, or introduce new or increased cybersecurity risks result in a product being considered newly placed on the market and requiring a new conformity assessment. Maintenance, repairs, identical spare parts and routine security updates do not usually lead to such a classification.

Overall, the guidance shows that the CRA not only defines new security requirements, but also establishes clear rules for software updates, product changes, documentation and responsibilities throughout the product life cycle. For manufacturers, this means above all systematically integrating cybersecurity into their development, change and support processes and transparently documenting the relevant evidence in the technical documentation.

The draft of these guidelines has a deadline for comments of 31 March 2026.


Posted on: 2026-03-10 (Last amendment)

Authors

Hendrik Stupin

Trained technical editor (tekom-certified) and certified CE coordinator. Previously 11 years of experience in technical communication and as a CE coordinator in the field of mechanical and plant engineering, specialising in ‘Engineered to Order (ETO)’ products.

E-Mail: hendrik.stupin@ibf-solutions.com | www.ibf-solutions.com

 

Wolfgang Reich
CE marking and safety expert. HTL electrical engineering, specialising in power engineering (Dipl.-HTL-Ing.). 20 years of experience in CE marking, machine safety, conversion of machines, electrical engineering and explosion protection, 10 years of which at TÜV Austria and Intertek Deutschland GmbH. Chairman of the master craftsman examination commission of the Styrian Chamber of Commerce for mechatronics (automation technology and electronics).

E-Mail: wolfgang.reich@ibf-solutions.com


