On December 10, 2024, the Regulation (EU) 2024/2847 of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act, hereinafter “CRA”) entered into force. Around two years before the Regulation comes into full effect on 11 December 2027, the European Commission has now published an initial FAQ addressing the most important questions of interpretation arising from practical application. Although the document, designed as a ‘living document’, is not legally binding, it may be taken into account by market surveillance authorities and courts when interpreting the CRA.
The FAQs bring together practical questions that have been submitted to the Commission since the CRA came into force. They are divided into seven thematic sections (scope of application, interaction with other legal acts, classification of important and critical products, manufacturer obligations, reporting obligations, conformity assessment and transitional provisions) and comprise a total of 66 individual questions. The document is intended to facilitate compliance with the Regulation and supplements the guidelines on the CRA pursuant to Article 26(1) CRA, which are currently still being drafted.
II. Clarifications on the scope
1. Material scope
The FAQs clarify the two key requirements of Article 2(1) CRA. A product falls within the scope only if it is a ‘product with digital elements’ within the meaning of Article 3(1) of the CRA and its intended or reasonably foreseeable use involves a direct or indirect logical or physical data connection with a device or network. A logical connection is, for example, the connection of an offline text editor to the operating system. Physical connections can be established via both wired (USB, Ethernet, fibre optic) and wireless (Wi-Fi, Bluetooth, NFC) means. Products without communication capabilities – such as embedded dishwasher firmware without a network connection or an electric toothbrush with a wireless charging station – do not fall within the scope of the CRA. Of practical significance is the clarification that websites which do not support the functionality of a product with digital elements, as well as standalone Software-as-a-Service (SaaS) or cloud solutions outside the manufacturer’s responsibility, are not subject to the CRA, provided they are not classified as remote data processing within the meaning of Article 3(2) of the CRA.
Furthermore, the product must meet the essential cybersecurity requirements under Article 6 of the CRA in conjunction with Annex I of the CRA. In this regard, pursuant to Article 27 of the CRA, it is presumed that the product meets the requirements if it complies with harmonised standards (so-called presumption of conformity).
2. Temporal scope
Products placed on the market before 11 December 2027 are subject to the CRA only if they are ‘substantially modified’ from that date onwards (Article 69(2) CRA). A substantial change within the meaning of Article 3(30) of the CRA occurs if the change affects compliance with the essential cybersecurity requirements or alters the intended use. The FAQs illustrate this using the example of a smart TV: a software update to rectify a fault does not constitute a substantial change, whereas the subsequent introduction of a smart home control function does.
Important: The notification obligations under Article 14 of the CRA apply, in accordance with Article 69(3) and Article 71(2), second subparagraph, of the CRA, from 11 September 2026 for all products falling within the scope of the CRA – regardless of when they were placed on the market.
III. Interaction with other legal acts
The FAQs address the interaction of the CRA with a wide range of other Union legal acts. In principle, product-specific cybersecurity-related provisions under Article 2(5), first sentence, of the CRA take precedence over the CRA; otherwise, the two apply in parallel. Particular attention should be paid to the phased relationship with the EU Radio Equipment Directive: radio equipment made available between 1 August 2025 and 10 December 2027 is subject to the requirements of Regulation (EU) 2022/30 on RED, whilst the CRA applies from 11 December 2027 – Regulation (EU) 2022/30 will be repealed on that date. With regard to the EU Machinery Regulation (Regulation (EU) 2023/1230), both legal acts will continue to apply in parallel; however, compliance with the cybersecurity requirements of the CRA may also cover the safety-related requirements of points 1.1.9 and 1.2.1 of Annex III to the EU Machinery Regulation, provided the manufacturer demonstrates this. Finally, the EU Product Liability Directive supplements the CRA without overlapping with it; however, the cybersecurity requirements of the CRA are taken into account in the assessment of defectiveness under Article 7(1) of the EU Product Liability Directive.
IV. Manufacturer obligations
1. Risk assessment
The key instrument of manufacturer responsibility is the cybersecurity risk assessment under Article 13(2) and (3) of the CRA. It determines which essential requirements under Annex I, Part I, No. 2 of the CRA apply to the specific product and how these are to be implemented. The FAQs clarify that manufacturers may choose either to carry out a single, cross-regulatory risk assessment or to prepare a separate assessment for each piece of legislation. The methodology for the cybersecurity risk assessment is not prescribed, but must be based on the intended use, the reasonably foreseeable use (Article 3(23) and (24) of the CRA) and the specific operational environment. Products for critical infrastructure therefore generally require a more sophisticated threat model than simple consumer products.
2. Basic cybersecurity requirements
The CRA takes a risk-based approach. Manufacturers are not required to implement all the requirements of Annex I, Part I of the CRA, but only those that are relevant given the specific risks of their product. The Commission expressly clarifies that the CRA does not require products to be entirely free of vulnerabilities. Rather, it requires that products be placed on the market with as few vulnerabilities as possible and that known exploitable vulnerabilities be adequately addressed during the support period. The application of harmonised standards listed in the Official Journal of the EU remains voluntary, but triggers the presumption of conformity under Article 27 of the CRA.
For so-called customised products – products individually adapted for a commercial user on a contractual basis – the requirements for a secure default configuration and free security updates may be modified under strict conditions; such deviations are not permitted in relation to consumers.
3. Vulnerability management
Not every vulnerability discovered during the support period needs to be patched. What is decisive is rather the risk it poses, taking into account exploitability, potential impact and available mitigation measures. For example, a remote code execution vulnerability in a smart home hub may justify an immediate obligation to patch, whilst a non-exploitable buffer overflow in router firmware need only be documented. In accordance with Annex I, Part II, paragraph 2 of the CRA, security updates must generally be provided separately from functional updates, where technically possible.
4. Support period
The manufacturer determines the support period independently in accordance with Article 13(8), third subparagraph, sentence 1 of the CRA. It must reflect the expected useful life of the product and shall be at least five years; if the expected useful life is shorter, the support period shall correspond to this duration. For hardware such as motherboards or network devices, operating systems and products in industrial environments, the FAQs generally assume a longer period. Particular consideration must be given to reasonable user expectations, the nature of the product and relevant EU legal requirements. The circumstances relevant to the determination must be recorded in the technical documentation.
V. Reporting obligations
Manufacturers must report actively exploited vulnerabilities and serious security incidents that affect the security of products containing digital elements, in accordance with Article 14(1) and (3) of the CRA. The reporting obligation is linked solely to the actual acquisition of knowledge. Article 14 of the CRA does not in itself establish an obligation to operate specific monitoring channels – however, corresponding product monitoring obligations arise from Annex I, Part II, No. 3 of the CRA. The FAQs specifically cite internal security monitoring (telemetry, honeypots, dark web monitoring), reports from users or security researchers, public threat intelligence reports, and information from national CERTs as sources of information. The reporting obligation explicitly covers zero-day vulnerabilities as soon as the manufacturer becomes aware of their active exploitation.
The European Commission’s FAQs offer economic operators initial, practice-oriented guidance on the CRA. They correct widespread misconceptions – in particular the assumption of a supposedly required “absolute freedom from vulnerabilities” – and confirm the Regulation’s risk-based, pragmatic approach. Nevertheless, key questions of interpretation remain unresolved, such as the definition of remote data processing, the concept of a “substantial change” and the specifics of risk assessment. These are to be addressed in greater depth in the future guidelines under Article 26 of the CRA.
Manufacturers, importers and distributors are advised to closely monitor the forthcoming clarifications and to adopt a flexible approach to their own compliance planning. In view of the reporting obligations coming into force on 11 September 2026, processes for vulnerability monitoring and reporting in particular should be implemented without delay.
Tip: A detailed legal analysis of the Cyber Resilience Act 2024/2847 can be found in the technical article “The Cyber Resilience Act from a legal perspective”, also by Dr Gerhard Wiebe.
Posted on: 2026-04-30
Dr Gerhard Wiebe is a lawyer at the product law firm. He specialises in advising on product compliance issues and advises international and national manufacturers, importers and distributors of non-food products (consumer and capital goods) on product safety and product liability law. In addition to classic product law aspects, Dr Wiebe also focuses on the constantly growing IT security law requirements for digital products. Email: wiebe@produktkanzlei.com