The European Commission has prepared a Communication providing practical guidance on applying the Cyber Resilience Act (CRA). It will help manufacturers, developers, and other stakeholders understand their obligations and ensure consistent implementation across the EU, with particular focus on easing compliance for micro, small, and medium-sized enterprises. As part of the broader simplification exercise, the Commission is consulting stakeholders on the draft guidance to ensure alignment with implementation efforts, practical challenges, and market realities.
Stakeholders are invited to submit comments using the attached template within the four-week consultation window, ending Mar. 31 (midnight Brussels time). All feedback will inform the finalisation of this initiative and will be published on this site in accordance with the feedback rules.
The CRA entered into force on Dec. 10, 2024. The main obligations introduced by the Act will apply from Dec. 11, 2027, with reporting obligations applicable from Sept. 11 this year. The Commission is actively working to strengthen the EU’s cybersecurity resilience and capabilities. A new cybersecurity package was proposed in January.
“With today’s guidelines, the Commission supports the effective application of the Cyber Resilience Act,” Henna Virkkunen, executive vice-president for tech sovereignty, security and democracy, said in a media statement last week. “From baby monitors to smart watches, digital elements are part of our daily lives, and we will make sure all digital products on the EU market are safe from cyber threats.”
Article 26 requires the Commission to publish guidance that will assist economic operators in applying the CRA, with a particular focus on facilitating compliance by microenterprises and small and medium-sized enterprises. It is therefore important that economic operators are provided with timely guidance to assist their preparations towards compliance with the CRA.
The draft guidance aims to help economic operators comply with the Cyber Resilience Act and support market surveillance, notifying authorities, and notified bodies in ensuring consistent enforcement across the European Union. It does not cover the full scope of the Act but instead clarifies the reasoning behind key provisions and how they may be applied in practice. The guidance applies only to the Cyber Resilience Act and not to other EU laws. Stakeholders, including the Expert Group on Cybersecurity of Products with Digital Elements, were consulted during its preparation through expert engagement and public consultation.
The document is not legally binding, and only the Court of Justice of the European Union can provide an authoritative interpretation of the Act. The guidance nonetheless reflects the European Commission’s interpretation, offered to support compliance and effective implementation, while recognizing that assessments will need to be made on a case-by-case basis.
Under Article 26 of the Act, the European Commission may issue further guidance, including material aimed at manufacturers subject to the regulation and other related EU legislation. Future guidance may also address how the Cyber Resilience Act interacts with other frameworks, such as the Artificial Intelligence Act (EU) 2024/1689 and the Digital Operational Resilience Act (EU) 2022/2554.
The guidance clarifies that products under the Cyber Resilience Act may include not only individual devices or software components but also complex systems made up of multiple hardware and software elements working together to perform a specific function. When such a system is placed on the market as a single product, it is treated as a product under the Act.
These complex systems often involve long design and development cycles, contracts signed before the regulation takes effect, extended operational lifetimes, and significant technical and organizational complexity. Many rely on components already on the market before the Act applies, established system architectures, or widely used interoperability standards, including those referenced in other EU legislation or sector frameworks. As a result, modifying certain technical characteristics may be difficult or disproportionate if it risks affecting the system’s intended purpose, safety, reliability, or interoperability with existing infrastructure.
These factors do not remove complex systems from the scope of the Act. Instead, they illustrate its risk-based approach, which allows compliance to be demonstrated in different ways depending on the product’s characteristics and constraints. Such characteristics form part of the product’s intended purpose and operating context and must be considered when assessing compliance with essential cybersecurity requirements. Recital 55 also recognizes that some requirements may not fully align with the nature of certain products, for example, when compliance could undermine mandatory interoperability requirements or proper system functioning.
Manufacturers must therefore address cybersecurity risks based on the required risk assessment. In some cases, specific essential cybersecurity requirements may not apply or cannot be implemented using ‘state of the art’ security measures because of the system’s intended purpose, including the need to interact with existing dependencies or to meet interoperability requirements. In these situations, manufacturers should identify and document the constraints, assess the associated risks, and apply appropriate alternative or compensatory risk mitigation measures to maintain the product’s security.
Technical documentation under Article 31 and the user information and instructions outlined in Annex II play an important role in clearly describing these constraints, the related cybersecurity risks, and the mitigation measures adopted. Manufacturers must also keep the risk assessment updated throughout the support period. If constraints can be reduced or removed over time, the product should be updated accordingly so it can gradually move toward ‘state of the art’ cybersecurity.
The guidance explains that products designed before the regulation came into effect may still be placed on the market without redesign. Manufacturers must conduct a cybersecurity risk assessment under Article 13(2) to determine whether the product, based on its intended purpose and reasonably foreseeable use, meets the essential cybersecurity requirements.
If the assessment shows that the product already includes effective security measures addressing relevant risks, those existing measures can be used to demonstrate compliance. The regulation does not require new security features or product redesign if the current protections are sufficient.
However, manufacturers must still meet all regulatory obligations before placing the product on the market. These include completing the appropriate conformity assessment, preparing the EU declaration of conformity, and affixing the CE marking. For products designed before the Act applies, manufacturers must still perform and document a cybersecurity risk assessment showing that adequate measures are in place to minimize risks, prevent incidents, and limit potential impacts, including those affecting user safety.
Such products can therefore be marketed under the regulation if the manufacturer demonstrates through risk assessment and technical documentation that the product achieves an appropriate level of cybersecurity and complies with the essential requirements.
Conformity assessment obligations also apply. Manufacturers must demonstrate compliance with applicable cybersecurity requirements and include supporting evidence in technical documentation. However, when products were designed before the regulation took effect and already contain effective security measures, manufacturers are not required to provide test results from the original design and development phases, as this would not improve the product’s security. Where testing is needed, it may be grouped across product families rather than repeated for every variant.
Manufacturers must still demonstrate compliance with vulnerability handling requirements, keep the cybersecurity risk assessment updated, and fulfill other obligations under the regulation, including providing users with appropriate information and instructions.
Under the Cyber Resilience Act, Article 13(8) requires manufacturers to define a support period during which product vulnerabilities, including those in components, are effectively managed according to the cybersecurity requirements. Manufacturers must consider specific criteria when setting this period to ensure the decision remains proportionate.
The regulation establishes a minimum support period of five years, unless the product is expected to be used for less time, in which case the support period should match its expected lifespan. The five-year minimum serves as a safeguard rather than a standard for all products. Products likely to remain in use longer should have correspondingly longer support periods.
Manufacturers must clearly inform buyers of the support period end date at the time of purchase, at least specifying the month and year. Where technically feasible, users must also be notified once the support period expires. This requirement aims to ensure transparency about how long security support will be available.
For software products, which often evolve through frequent updates and new versions, each version placed on the market must have its own declared support period that complies with Article 13(8), including the five-year minimum unless its expected use time is demonstrably shorter.
The regulation allows some flexibility. Under Article 13(10), manufacturers may limit vulnerability remediation to the most recent software version if users of earlier versions can upgrade to the latest version free of charge and without incurring additional costs related to hardware or system changes. Normal operational efforts involved in updates, such as testing, configuration adjustments, or routine maintenance, are not considered additional costs. However, requirements like purchasing new hardware or replacing infrastructure would count as additional costs.
For continuously evolving software, manufacturers may release substantially modified versions frequently. Each new version must have its own declared support period when placed on the market. At the same time, manufacturers may stop addressing vulnerabilities in earlier versions once users can upgrade to the latest version without cost or major system changes, even if this shortens the effective support period for older versions. Other vulnerability management obligations still apply, including maintaining coordinated vulnerability disclosure policies and facilitating information sharing about potential security issues.
Under the Cyber Resilience Act, manufacturers must conduct a cybersecurity risk assessment to identify risks to a product and implement measures that meet the essential cybersecurity requirements. Compliance is judged against a regulatory standard based on the product’s intended purpose and foreseeable use, not the manufacturer’s internal risk tolerance, cost considerations, or commercial priorities.
Residual risk may remain, but a product can only be marketed if identified risks have been sufficiently addressed. If risks cannot be mitigated adequately, manufacturers may need to modify the product’s design, functionality, or intended purpose. Responsibility for product security cannot be shifted to users, although user instructions may support secure deployment.
Manufacturers must also ensure products are designed and developed to achieve an appropriate level of cybersecurity. This includes addressing risks from external environments through product-level safeguards and exercising due diligence over third-party components, verifying that integrated hardware or software supports the product’s cybersecurity requirements.
The Act prescribes that manufacturers must notify the designated CSIRT coordinator and the European Union Agency for Cybersecurity (ENISA) if they become aware of an actively exploited vulnerability in their product or a severe incident that compromises its security. Reporting obligations begin once the manufacturer becomes aware of such events.
Awareness occurs when, after an initial assessment of a detected or reported suspicious event, the manufacturer has reasonable certainty that a vulnerability is being actively exploited or that a serious security incident affecting the product has occurred. The interpretation aligns with related EU guidance to ensure consistency across regulatory reporting requirements.
Just last month, the European Commission introduced an ICT Supply Chain Security Toolbox to provide a coordinated EU framework for identifying, assessing, and mitigating risks across ICT supply chains. The toolbox defines key risk scenarios and recommends mitigation measures, including scrutiny of critical suppliers, adoption of multi-vendor strategies, and steps to reduce dependence on high-risk vendors. Its goal is to give member states a practical structure to reinforce supply chain security.