The CRA applies to products with digital elements made available on the EU market whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. If your product contains software or firmware and reaches the EU market, it is very likely in scope; the quickest way to check is the self-assessment. Art. 2
Frequently asked questions
Concise answers to the questions stakeholders ask most often about the Cyber Resilience Act, with references back to the text.
Questions and Answers
Classification follows the product's core functionality, not every feature it includes. If the core function matches a category listed in Annex III the product is 'important' (Class I or Class II); if it matches a category in Annex IV it is 'critical'; otherwise it is 'default'. A capability such as identity management or a VPN, included only as a feature, does not make the product 'important' unless that is its core purpose. Where more than one category could apply, the stricter class applies. Art. 7 · 8
Free and open-source software developed or supplied outside a commercial activity is largely outside the scope. Open-source software stewards (bodies that support the development of open-source products intended for commercial use, without themselves monetising them) have a lighter, tailored set of obligations rather than the full manufacturer obligations. Open-source components supplied in the course of a commercial activity, including when integrated into a product placed on the market, can fall within scope. Art. 2 · 24
Standalone services are generally outside the CRA. However, remote data processing designed by the manufacturer, without which the product could not perform one of its functions, is treated as part of that product and is in scope, so the manufacturer's essential requirements extend to it. Art. 3(2)
Yes: the CRA applies to products placed on the EU market regardless of where the manufacturer is established, and the manufacturer's obligations follow the product. A manufacturer outside the EU may appoint an authorised representative established in the Union, and importers and distributors established in the Union carry their own obligations, including checking that the manufacturer has carried out the conformity assessment and drawn up the technical documentation. Art. 13 · 18 · 19 · 20
They fall into two parts of Annex I: Part I, the security properties the product itself must have (secure by default, confidentiality, integrity, availability, minimised attack surface, delivery of security updates), and Part II, the vulnerability-handling processes the manufacturer must operate throughout the support period (SBOM, remediation and timely updates, coordinated vulnerability disclosure). Annex I
Yes: manufacturers must identify and document the vulnerabilities and components contained in the product, including by drawing up a software bill of materials in a commonly used, machine-readable format covering at the very least the product's top-level dependencies. The SBOM forms part of the technical documentation and may be requested by market surveillance authorities; it does not itself have to be published. Annex I · II(1)
The support period is the time during which a manufacturer must handle vulnerabilities and provide security updates. It must reflect the period the product is reasonably expected to be in use, taking into account user expectations, the nature of the product and relevant Union law, and must be at least five years unless the product is expected to be in use for less than five years. Each security update issued during the support period must remain available for at least ten years after the product was placed on the market or for the remainder of the support period, whichever is longer. Art. 13(8) · 13(9)
Actively exploited vulnerabilities in the product and severe incidents affecting its security must be notified to the CSIRT designated as coordinator and to ENISA. For both, an early warning is due within 24 hours of becoming aware and a fuller notification within 72 hours. For a vulnerability the final report is due within 14 days after a corrective or mitigating measure is available; for an incident it is due within one month of the incident notification. Affected users must also be informed of the vulnerability or incident and of any measures they can take. Art. 14
The Act entered into force on 10 December 2024. The provisions on notified bodies apply from 11 June 2026 (18 months later), the Article 14 reporting obligations from 11 September 2026 (21 months later), and the bulk of the obligations from 11 December 2027 (36 months later). Products placed on the market before 11 December 2027 fall under the essential requirements only if substantially modified after that date, but the reporting obligations apply to them regardless. Art. 69 · 71
Breaches of the essential requirements in Annex I or of the manufacturer obligations in Articles 13 and 14 can attract administrative fines of up to €15 million or 2.5% of total worldwide annual turnover for the preceding financial year, whichever is higher. Other infringements carry a ceiling of €10 million or 2%, and supplying incorrect, incomplete or misleading information to notified bodies or market surveillance authorities a ceiling of €5 million or 1%. Art. 64
The Article 14 reporting obligations become enforceable on 11 September 2026. ENISA is establishing the single reporting platform under Article 16, through which manufacturers will submit their notifications of actively exploited vulnerabilities and severe incidents to the coordinating CSIRT and to ENISA; it is intended to be operational by that date. Art. 14 · 16
The Commission's standardisation request M/606 was accepted by CEN, CENELEC and ETSI in 2025, covering around 41 standards (horizontal and product-specific). The two core horizontal standards (secure development and vulnerability handling) are expected by 30 August 2026, the vertical product standards by 30 October 2026, and the remaining horizontal standards by 30 October 2027, ahead of full application in December 2027. Conforming to a harmonised standard gives a presumption of conformity, but only once its reference has been published in the Official Journal of the EU and only for the essential requirements the standard actually covers. Art. 27
Carry out the conformity assessment route for your product class, compile the technical documentation, draw up and sign the EU declaration of conformity, and then affix the CE marking. Default products may self-assess under the internal control procedure. Important Class I products may self-assess only if they fully apply harmonised standards, common specifications or a recognised certification scheme; otherwise, and always for Class II, a notified body must be involved. Critical products need a European cybersecurity certificate where a delegated act requires one, and otherwise follow the Class II routes. Art. 28 · 30 · 31 · 32
Begin with the CRA Fast Check to confirm scope and class, follow the guide written for your role, and use the compliance matrix to track each essential requirement through to completion.
Didn't find your answer?
Confirm your product's position with the free self-assessment, or read the plain-language explainer.
