The European Commission has just published for feedback its long-awaited draft guidance to assist companies in applying the Cyber Resilience Act (CRA), a landmark EU regulation aiming to strengthen cybersecurity across the digital product landscape. This draft guidance is now open for stakeholder input until 31 March 2026 and seeks to clarify key implementation questions to ensure consistency and effectiveness in enforcement across the European Union.
The CRA represents one of the most ambitious pieces of cybersecurity legislation enacted by the EU, mandating robust security requirements for products with digital elements, from connected devices to embedded software. As firms prepare for the CRA’s phased rollout — with reporting obligations beginning in September 2026 and full application by December 2027 — the guidance plays a critical role in translating regulatory text into practical compliance pathways.
What Is the Cyber Resilience Act?
At its core, the Cyber Resilience Act (EU Regulation 2024/2847) imposes horizontal cybersecurity requirements on products with digital elements (PDEs) sold or made available in the EU. It requires manufacturers, importers, and distributors to ensure that products are secure by design and maintained throughout their lifecycle. The CRA introduces lifecycle-wide obligations, such as vulnerability handling, incident reporting, and security updates, aimed at reducing systemic risk in an increasingly connected digital ecosystem.
Unlike previous frameworks that primarily addressed organizational cybersecurity, the CRA directly targets products — from smart wearables and IoT devices to embedded software components — making cyber resilience a precondition for market access and CE marking within the EU.
Purpose and Scope of the CRA Draft Guidance
The Commission’s draft guidance focuses on clarifying several complex elements of the CRA to support both micro, small and medium-sized enterprises (SMEs) and large manufacturers in understanding their obligations. It is designed to assist stakeholders — from software developers and hardware manufacturers to conformity assessment bodies — by highlighting interpretative issues and practical compliance questions.
Significant areas addressed in the guidance include:
1. Scoping and Applicability
Understanding when and how products are considered to be “placed on the market” under the CRA is a foundational compliance issue. The guidance offers clarity on this principle, including how it applies to products developed before the CRA’s application date and the interpretation of key concepts such as products with digital elements.
2. Remote Data Processing Solutions
As cloud connectivity becomes ubiquitous, the draft guidance provides interpretative help on how remote data processing solutions fall within the CRA’s scope, including how functional dependency tests should be applied to determine whether a product with remote elements must comply.
3. Free and Open Source Software (FOSS)
One of the most debated topics is the treatment of free and open-source software. The guidance outlines when open source might be in scope — particularly when it is monetised or distributed commercially — and discusses responsibilities for open source stewards contributing to products subject to the CRA.
4. Support Periods
The CRA requires manufacturers to provide security updates for a defined support period. The guidance addresses how to interpret and implement these support obligations, a practical challenge for product teams planning release schedules and long-term maintenance strategies.
5. Substantial Modifications and Spare Parts
Clarification is provided on what constitutes a substantial modification, which impacts whether a product needs to be re-assessed for CRA conformity after significant changes.
6. Reporting and Interaction with Other Legislation
The guidance touches on reporting duties for exploited vulnerabilities and security incidents, and how the CRA interacts with other EU cyber and digital legislation such as NIS2 and the forthcoming European cybersecurity standards framework.
Why This Guidance Matters
The draft guidance not only supports compliance but also reduces fragmentation in how the CRA is implemented across Member States and market surveillance authorities. By clarifying concepts and outlining practical examples, it helps stakeholders manage compliance risk and prepare for upcoming CRA milestones — including the launch of the Single Reporting Platform by ENISA for coordinated vulnerability and incident reporting.
For manufacturers and technology vendors, this guidance is particularly relevant as the CRA transitions from regulatory text to real-world implementation. The guidance is expected to shape conformity assessment procedures, supplier obligations, and compliance documentation practices in 2026 and beyond.
Next Steps and How to Engage
Feedback on the draft guidance can be submitted until 31 March 2026. Companies and industry associations are encouraged to participate actively in the consultation, providing insights on parts of the draft that may be ambiguous or challenging to implement. Stakeholder input will be instrumental in refining the guidance before its final adoption.
As the CRA’s implementation timeline accelerates, organisations should:
- Establish internal cross-functional compliance teams;
- Review product portfolios and development pipelines against CRA requirements;
- Assess whether current update and support practices align with expected CRA support periods;
- Prepare for early reporting duties starting in September 2026.
Conclusion
The draft guidance on the EU Cyber Resilience Act is a significant milestone in the CRA’s implementation journey. It reflects the EU’s commitment to harmonising cybersecurity requirements and equipping companies with the interpretative tools needed to comply effectively with one of the most comprehensive cybersecurity product laws in the world.
As cybersecurity continues to rise in strategic importance, proactive engagement in the guidance process will help organisations shape practical and aligned regulatory outcomes — ensuring secure digital products for European consumers and businesses alike.
On the same topic, you can read the article “The EU Parliament approved the Cyber Resilience Act: what obligations lie ahead for manufacturers, importers and distributors?”.

