EU: Draft Commission guidance on the Cyber Resilience Act

 

The EU Commission has published draft guidance on the Cyber Resilience Act.

The European Commission is preparing a Communication to provide practical guidance on the application of the Cyber Resilience Act (CRA). This guidance is intended to help manufacturers, developers, and other stakeholders understand their obligations under the Regulation and promote a consistent approach across the EU. It will clarify how key provisions should be interpreted and implemented. Stakeholders are invited to submit comments through the consultation using the provided template to facilitate the consolidation of feedback. 

Regulation (EU) 2024/2847 entered into force on 10 December 2024. It aims to strengthen the EU’s approach to cybersecurity, enhance cyber resilience at Union level, and improve the functioning of the internal market by establishing a harmonised framework of essential cybersecurity requirements for placing products with digital elements on the EU market and throughout their lifecycle. 

The CRA is based on the EU’s New Legislative Framework (NLF), as set out in Regulation (EC) No 765/2008 and Decision No 768/2008/EC, which together establish common rules for accreditation, market surveillance, and the marketing of products. 

Market surveillance and enforcement are carried out by national authorities. Products with digital elements within the scope of the CRA are also subject to Regulation (EU) 2019/1020. The Commission and the European Union Agency for Cybersecurity support economic operators and Member States in implementing the CRA. 

Article 26(1) of the CRA requires the Commission to publish guidance to assist economic operators in applying the Regulation, with particular attention to microenterprises and small and medium-sized enterprises. Article 26(2) identifies key areas to be covered, including the scope of the CRA (notably remote data processing solutions and free and open-source software), the concept of support periods, the interaction with other EU legislation, and the notion of substantial modification. 

On 3 December 2025, the Commission published a set of frequently asked questions to help economic operators prepare for the implementation of the CRA. 

This guidance is intended to support compliance by economic operators and assist market surveillance authorities, notifying authorities, and notified bodies in ensuring harmonised enforcement across the EU. It does not aim to cover the CRA in full, but rather to clarify the rationale behind certain key provisions and how they may be applied in practice. It applies specifically to the CRA and not to other EU legislation. 

Stakeholders were extensively consulted during the preparation of this guidance, including through the Expert Group on Cybersecurity of Products with Digital Elements and a public consultation process. 

The guidance is not legally binding. Authoritative interpretation of the CRA rests solely with the Court of Justice of the European Union. However, it reflects the Commission’s interpretation and is intended to support compliance and effective implementation. Case-by-case assessment will remain necessary to account for specific circumstances. 

In line with Article 26, the Commission may issue additional guidance in the future, including materials tailored to manufacturers subject to the CRA and other EU harmonisation legislation. This may include guidance on the interaction between the CRA and Regulation (EU) 2024/1689, as well as Regulation (EU) 2022/2554. 

To find out more about cyber compliance and the EU Cyber Resilience Act, do not hesitate to contact the Product Compliance Institute directly.     


Copyright © Product Compliance Institute 2026
