---
title: "CRA Blue Guide Concepts FAQ"
canonical_url: "https://www.sorena.io/artifacts/eu/cyber-resilience-act/faq/blue-guide-concepts"
source_url: "https://www.sorena.io/artifacts/eu/cyber-resilience-act/faq/blue-guide-concepts"
author: "Sorena AI"
description: "CRA FAQ on Blue Guide concepts used in Cyber Resilience Act interpretation: placing on the market, making available, putting into service, online sales."
published_at: "2026-03-10"
updated_at: "2026-03-10"
keywords:
  - "CRA Blue Guide FAQ"
  - "placing on the market CRA"
  - "making available on the market CRA"
  - "CRA distance sales"
  - "CRA imported products"
  - "CRA transition stock"
  - "CRA unfinished software testing"
  - "Cyber Resilience Act"
  - "CRA FAQ"
  - "EU compliance"
  - "CRA Blue Guide concepts FAQ"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# CRA Blue Guide Concepts FAQ

CRA FAQ on Blue Guide concepts used in Cyber Resilience Act interpretation: placing on the market, making available, putting into service, online sales.

*FAQ* *EU* *Cyber Resilience Act*

## EU Cyber Resilience Act FAQ Blue Guide Concepts

Understand the market-access concepts that drive CRA timing, compliance cutoffs, and transition decisions, including placing on the market, making available, imports, online sales, and unfinished software testing.

Built for legal, compliance, product, and operations teams that need defensible CRA timing decisions.

This FAQ focuses on the Blue Guide concepts that matter most for CRA implementation. If your team is arguing about placement dates, distance sales, warehouse stock, imports, transition inventory, or whether unfinished software can be tested before full compliance, these are the concepts you need to get right.

## Why does the Blue Guide matter for CRA interpretation?

Because the CRA sits within the New Legislative Framework product-law architecture and uses the same core concepts that the Blue Guide explains, including placing on the market, making available on the market, CE marking, technical documentation, declarations of conformity, notified bodies, and market surveillance.

The Commission's CRA FAQ repeatedly relies on the Blue Guide when explaining those concepts, and the draft Commission guidance expressly describes the CRA as being built on the NLF.

Sources for this answer:

- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - sections 1.2, 2.2 to 2.8, 4.3, 4.4 and 7
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 1.4, 4.1.7, 4.1.8, 6.6, 6.8 and 7.2
- [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - introduction and section 2.1

## What is "placing on the market" for CRA purposes?

It is the first making available of an individual product on the Union market.

That is the decisive timing point for CRA compliance, because the applicable requirements are assessed when the individual product is first placed on the market.

Sources for this answer:

- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 3(21), Article 6 and Article 13
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 1.4 and 7.2

## What must already be complete when a product is placed on the market?

The required compliance work must already be complete at that point.

The Blue Guide says that, by the time of placing on the market, the manufacturer must have completed the design work against the applicable requirements, the relevant risk and conformity assessment, the declaration of conformity, the marking steps and the technical file. The CRA aligns with that logic by requiring the technical documentation to be drawn up before placement on the market and the cybersecurity risk assessment to be included in it.

Sources for this answer:

- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3, including footnote 55
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(4), Article 13(12), Article 28, Article 30 and Article 31
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 6.6, 6.7 and 6.8

## What is "making available on the market"?

It is the supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge.

Once a product has already been placed on the market, later supplies in the distribution chain are usually cases of making available, not new placing-on-the-market events.

Sources for this answer:

- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - sections 2.2 and 2.3
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 3(22)

## Does placing on the market happen once per model or once per individual unit?

Once per individual product.

The Blue Guide explains that placing on the market refers to each individual product, not to a model or type. That is why units of an existing model first placed on the market after new requirements apply must comply with the new rules.

Sources for this answer:

- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 7.2

## Does placing on the market require payment?

No.

The Blue Guide explains that the first supply can be for payment or free of charge. What matters is that the product is complete and supplied for distribution, consumption or use on the Union market.

Sources for this answer:

- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3

## Does placing on the market require physical handover of the product?

No.

The Blue Guide says placing on the market requires a completed product and an offer or agreement transferring ownership, possession or another property right, but it does not require physical handover.

Sources for this answer:

- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3

## Does stock in a manufacturer's or importer's warehouse count as placing on the market?

No, not by itself.

Products kept in the stock of the manufacturer, the authorised representative or the importer are not yet placed on the market if they have not yet been supplied for distribution, consumption or use.

Sources for this answer:

- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3

## Can an internal transfer within the manufacturer's own distribution structure count as placing on the market?

Yes.

The first supply for distribution on the Union market can still be a placing-on-the-market event even if it happens through the manufacturer's own commercial chain rather than through an unrelated distributor.

Sources for this answer:

- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3

## If the manufacturer first supplies the product to an importer, distributor or end user, which transaction matters for placing on the market?

The first one.

For the individual product, the legal placing-on-the-market event is the first supply for distribution, consumption or use on the Union market, whether that first supply is to an importer, a distributor or directly to the end user.

Sources for this answer:

- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3

## Does a pre-order or contract signed before manufacture is complete count as placing on the market?

No.

The Blue Guide explains that placing on the market requires the manufacturing stage to be complete. An offer or agreement concluded before the product is finished is not yet placing on the market.

Sources for this answer:

- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3

## How do distance sales and online sales affect CRA timing?

They can bring a product into EU product-law scope before physical delivery to the customer.

If an online or distance offer is targeted at Union end users, the product is deemed to be made available on the Union market for market-surveillance purposes. The Blue Guide says that whether an offer targets Union end users must be assessed case by case, taking into account factors such as dispatch areas, ordering languages and payment possibilities; mere website accessibility is not enough. Where the product is already manufactured and ready to be shipped, a direct distance sale to an EU end user can also be the placing-on-the-market event for that individual product.

Sources for this answer:

- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.4 and example 5 in section 2.12

## Does an online offer targeting EU customers mean the product is already placed on the market?

Not necessarily.

The Blue Guide distinguishes between products being deemed made available on the Union market for market-surveillance purposes and the actual placing-on-the-market event for the individual product. The latter still depends on the distribution chain and on whether the product is already manufactured and supplied for distribution or use.

Sources for this answer:

- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.4

## When do imported products count as placed on the Union market?

Often at release for free circulation, but not always.

The Blue Guide says products declared for release for free circulation can generally be treated as placed on the market, while also making clear that in practice placing on the market may happen before or after that customs step depending on the distribution chain.

Sources for this answer:

- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.5 and examples 2 and 7 in section 2.12

## Are products in transit, free zones or temporary storage already placed on the market?

No.

The Blue Guide says placing on the market is considered not to take place where products are introduced into the EU customs territory in transit, placed in free zones, temporary storage, warehouses or other special customs procedures.

Sources for this answer:

- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - sections 2.3 and 2.5

## If a consumer buys a product in a third country while physically present there and brings it into the EU for personal use, is that placing on the market?

No.

The Blue Guide treats that situation as outside placing on the market. It also distinguishes it from products bought online and shipped into the EU, which do not fall under that carve-out.

Sources for this answer:

- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3, including footnote 50

## Does manufacturing for one's own use count as placing on the market under the CRA?

Usually no.

The Blue Guide says placing on the market does not occur where a product is manufactured for one's own use unless the legislation in question expressly treats own use as an equivalent trigger. The Commission's CRA FAQ applies that logic to the CRA and explains that products developed only for the manufacturer's own use are outside scope unless they are separately placed on the market.

Sources for this answer:

- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 1.5

## What is "putting into service," and does it usually matter under the CRA?

The Blue Guide defines it as the first use of a product within the Union by the end user for its intended purpose.

That concept matters in some Union product laws, but the CRA's general trigger structure is built around placing on the market and making available on the market, not a separate general putting-into-service trigger.

Sources for this answer:

- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.6
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 3(21), Article 3(22), Article 6 and Article 13

## If a product was lawfully placed on the market before new CRA rules applied, can it still be sold later?

Yes, in principle.

The Blue Guide explains that once a compliant product has been placed on the market, it may continue to be made available later in the distribution chain even if the law changes afterward or the relevant harmonised standards are revised, unless the new legislation provides otherwise. The Commission's CRA FAQ applies the same logic to the CRA transition.

Sources for this answer:

- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - sections 2.3, 2.10 and 4.1.2.5
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 1.4 and 7.2

## If stock was already lawfully placed on the market, can it stay in a distributor warehouse and still be sold after the CRA legal change date?

Yes.

The relevant question is whether the individual product had already been placed on the market before the new rules applied. If it had, later storage and resale within the distribution chain do not create a new placing-on-the-market event.

Sources for this answer:

- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - sections 2.3 and 2.10
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 7.2

## Does repeated renting create a new placing-on-the-market event?

No.

The Blue Guide says repeated renting of the same product does not create a new placing-on-the-market event. The compliance moment remains the first renting or other first supply of that individual product.

Sources for this answer:

- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3

## Are prototypes or pre-production units shown at trade fairs or demonstrations already placed on the market?

No, provided the Blue Guide and CRA conditions are met.

The Blue Guide treats products displayed or operated under controlled conditions at trade fairs, exhibitions or demonstrations as not yet placed on the market, as long as they are clearly identified as non-compliant and not yet available for placing on the market. The CRA contains the same type of carve-out for products, including prototypes, presented or used at such events.

Sources for this answer:

- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 4(2) and recital 36

## Can unfinished software be made available for testing before full CRA compliance?

Yes, but only under a narrow CRA exception.

Article 4(3) allows unfinished software such as alpha versions, beta versions or release candidates to be made available on the market for the limited period required for testing, provided it carries a visible sign stating that it does not comply and is not available for purposes other than testing. Recital 37 also says manufacturers should not force users to upgrade to versions released only for testing purposes.

Sources for this answer:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 4(3) and recital 37
- [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - section 2.3, including footnote 7

## Why does the Blue Guide matter for technical documentation and declarations of conformity under the CRA?

Because the CRA uses the same NLF documentation logic.

The Blue Guide explains the role of technical documentation and the possibility of a single declaration of conformity dossier across several Union acts. The Commission's CRA FAQ relies on that same logic when explaining what technical documentation must contain and how the declaration of conformity works under the CRA.

Sources for this answer:

- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - sections 4.3 and 4.4
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 28(3), Article 31 and Annex VII
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 4.1.8, 6.6 and 6.8

## Why does the Blue Guide matter for intended purpose and reasonably foreseeable use under the CRA?

Because the CRA uses the same product-law logic that compliance cannot be assessed only against the manufacturer's preferred use case.

The Commission's CRA FAQ relies on Blue Guide concepts to explain that the cybersecurity risk assessment must take account of intended purpose, reasonably foreseeable use and reasonably foreseeable misuse, and that those choices also affect the user information that has to be provided.

Sources for this answer:

- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - sections 2.8 and 3.1
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 4.1.4, 4.1.5, 4.1.7 and 4.1.8

## How are Blue Guide market-placement concepts applied to standalone software supplied digitally?

For software, the CRA follows the same NLF concepts, but the draft Commission guidance explains how they work in a digital delivery model.

According to the draft guidance, once the software manufacturing phase is complete and a given software product is first offered for distribution or use on the Union market in the course of a commercial activity, that software product is regarded as placed on the market. Later downloads or remote access to that same unchanged software product are instances of making available rather than fresh placing-on-the-market events.

Sources for this answer:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 3(21) and Article 3(22)
- [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - section 2.1, points 10 to 14

## Does a later software version that is not a substantial modification get a new placing-on-the-market date?

No.

The draft guidance says later iterations that do not qualify as substantial modifications do not trigger a new conformity assessment and do not change the software product's date of placement on the market. A new placing-on-the-market date arises only where the later iteration qualifies as a substantial modification.

Sources for this answer:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 3(30) and recital 41
- [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - section 2.1, points 15 and 16

## Does the same software-placement rule apply where software is supplied on physical media or combined with hardware?

No.

The draft guidance says the "first offering creates the placing-on-the-market date" logic applies only to standalone software supplied via digital means. If the software is supplied on a USB flash drive or other physical medium, the physical item is the product supplied for distribution. If software is necessary for hardware to perform its intended functions, the hardware and that software together form the product placed on the market.

Sources for this answer:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 3(1)
- [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - section 2.1, point 16, and section 2.2, points 17 to 19

## Primary sources

- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - sections 1.2, 2.2 to 2.8, 4.3, 4.4 and 7
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 1.4, 4.1.7, 4.1.8, 6.6, 6.8 and 7.2
- [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - introduction and section 2.1
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 3(21), Article 6 and Article 13
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 1.4 and 7.2
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3, including footnote 55
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(4), Article 13(12), Article 28, Article 30 and Article 31
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 6.6, 6.7 and 6.8
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - sections 2.2 and 2.3
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 3(22)
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 7.2
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.4 and example 5 in section 2.12
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.4
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.5 and examples 2 and 7 in section 2.12
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - sections 2.3 and 2.5
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3, including footnote 50
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 1.5
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.6
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 3(21), Article 3(22), Article 6 and Article 13
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - sections 2.3, 2.10 and 4.1.2.5
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - sections 2.3 and 2.10
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 4(2) and recital 36
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 4(3) and recital 37
- [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - section 2.3, including footnote 7
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - sections 4.3 and 4.4
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 28(3), Article 31 and Annex VII
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 4.1.8, 6.6 and 6.8
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - sections 2.8 and 3.1
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 4.1.4, 4.1.5, 4.1.7 and 4.1.8
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 3(21) and Article 3(22)
- [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - section 2.1, points 10 to 14
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 3(30) and recital 41
- [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - section 2.1, points 15 and 16
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 3(1)
- [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - section 2.1, point 16, and section 2.2, points 17 to 19

## Topic Guides

- [Applicability Test | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/applicability-test.md): Use this CRA applicability test to confirm product scope, exclusions, remote data processing boundaries, operator role, product classification.
- [Checklist | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/checklist.md): Use this Cyber Resilience Act checklist to assign owners, deadlines, evidence, and release gates for scope, Annex I controls, support period operations.
- [Compliance Program | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/compliance.md): Build a CRA compliance program that covers product scope, governance, engineering controls, support period operations, Article 14 reporting.
- [Conformity Assessment and CE Marking | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/conformity-assessment-and-ce-marking.md): Choose the right CRA conformity route, prepare the declaration of conformity, structure the technical file.
- [CRA CE Marking FAQ | Meaning, Placement Rules, Software Labeling, Notified Bodies](/artifacts/eu/cyber-resilience-act/faq/ce-marking.md): CRA CE marking FAQ covering what the mark means, when it is mandatory, software and website placement rules, packaging fallback, notified body numbers.
- [CRA Component Due Diligence FAQ | Third-Party Components, FOSS, SBOM, Vulnerabilities](/artifacts/eu/cyber-resilience-act/faq/component-due-diligence.md): CRA component due diligence FAQ covering third-party components, FOSS, CE-marked components, SBOM review, risk-based checks, upstream vulnerability reporting.
- [CRA Conformity Assessment Routes FAQ | Module A, Module B+C, Module H, Critical and Important Products](/artifacts/eu/cyber-resilience-act/faq/conformity-assessment-routes.md): CRA FAQ on conformity assessment routes covering module A, module B+C, module H, important and critical products, harmonised standards, certification schemes.
- [CRA Core Functionality FAQ | Important Products, Critical Products, Classification](/artifacts/eu/cyber-resilience-act/faq/core-functionality.md): CRA FAQ on core functionality covering classification of important and critical products, ancillary functions, integrated components.
- [CRA Cybersecurity Risk Assessment FAQ | Article 13, Threat Modelling, Variants, Constraints](/artifacts/eu/cyber-resilience-act/faq/cybersecurity-risk-assessment.md): CRA FAQ on cybersecurity risk assessment covering Article 13, threat modelling, intended purpose, foreseeable misuse, external dependencies, documentation.
- [CRA Declaration of Conformity FAQ | Full vs Simplified, Languages, Updates, Duties](/artifacts/eu/cyber-resilience-act/faq/declaration-of-conformity.md): CRA FAQ on the EU declaration of conformity covering full and simplified formats, required contents, languages, updates, single declarations across EU laws.
- [CRA Economic Operators FAQ | Manufacturers, Importers, Distributors, Authorised Representatives](/artifacts/eu/cyber-resilience-act/faq/economic-operators.md): CRA FAQ on economic operators covering manufacturer, authorised representative, importer, distributor, responsible operator rules, checks, traceability.
- [CRA Essential Cybersecurity Requirements FAQ | Annex I Part I and Part II](/artifacts/eu/cyber-resilience-act/faq/essential-cybersecurity-requirements.md): CRA FAQ on the essential cybersecurity requirements covering Annex I Part I and Part II, applicability, evidence, interoperability constraints.
- [CRA FAQ Hub | Blue Guide Concepts, CE Marking, Component Due Diligence](/artifacts/eu/cyber-resilience-act/faq.md): Browse the CRA FAQ hub for Blue Guide market-access concepts, CE marking, and component due diligence.
- [CRA Hardware and Software Boundaries FAQ | Product Scope, Combined Products, Source Code](/artifacts/eu/cyber-resilience-act/faq/hardware-software-boundaries.md): CRA FAQ on hardware and software boundaries covering combined products, standalone software, source code, companion apps, remote data processing.
- [CRA Harmonised Standards and Common Specifications FAQ | Presumption of Conformity, OJ Publication](/artifacts/eu/cyber-resilience-act/faq/harmonised-standards-and-common-specifications.md): CRA FAQ on harmonised standards, common specifications, and certification schemes covering presumption of conformity, Official Journal publication.
- [CRA Important and Critical Products FAQ | Annex III, Annex IV, Core Functionality](/artifacts/eu/cyber-resilience-act/faq/important-and-critical-products.md): CRA FAQ on important and critical products covering Annex III and Annex IV classification, core functionality, conformity routes, FOSS rule limits.
- [CRA Integrated Components and Dependencies FAQ | Due Diligence, RDPS, Third-Party Components](/artifacts/eu/cyber-resilience-act/faq/integrated-components-and-dependencies.md): CRA FAQ on integrated components and dependencies covering due diligence, third-party components, RDPS, cloud dependencies, upstream fixes, FOSS dependencies.
- [CRA Interplay With Other EU Laws FAQ | RED, AI Act, GDPR, Data Act, EHDS, Machinery](/artifacts/eu/cyber-resilience-act/faq/interplay-with-other-eu-laws.md): CRA FAQ on interplay with other EU laws covering exclusions, overlap with RED, AI Act, GDPR, Data Act, EHDS, Machinery, GPSR, NIS2, aviation, marine.
- [CRA Known Exploitable Vulnerabilities at Launch FAQ | Placement on the Market, CVEs, Late Discoveries](/artifacts/eu/cyber-resilience-act/faq/known-exploitable-vulnerabilities-at-launch.md): CRA FAQ on known exploitable vulnerabilities at launch covering the launch-time rule, exploitability, known vulnerabilities, CVEs, compensating controls.
- [CRA Legacy Products FAQ | Pre-2027 Products, Reporting, Grandfathering, Substantial Modification](/artifacts/eu/cyber-resilience-act/faq/legacy-products.md): CRA FAQ on legacy products covering pre-11 December 2027 products, Article 14 reporting, continued sale, substantial modification, spare parts, old designs.
- [CRA Manufacturer Obligations FAQ | Article 13 Duties, Support Period, Reporting, Documentation](/artifacts/eu/cyber-resilience-act/faq/manufacturer-obligations.md): CRA FAQ on manufacturer obligations covering Article 13 duties, risk assessment, support periods, vulnerability handling, reporting, documentation.
- [CRA Market Surveillance and Enforcement FAQ | Authorities, Safeguards, Sweeps, Formal Non-Compliance](/artifacts/eu/cyber-resilience-act/faq/market-surveillance-and-enforcement.md): CRA FAQ on market surveillance and enforcement covering authorities, investigations, safeguard procedures, formal non-compliance, sweeps, joint activities.
- [CRA Module A FAQ | Internal Control, Self-Assessment, Eligibility, Documentation](/artifacts/eu/cyber-resilience-act/faq/module-a.md): CRA FAQ on module A covering internal control, eligible products, class I limits, FOSS exception, technical documentation, testing, CE marking.
- [CRA Module B+C FAQ | EU-Type Examination, Conformity to Type, Notified Bodies](/artifacts/eu/cyber-resilience-act/faq/module-b-c.md): CRA FAQ on module B+C covering EU-type examination, conformity to type, notified-body role, certificate changes, production control, CE marking.
- [CRA Module H FAQ | Full Quality Assurance, Notified Body Surveillance, CE Marking](/artifacts/eu/cyber-resilience-act/faq/module-h.md): CRA FAQ on module H covering full quality assurance, quality-system approval, notified-body surveillance, scope changes, CE marking, language rules, records.
- [CRA Notified Bodies FAQ | Notification, Scope, NANDO, Independence, Competence](/artifacts/eu/cyber-resilience-act/faq/notified-bodies.md): CRA FAQ on notified bodies covering notification, competence, independence, NANDO scope, accreditation, cross-border choice, subcontracting.
- [CRA Open-Source Software FAQ | FOSS, Commercial Activity, Stewards, Donations, Paid Editions](/artifacts/eu/cyber-resilience-act/faq/open-source-software.md): CRA FAQ on open-source software covering FOSS qualification, commercial activity, donations, paid support, stewards, contributors, repositories.
- [CRA Over-the-Air Updates FAQ | OTA, Automatic Updates, Secure Distribution, Offline Paths](/artifacts/eu/cyber-resilience-act/faq/over-the-air-updates.md): CRA FAQ on over-the-air updates covering OTA versus automatic updates, secure distribution, screenless products, gateways, offline update paths.
- [CRA Penalties and Fines FAQ | Fine Tiers, Turnover Caps, SME Carve-Outs, Stewards](/artifacts/eu/cyber-resilience-act/faq/penalties-and-fines.md): CRA FAQ on penalties and fines covering Article 64 fine tiers, turnover caps, SME carve-outs, steward exemptions, cumulative fines, criminal sanctions.
- [CRA Product Families FAQ | Variants, Shared Assessments, Family Reuse, Conformity Scope](/artifacts/eu/cyber-resilience-act/faq/product-families.md): CRA FAQ on product families covering shared risk assessments, family-wide documentation reuse, cybersecurity-relevant variant differences.
- [CRA Remote Data Processing Solutions FAQ | RDPS Scope, Cloud Services, SaaS Boundaries, Documentation](/artifacts/eu/cyber-resilience-act/faq/remote-data-processing-solutions.md): CRA FAQ on remote data processing solutions covering Article 3(2) RDPS tests, cloud-service boundaries, websites and portals, third-party SaaS, backend scope.
- [CRA Repairs and Spare Parts FAQ | Repairs, Refurbishment, Spare-Part Exemption, Compatibility](/artifacts/eu/cyber-resilience-act/faq/repairs-and-spare-parts.md): CRA FAQ on repairs and spare parts covering substantial modification, Article 2(6) identical spare parts, non-identical replacements.
- [CRA Reporting Obligations FAQ | Article 14 Deadlines, CSIRT Filing, User Notices, Legacy Products](/artifacts/eu/cyber-resilience-act/faq/reporting-obligations.md): CRA FAQ on reporting obligations covering Article 14 deadlines, actively exploited vulnerabilities, severe incidents, CSIRT routing, user notifications.
- [CRA Scope FAQ | Products with Digital Elements, Connections, Software, Exclusions](/artifacts/eu/cyber-resilience-act/faq/scope-and-products-with-digital-elements.md): CRA FAQ on scope and products with digital elements covering software, firmware, components, direct and indirect connections, offline products, exclusions.
- [CRA Secure-by-Default FAQ | Default Configuration, Auto Updates, Tailor-Made Limits](/artifacts/eu/cyber-resilience-act/faq/secure-by-default.md): CRA FAQ on secure by default covering Annex I default configuration, automatic security updates, opt-outs, components, inapplicability.
- [CRA Security Updates vs Functionality Updates FAQ | Separation, Free Updates, Article 13(10)](/artifacts/eu/cyber-resilience-act/faq/security-updates-vs-functionality-updates.md): CRA FAQ on security updates versus functionality updates covering separation where technically feasible, free security updates, automatic updates.
- [CRA Substantial Modification FAQ | Post-Market Changes, New Manufacturer, Legacy Products](/artifacts/eu/cyber-resilience-act/faq/substantial-modification.md): CRA FAQ on substantial modification covering Article 3(30), software updates, repairs, new manufacturer status, conformity reassessment.
- [CRA Support Period FAQ | Placement on the Market, Unit-Level Timing, Update Availability](/artifacts/eu/cyber-resilience-act/faq/support-period.md): CRA FAQ on support periods covering Article 13(8), placement on the market timing, unit-level support periods, standalone software, update availability.
- [CRA Tailor-Made Products FAQ | Business-User Exception, Paid Updates, Evidence](/artifacts/eu/cyber-resilience-act/faq/tailor-made-products.md): CRA FAQ on tailor-made products covering the narrow business-user carve-out, secure-by-default and paid-update deviations, required evidence.
- [CRA Technical Documentation FAQ | Annex VII, Languages, Authority Access, Updates](/artifacts/eu/cyber-resilience-act/faq/technical-documentation.md): CRA FAQ on technical documentation covering Annex VII content, timing, languages, versioning, authority access, reused documentation, simplified formats.
- [CRA Transition Period FAQ | Key Dates, Legacy Products, Pre-CRA Stock, RED Interplay](/artifacts/eu/cyber-resilience-act/faq/transition-period.md): CRA FAQ on the transition period covering entry into force, phased application dates, legacy products, stock and customs timing, standalone software.
- [CRA Update Availability and Archives FAQ | Article 13(9), Archives, Historical Versions](/artifacts/eu/cyber-resilience-act/faq/update-availability-and-archives.md): CRA FAQ on update availability and software archives covering Article 13(9), Article 13(10), Article 13(11), retention of issued security updates.
- [CRA User Information and Transparency FAQ | Annex II, Support Disclosure, User Notices](/artifacts/eu/cyber-resilience-act/faq/user-information-and-transparency.md): CRA FAQ on user information and transparency covering Annex II instructions, support-period disclosure, end-of-support notices, vulnerability notices.
- [CRA vs RED Cybersecurity Delegated Act | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/cra-vs-red-cybersecurity-delegated-act.md): Compare the Cyber Resilience Act with the RED cybersecurity delegated act so you can decide which products fall under which rule, what dates apply.
- [CRA vs UK PSTI Act | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/cra-vs-uk-psti-act.md): Compare the EU Cyber Resilience Act with the UK PSTI product security regime so your team can plan dual market compliance without mixing two different rule.
- [CRA Vulnerability Handling FAQ | Lifecycle Duties, Components, Disclosure, Fix Sharing](/artifacts/eu/cyber-resilience-act/faq/vulnerability-handling.md): CRA FAQ on vulnerability handling covering Annex I Part II duties, component vulnerabilities, upstream reporting and fix sharing.
- [Deadlines and Compliance Calendar | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/deadlines-and-compliance-calendar.md): Track the CRA entry into force date, the notified body date, the reporting start date, and the main application date.
- [Essential Cybersecurity Requirements | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/essential-cybersecurity-requirements.md): Understand the CRA essential cybersecurity requirements in Annex I.
- [Penalties and Fines | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/penalties-and-fines.md): Understand the CRA administrative fine tiers in Article 64, the conduct that attracts the highest penalties, and the evidence that reduces enforcement exposure.
- [Products with Digital Elements Scope | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/products-with-digital-elements-scope.md): Understand what counts as a product with digital elements under the CRA, how remote data processing fits, and where the scope boundary usually causes mistakes.
- [Reporting Obligations | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/reporting-obligations.md): Prepare for CRA Article 14 reporting, including the twenty four hour early warning, the seventy two hour notification, final reports, CSIRT routing.
- [Requirements | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/requirements.md): Review the full CRA requirement set, including manufacturer duties, operator duties, support period rules, user information, corrective action, reporting.
- [SBOM and Vulnerability Management Template | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/sbom-and-vulnerability-management-template.md): Use this CRA SBOM and vulnerability management template to structure dependency records, triage, remediation, advisory publication, and support period evidence.
- [Technical Documentation and Audit File | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/technical-documentation-and-audit-file.md): Build a CRA technical documentation file that covers product definition, risk assessment, support period, Annex I mapping, standards use, test evidence.
- [Vulnerability Handling and Disclosure | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/vulnerability-handling-and-disclosure.md): Build a CRA vulnerability handling system that covers SBOM, intake, triage, remediation, coordinated vulnerability disclosure, secure updates.

*Recommended next step*

*Placement: after the FAQ section*

## Use Blue Guide Concepts FAQ as a cited research workflow

Research Copilot can turn this blue guide concepts FAQ into a reusable cited workflow for product, legal, engineering, and compliance teams working through CRA decisions.

- [Open Research Copilot](/solutions/research-copilot.md): Start from the blue guide concepts questions that block launch, review, and evidence workflows.
- [Talk through your CRA implementation](/contact.md): Review evidence gaps, ownership, and next steps for your current product portfolio.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/cyber-resilience-act/faq/blue-guide-concepts