---
title: "CRA CE Marking FAQ"
canonical_url: "https://www.sorena.io/artifacts/eu/cyber-resilience-act/faq/ce-marking"
source_url: "https://www.sorena.io/artifacts/eu/cyber-resilience-act/faq/ce-marking"
author: "Sorena AI"
description: "CRA CE marking FAQ covering what the mark means, when it is mandatory, software and website placement rules, packaging fallback, notified body numbers."
published_at: "2026-03-10"
updated_at: "2026-03-10"
keywords:
  - "CRA CE marking FAQ"
  - "CE marking CRA software"
  - "CRA website CE marking"
  - "CRA notified body number"
  - "CRA declaration of conformity"
  - "CRA importer distributor CE checks"
  - "Cyber Resilience Act"
  - "CRA FAQ"
  - "EU compliance"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# CRA CE Marking FAQ

CRA CE marking FAQ covering what the mark means, when it is mandatory, software and website placement rules, packaging fallback, notified body numbers.

*FAQ* *EU* *Cyber Resilience Act*

## EU Cyber Resilience Act FAQ CE Marking

Use this CRA CE marking FAQ to understand what the mark means, when it can be affixed, where it must appear for hardware and software, and what importers, distributors, and notified-body routes change in practice.

Built for teams preparing conformity assessment, launch readiness, packaging, software distribution, and market-access controls.

CE marking under the CRA is not just a label question. It sits on top of conformity assessment, technical documentation, declarations of conformity, launch timing, and operator responsibilities. This FAQ isolates the issues that usually create avoidable mistakes before release.

## What does the CE marking mean under the CRA?

Under the CRA, the CE marking is the manufacturer's visible indication that the product with digital elements, and the processes put in place by the manufacturer, conform to the CRA's essential cybersecurity requirements and to any other applicable Union harmonisation legislation that also provides for CE marking.

It is the visible consequence of the conformity-assessment process. It is not a separate licence or approval stamp issued by authorities.

Sources for this answer:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 3(31), Article 29, Article 30 and recital 89
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 6.7
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.1 and Annex 5 FAQ

## What legal effect does the CE marking have for market access?

It supports free circulation by signalling presumed compliance with the applicable CE-marking legislation.

The Blue Guide explains that products bearing the CE marking are presumed to comply with the applicable Union harmonisation legislation and therefore benefit from free circulation. The CRA follows the same logic: Member States must not impede the making available on the market of products that comply with the Regulation, and recital 36 links that free movement function to CRA CE marking.

Sources for this answer:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 4(1), Article 30(5) and recital 36
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.1 and Annex 5 FAQ

## Is CE marking mandatory for products in scope of the CRA?

Yes, as the general rule for products with digital elements that are placed on the Union market under the CRA.

The manufacturer must affix the CE marking before placing the product on the market, after the applicable conformity assessment has been completed. The Blue Guide also makes clear that products not covered by Union legislation providing for CE marking must not bear the CE marking.

Sources for this answer:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 30(3)
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 6.7
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.6 and Annex 5 FAQ

## Does the CE marking mean the product was tested or approved by an authority?

No, not as a general rule.

The CE marking remains the manufacturer's declaration of conformity on its sole responsibility. Some CRA conformity-assessment routes involve a notified body, but the CE marking does not by itself mean that a public authority approved the product.

Sources for this answer:

- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 5.4.2, 5.4.3 and 6.7
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.1 and Annex 5 FAQ

## Does the CE marking mean the product was made in the EU?

No.

The CE marking indicates conformity with the applicable legislation. It is not a mark of origin and does not show where the product was manufactured.

Sources for this answer:

- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.1 and Annex 5 FAQ

## Who may affix the CE marking under the CRA?

The manufacturer may affix it, and the Blue Guide also recognises affixing by an authorised representative acting on the manufacturer's behalf.

Even where an authorised representative is used, the manufacturer remains ultimately responsible for conformity and for the CE marking.

Sources for this answer:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(12), Article 29 and Article 30
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.3 and Annex 5 FAQ

## Can someone other than the original manufacturer become responsible for CE marking?

Yes.

Under the CRA, an importer or distributor that places a product on the market under its own name or trademark, or that carries out a substantial modification, is treated as the manufacturer. A different natural or legal person that substantially modifies a product and makes it available on the market can also become the manufacturer for the affected product or part. The Blue Guide reflects the same general NLF logic.

Sources for this answer:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 21 and Article 22
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.3 and Annex 5 FAQ

## When must the CE marking be affixed?

Before the product with digital elements is placed on the market.

That means the manufacturer cannot defer CE marking until after launch or leave it to later stages in the distribution chain.

Sources for this answer:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 30(3)
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.4 and section 4.5.1.6

## Can the CE marking be affixed before the conformity assessment is complete?

No.

The manufacturer must first complete the applicable conformity assessment procedure with a positive result. The CRA FAQ states this directly, and the Blue Guide says the CE marking may not, in principle, be affixed until the conformity assessment has been completed.

Sources for this answer:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(12) and Article 30(3)
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 6.7
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.4 and Annex 5 FAQ

## Where must the CE marking be placed on a physical product?

As a rule, it must be affixed visibly, legibly and indelibly to the product itself.

If that is not possible or not warranted because of the nature of the product, the CRA requires it to be affixed to the packaging and to the EU declaration of conformity accompanying the product.

Sources for this answer:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 30(1)
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.4 and Annex 5 FAQ

## Can the CE marking be moved to the packaging just because the product design would look cleaner without it?

No.

The Blue Guide is clear that moving the CE marking off the product cannot be justified on purely aesthetic grounds. The exception is only for cases where affixing it to the product is not possible or not warranted because of the product's nature.

Sources for this answer:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 30(1)
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 6.7
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.4

## Can a physical product rely on a website-only CE marking?

No.

Under Article 30(1), the CRA gives the website option only for products with digital elements in the form of software. For other products, the rule is product first, with packaging and accompanying EU declaration of conformity as the fallback where the nature of the product justifies it.

Sources for this answer:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 30(1)
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.4

## Where does the CE marking go for software products?

For software products, the CE marking must be affixed either to the EU declaration of conformity or on the website accompanying the software product.

If the website option is used, the relevant section must be easily and directly accessible to consumers.

Sources for this answer:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 30(1)
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 6.7

## What size and visibility rules apply to the CE marking?

It must be visible, legible and indelible.

The height may be below 5 mm only where the nature of the product justifies that and the mark still remains visible and legible. The CRA FAQ adds that reduced size cannot be justified by aesthetics alone and that the mark should not be placed where it is not easily visible in the product's intended use.

Sources for this answer:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 30(1) and Article 30(2)
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 6.7
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.4

## Can a physical product use only an electronic label or on-screen CE marking?

Not as a purely electronic-only substitute.

The Blue Guide says electronic labelling only is not allowed. At the same time, it notes that some on-product technological solutions, such as certain LCD displays, can be acceptable where they still satisfy the visibility, legibility and indelibility requirements. For software, the CRA separately allows the CE marking on the accompanying website or EU declaration of conformity.

Sources for this answer:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 30(1)
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.4, including footnote 237

## Can other markings appear next to the CE marking?

Yes, but only within limits.

Under the CRA, the CE marking may be followed by a pictogram or other mark indicating a special cybersecurity risk or use if such markings are set out in implementing acts. More generally, the Blue Guide allows additional markings only where they serve a different function, do not create confusion with the CE marking, and do not reduce its visibility or legibility.

Sources for this answer:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 30(3) and Article 30(6)
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.7 and Annex 5 FAQ

## When must the notified body's identification number follow the CE marking?

Under the CRA, only where the conformity assessment procedure is based on full quality assurance under module H.

That is different from module B+C. Under module B+C, the manufacturer affixes the CE marking after obtaining the EU-type certificate, but Article 30(4) does not require the notified body's identification number to follow the CE marking for that route.

Sources for this answer:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 30(4) and Annex VIII Part IV, point 5.1
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 5.4.2 and 5.4.3
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.5

## Can the CE marking and notified body number be affixed outside the EU?

Yes.

The Blue Guide explains that the CE marking and, where relevant, the notified body's identification number do not need to be affixed within the Union. They may also be affixed in a third country, for example where the product is manufactured there.

Sources for this answer:

- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.5

## Can an open-source software steward affix the CE marking?

No.

The CRA recital on open-source software stewards says they should not be permitted to affix the CE marking to the products with digital elements whose development they support, because that light-touch steward regime does not make them subject to the same obligations as manufacturers.

Sources for this answer:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - recital 19

## Does a CE-marked component automatically mean the final product is CE-compliant?

No.

The Blue Guide says CE-marked components or parts do not automatically guarantee that the finished product complies. The manufacturer of the finished product must still verify the finished product as such. The CRA FAQ makes the same practical point from the component-due-diligence angle: CE-marked components can support the manufacturer's compliance work, but the CRA does not require manufacturers to integrate only CE-marked components.

Sources for this answer:

- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.1
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 4.4.1 and 4.4.3
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - recital 34 and recital 35

## What if the product is also subject to other EU laws that require CE marking?

The same CE marking indicates that the product also meets those other applicable Union harmonisation acts.

That is also why the CRA requires a single EU declaration of conformity when multiple applicable Union acts apply to the same product.

Sources for this answer:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 28(3) and Article 30(5)
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.1 and section 4.5.1.6
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 6.7 and 6.8

## What do importers and distributors need to check in practice about CRA CE marking?

Importers must ensure before placing the product on the market that the product bears the CE marking and is accompanied by the EU declaration of conformity and the required user information. Distributors must verify before making the product available that the product bears the CE marking and that the specified manufacturer and importer obligations have been met.

So CE marking is not only a manufacturer-side issue. Other economic operators are expected to check for it as part of their own CRA duties.

Sources for this answer:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 19(2)(c) and Article 20(2)
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - Annex 5 FAQ

## Can a non-compliant product be shown without CE marking at a trade fair or demonstration?

Yes, if it is not yet being made available on the market.

The CRA allows the presentation or use of a non-compliant product, including a prototype, at trade fairs, exhibitions, demonstrations or similar events, provided that it carries a visible sign clearly stating that it does not comply and will not be made available on the market until it does.

Sources for this answer:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 4(2) and recital 36

## Can unfinished software be distributed for testing without full CRA compliance and CE marking?

Yes, but only within the CRA's specific testing exception.

Article 4(3) allows unfinished software to be made available for a limited period required for testing purposes if it carries a visible sign stating that it does not comply with the CRA and is not available for purposes other than testing. Recital 37 and the Commission FAQ explain that this covers alpha, beta and release candidate software, that manufacturers should perform a risk assessment and comply to the extent possible with the relevant security and vulnerability-handling requirements, and that they should not force users to upgrade to testing versions. Article 4(4) excludes certain safety components from this exception.

Sources for this answer:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 4(3), Article 4(4) and recital 37
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 1.6

## Does affixing the CE marking end the manufacturer's CRA responsibilities?

No.

CE marking comes after conformity assessment, but the manufacturer still has continuing obligations under the CRA, including vulnerability handling, support-period duties, corrective actions, and keeping the technical documentation and declaration of conformity available for the required period.

Sources for this answer:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(7) to 13(13), Article 28, Article 31(2) and Annex I Part II

## What happens if the CE-marking rules are not met?

Missing or improper CE marking is treated as formal non-compliance under the CRA.

Market surveillance authorities must require the relevant manufacturer to end the non-compliance. If the problem persists, Member States must take appropriate measures to restrict or prohibit the product from being made available on the market or to ensure recall or withdrawal. In addition, non-compliance with Article 30(1) to (4) can trigger administrative fines under Article 64(3).

Sources for this answer:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 58(1) to (2) and Article 64(3)
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.8

## Primary sources

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 3(31), Article 29, Article 30 and recital 89
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 6.7
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.1 and Annex 5 FAQ
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 4(1), Article 30(5) and recital 36
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 30(3)
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.6 and Annex 5 FAQ
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 5.4.2, 5.4.3 and 6.7
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(12), Article 29 and Article 30
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.3 and Annex 5 FAQ
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 21 and Article 22
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.4 and section 4.5.1.6
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(12) and Article 30(3)
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.4 and Annex 5 FAQ
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 30(1)
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.4
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 30(1) and Article 30(2)
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.4, including footnote 237
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 30(3) and Article 30(6)
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.7 and Annex 5 FAQ
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 30(4) and Annex VIII Part IV, point 5.1
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 5.4.2 and 5.4.3
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.5
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - recital 19
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.1
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 4.4.1 and 4.4.3
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - recital 34 and recital 35
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 28(3) and Article 30(5)
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.1 and section 4.5.1.6
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 6.7 and 6.8
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 19(2)(c) and Article 20(2)
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - Annex 5 FAQ
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 4(2) and recital 36
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 4(3), Article 4(4) and recital 37
- [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 1.6
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(7) to 13(13), Article 28, Article 31(2) and Annex I Part II
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 58(1) to (2) and Article 64(3)
- [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 4.5.1.8

## Topic Guides

- [Applicability Test | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/applicability-test.md): Use this CRA applicability test to confirm product scope, exclusions, remote data processing boundaries, operator role, product classification.
- [Checklist | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/checklist.md): Use this Cyber Resilience Act checklist to assign owners, deadlines, evidence, and release gates for scope, Annex I controls, support period operations.
- [Compliance Program | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/compliance.md): Build a CRA compliance program that covers product scope, governance, engineering controls, support period operations, Article 14 reporting.
- [Conformity Assessment and CE Marking | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/conformity-assessment-and-ce-marking.md): Choose the right CRA conformity route, prepare the declaration of conformity, structure the technical file.
- [CRA Blue Guide Concepts FAQ | Placing on the Market, Making Available, Distance Sales](/artifacts/eu/cyber-resilience-act/faq/blue-guide-concepts.md): CRA FAQ on Blue Guide concepts used in Cyber Resilience Act interpretation: placing on the market, making available, putting into service, online sales.
- [CRA Component Due Diligence FAQ | Third-Party Components, FOSS, SBOM, Vulnerabilities](/artifacts/eu/cyber-resilience-act/faq/component-due-diligence.md): CRA component due diligence FAQ covering third-party components, FOSS, CE-marked components, SBOM review, risk-based checks, upstream vulnerability reporting.
- [CRA Conformity Assessment Routes FAQ | Module A, Module B+C, Module H, Critical and Important Products](/artifacts/eu/cyber-resilience-act/faq/conformity-assessment-routes.md): CRA FAQ on conformity assessment routes covering module A, module B+C, module H, important and critical products, harmonised standards, certification schemes.
- [CRA Core Functionality FAQ | Important Products, Critical Products, Classification](/artifacts/eu/cyber-resilience-act/faq/core-functionality.md): CRA FAQ on core functionality covering classification of important and critical products, ancillary functions, integrated components.
- [CRA Cybersecurity Risk Assessment FAQ | Article 13, Threat Modelling, Variants, Constraints](/artifacts/eu/cyber-resilience-act/faq/cybersecurity-risk-assessment.md): CRA FAQ on cybersecurity risk assessment covering Article 13, threat modelling, intended purpose, foreseeable misuse, external dependencies, documentation.
- [CRA Declaration of Conformity FAQ | Full vs Simplified, Languages, Updates, Duties](/artifacts/eu/cyber-resilience-act/faq/declaration-of-conformity.md): CRA FAQ on the EU declaration of conformity covering full and simplified formats, required contents, languages, updates, single declarations across EU laws.
- [CRA Economic Operators FAQ | Manufacturers, Importers, Distributors, Authorised Representatives](/artifacts/eu/cyber-resilience-act/faq/economic-operators.md): CRA FAQ on economic operators covering manufacturer, authorised representative, importer, distributor, responsible operator rules, checks, traceability.
- [CRA Essential Cybersecurity Requirements FAQ | Annex I Part I and Part II](/artifacts/eu/cyber-resilience-act/faq/essential-cybersecurity-requirements.md): CRA FAQ on the essential cybersecurity requirements covering Annex I Part I and Part II, applicability, evidence, interoperability constraints.
- [CRA FAQ Hub | Blue Guide Concepts, CE Marking, Component Due Diligence](/artifacts/eu/cyber-resilience-act/faq.md): Browse the CRA FAQ hub for Blue Guide market-access concepts, CE marking, and component due diligence.
- [CRA Hardware and Software Boundaries FAQ | Product Scope, Combined Products, Source Code](/artifacts/eu/cyber-resilience-act/faq/hardware-software-boundaries.md): CRA FAQ on hardware and software boundaries covering combined products, standalone software, source code, companion apps, remote data processing.
- [CRA Harmonised Standards and Common Specifications FAQ | Presumption of Conformity, OJ Publication](/artifacts/eu/cyber-resilience-act/faq/harmonised-standards-and-common-specifications.md): CRA FAQ on harmonised standards, common specifications, and certification schemes covering presumption of conformity, Official Journal publication.
- [CRA Important and Critical Products FAQ | Annex III, Annex IV, Core Functionality](/artifacts/eu/cyber-resilience-act/faq/important-and-critical-products.md): CRA FAQ on important and critical products covering Annex III and Annex IV classification, core functionality, conformity routes, FOSS rule limits.
- [CRA Integrated Components and Dependencies FAQ | Due Diligence, RDPS, Third-Party Components](/artifacts/eu/cyber-resilience-act/faq/integrated-components-and-dependencies.md): CRA FAQ on integrated components and dependencies covering due diligence, third-party components, RDPS, cloud dependencies, upstream fixes, FOSS dependencies.
- [CRA Interplay With Other EU Laws FAQ | RED, AI Act, GDPR, Data Act, EHDS, Machinery](/artifacts/eu/cyber-resilience-act/faq/interplay-with-other-eu-laws.md): CRA FAQ on interplay with other EU laws covering exclusions, overlap with RED, AI Act, GDPR, Data Act, EHDS, Machinery, GPSR, NIS2, aviation, marine.
- [CRA Known Exploitable Vulnerabilities at Launch FAQ | Placement on the Market, CVEs, Late Discoveries](/artifacts/eu/cyber-resilience-act/faq/known-exploitable-vulnerabilities-at-launch.md): CRA FAQ on known exploitable vulnerabilities at launch covering the launch-time rule, exploitability, known vulnerabilities, CVEs, compensating controls.
- [CRA Legacy Products FAQ | Pre-2027 Products, Reporting, Grandfathering, Substantial Modification](/artifacts/eu/cyber-resilience-act/faq/legacy-products.md): CRA FAQ on legacy products covering pre-11 December 2027 products, Article 14 reporting, continued sale, substantial modification, spare parts, old designs.
- [CRA Manufacturer Obligations FAQ | Article 13 Duties, Support Period, Reporting, Documentation](/artifacts/eu/cyber-resilience-act/faq/manufacturer-obligations.md): CRA FAQ on manufacturer obligations covering Article 13 duties, risk assessment, support periods, vulnerability handling, reporting, documentation.
- [CRA Market Surveillance and Enforcement FAQ | Authorities, Safeguards, Sweeps, Formal Non-Compliance](/artifacts/eu/cyber-resilience-act/faq/market-surveillance-and-enforcement.md): CRA FAQ on market surveillance and enforcement covering authorities, investigations, safeguard procedures, formal non-compliance, sweeps, joint activities.
- [CRA Module A FAQ | Internal Control, Self-Assessment, Eligibility, Documentation](/artifacts/eu/cyber-resilience-act/faq/module-a.md): CRA FAQ on module A covering internal control, eligible products, class I limits, FOSS exception, technical documentation, testing, CE marking.
- [CRA Module B+C FAQ | EU-Type Examination, Conformity to Type, Notified Bodies](/artifacts/eu/cyber-resilience-act/faq/module-b-c.md): CRA FAQ on module B+C covering EU-type examination, conformity to type, notified-body role, certificate changes, production control, CE marking.
- [CRA Module H FAQ | Full Quality Assurance, Notified Body Surveillance, CE Marking](/artifacts/eu/cyber-resilience-act/faq/module-h.md): CRA FAQ on module H covering full quality assurance, quality-system approval, notified-body surveillance, scope changes, CE marking, language rules, records.
- [CRA Notified Bodies FAQ | Notification, Scope, NANDO, Independence, Competence](/artifacts/eu/cyber-resilience-act/faq/notified-bodies.md): CRA FAQ on notified bodies covering notification, competence, independence, NANDO scope, accreditation, cross-border choice, subcontracting.
- [CRA Open-Source Software FAQ | FOSS, Commercial Activity, Stewards, Donations, Paid Editions](/artifacts/eu/cyber-resilience-act/faq/open-source-software.md): CRA FAQ on open-source software covering FOSS qualification, commercial activity, donations, paid support, stewards, contributors, repositories.
- [CRA Over-the-Air Updates FAQ | OTA, Automatic Updates, Secure Distribution, Offline Paths](/artifacts/eu/cyber-resilience-act/faq/over-the-air-updates.md): CRA FAQ on over-the-air updates covering OTA versus automatic updates, secure distribution, screenless products, gateways, offline update paths.
- [CRA Penalties and Fines FAQ | Fine Tiers, Turnover Caps, SME Carve-Outs, Stewards](/artifacts/eu/cyber-resilience-act/faq/penalties-and-fines.md): CRA FAQ on penalties and fines covering Article 64 fine tiers, turnover caps, SME carve-outs, steward exemptions, cumulative fines, criminal sanctions.
- [CRA Product Families FAQ | Variants, Shared Assessments, Family Reuse, Conformity Scope](/artifacts/eu/cyber-resilience-act/faq/product-families.md): CRA FAQ on product families covering shared risk assessments, family-wide documentation reuse, cybersecurity-relevant variant differences.
- [CRA Remote Data Processing Solutions FAQ | RDPS Scope, Cloud Services, SaaS Boundaries, Documentation](/artifacts/eu/cyber-resilience-act/faq/remote-data-processing-solutions.md): CRA FAQ on remote data processing solutions covering Article 3(2) RDPS tests, cloud-service boundaries, websites and portals, third-party SaaS, backend scope.
- [CRA Repairs and Spare Parts FAQ | Repairs, Refurbishment, Spare-Part Exemption, Compatibility](/artifacts/eu/cyber-resilience-act/faq/repairs-and-spare-parts.md): CRA FAQ on repairs and spare parts covering substantial modification, Article 2(6) identical spare parts, non-identical replacements.
- [CRA Reporting Obligations FAQ | Article 14 Deadlines, CSIRT Filing, User Notices, Legacy Products](/artifacts/eu/cyber-resilience-act/faq/reporting-obligations.md): CRA FAQ on reporting obligations covering Article 14 deadlines, actively exploited vulnerabilities, severe incidents, CSIRT routing, user notifications.
- [CRA Scope FAQ | Products with Digital Elements, Connections, Software, Exclusions](/artifacts/eu/cyber-resilience-act/faq/scope-and-products-with-digital-elements.md): CRA FAQ on scope and products with digital elements covering software, firmware, components, direct and indirect connections, offline products, exclusions.
- [CRA Secure-by-Default FAQ | Default Configuration, Auto Updates, Tailor-Made Limits](/artifacts/eu/cyber-resilience-act/faq/secure-by-default.md): CRA FAQ on secure by default covering Annex I default configuration, automatic security updates, opt-outs, components, inapplicability.
- [CRA Security Updates vs Functionality Updates FAQ | Separation, Free Updates, Article 13(10)](/artifacts/eu/cyber-resilience-act/faq/security-updates-vs-functionality-updates.md): CRA FAQ on security updates versus functionality updates covering separation where technically feasible, free security updates, automatic updates.
- [CRA Substantial Modification FAQ | Post-Market Changes, New Manufacturer, Legacy Products](/artifacts/eu/cyber-resilience-act/faq/substantial-modification.md): CRA FAQ on substantial modification covering Article 3(30), software updates, repairs, new manufacturer status, conformity reassessment.
- [CRA Support Period FAQ | Placement on the Market, Unit-Level Timing, Update Availability](/artifacts/eu/cyber-resilience-act/faq/support-period.md): CRA FAQ on support periods covering Article 13(8), placement on the market timing, unit-level support periods, standalone software, update availability.
- [CRA Tailor-Made Products FAQ | Business-User Exception, Paid Updates, Evidence](/artifacts/eu/cyber-resilience-act/faq/tailor-made-products.md): CRA FAQ on tailor-made products covering the narrow business-user carve-out, secure-by-default and paid-update deviations, required evidence.
- [CRA Technical Documentation FAQ | Annex VII, Languages, Authority Access, Updates](/artifacts/eu/cyber-resilience-act/faq/technical-documentation.md): CRA FAQ on technical documentation covering Annex VII content, timing, languages, versioning, authority access, reused documentation, simplified formats.
- [CRA Transition Period FAQ | Key Dates, Legacy Products, Pre-CRA Stock, RED Interplay](/artifacts/eu/cyber-resilience-act/faq/transition-period.md): CRA FAQ on the transition period covering entry into force, phased application dates, legacy products, stock and customs timing, standalone software.
- [CRA Update Availability and Archives FAQ | Article 13(9), Archives, Historical Versions](/artifacts/eu/cyber-resilience-act/faq/update-availability-and-archives.md): CRA FAQ on update availability and software archives covering Article 13(9), Article 13(10), Article 13(11), retention of issued security updates.
- [CRA User Information and Transparency FAQ | Annex II, Support Disclosure, User Notices](/artifacts/eu/cyber-resilience-act/faq/user-information-and-transparency.md): CRA FAQ on user information and transparency covering Annex II instructions, support-period disclosure, end-of-support notices, vulnerability notices.
- [CRA vs RED Cybersecurity Delegated Act | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/cra-vs-red-cybersecurity-delegated-act.md): Compare the Cyber Resilience Act with the RED cybersecurity delegated act so you can decide which products fall under which rule, what dates apply.
- [CRA vs UK PSTI Act | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/cra-vs-uk-psti-act.md): Compare the EU Cyber Resilience Act with the UK PSTI product security regime so your team can plan dual market compliance without mixing two different rule.
- [CRA Vulnerability Handling FAQ | Lifecycle Duties, Components, Disclosure, Fix Sharing](/artifacts/eu/cyber-resilience-act/faq/vulnerability-handling.md): CRA FAQ on vulnerability handling covering Annex I Part II duties, component vulnerabilities, upstream reporting and fix sharing.
- [Deadlines and Compliance Calendar | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/deadlines-and-compliance-calendar.md): Track the CRA entry into force date, the notified body date, the reporting start date, and the main application date.
- [Essential Cybersecurity Requirements | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/essential-cybersecurity-requirements.md): Understand the CRA essential cybersecurity requirements in Annex I.
- [Penalties and Fines | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/penalties-and-fines.md): Understand the CRA administrative fine tiers in Article 64, the conduct that attracts the highest penalties, and the evidence that reduces enforcement exposure.
- [Products with Digital Elements Scope | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/products-with-digital-elements-scope.md): Understand what counts as a product with digital elements under the CRA, how remote data processing fits, and where the scope boundary usually causes mistakes.
- [Reporting Obligations | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/reporting-obligations.md): Prepare for CRA Article 14 reporting, including the twenty four hour early warning, the seventy two hour notification, final reports, CSIRT routing.
- [Requirements | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/requirements.md): Review the full CRA requirement set, including manufacturer duties, operator duties, support period rules, user information, corrective action, reporting.
- [SBOM and Vulnerability Management Template | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/sbom-and-vulnerability-management-template.md): Use this CRA SBOM and vulnerability management template to structure dependency records, triage, remediation, advisory publication, and support period evidence.
- [Technical Documentation and Audit File | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/technical-documentation-and-audit-file.md): Build a CRA technical documentation file that covers product definition, risk assessment, support period, Annex I mapping, standards use, test evidence.
- [Vulnerability Handling and Disclosure | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/vulnerability-handling-and-disclosure.md): Build a CRA vulnerability handling system that covers SBOM, intake, triage, remediation, coordinated vulnerability disclosure, secure updates.

*Recommended next step*

*Placement: after the FAQ section*

## Use CE Marking FAQ as a cited research workflow

Research Copilot can turn this ce marking FAQ into a reusable cited workflow for product, legal, engineering, and compliance teams working through CRA decisions.

- [Open Research Copilot](/solutions/research-copilot.md): Start from the ce marking questions that block launch, review, and evidence workflows.
- [Talk through your CRA implementation](/contact.md): Review evidence gaps, ownership, and next steps for your current product portfolio.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/cyber-resilience-act/faq/ce-marking