--- title: "CRA Economic Operators FAQ" canonical_url: "https://www.sorena.io/artifacts/eu/cyber-resilience-act/faq/economic-operators" source_url: "https://www.sorena.io/artifacts/eu/cyber-resilience-act/faq/economic-operators" author: "Sorena AI" description: "CRA FAQ on economic operators covering manufacturer, authorised representative, importer, distributor, responsible operator rules, checks, traceability." published_at: "2026-03-10" updated_at: "2026-03-10" keywords: - "CRA economic operators FAQ" - "CRA manufacturer importer distributor" - "CRA authorised representative" - "CRA responsible operator" - "CRA importer obligations" - "CRA distributor obligations" - "Cyber Resilience Act" - "CRA FAQ" - "EU compliance" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # CRA Economic Operators FAQ CRA FAQ on economic operators covering manufacturer, authorised representative, importer, distributor, responsible operator rules, checks, traceability. *FAQ* *EU* *Cyber Resilience Act* ## EU Cyber Resilience Act FAQ Economic Operators Use this CRA FAQ to understand who counts as a manufacturer, authorised representative, importer, distributor, or other responsible operator, and what each role must do before and after placing products on the Union market. Built for legal, compliance, supply-chain, marketplace, and go-to-market teams allocating CRA responsibilities. CRA economic-operator rules determine who must handle conformity, documentation, traceability, and authority-facing obligations across the Union supply chain. This FAQ focuses on operator roles, handoffs, due-care checks, role changes, and the extra EU-based responsible-operator requirement for non-EU products. ## What is an economic operator under the CRA? Under the CRA, an economic operator means the manufacturer, authorised representative, importer, distributor, or another natural or legal person that is subject to obligations relating to the manufacture of products with digital elements or to their making available on the market under the Regulation. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 3(12) ## How does the CRA distinguish manufacturers, authorised representatives, importers and distributors? The CRA defines them as separate roles: - the manufacturer develops, manufactures, or has the product designed, developed or manufactured, and markets it under its own name or trademark - the authorised representative is an EU-established person with a written mandate from the manufacturer to act on specified tasks - the importer is an EU-established person who places on the market a product bearing the name or trademark of a person established outside the Union - the distributor is a person in the supply chain, other than the manufacturer or importer, who makes the product available on the Union market without affecting its properties Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 3(13), Article 3(15)-(17) ## Can the same company have different CRA roles for different products or sales channels? Yes. The CRA recognises that the same business can perform different functions depending on the product and the service it provides. A business that only provides online intermediation for one product may not be a CRA economic operator for that product, while the same business could still be a distributor or a manufacturer for other products that it actually sells or brands. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - recital 78 ## If a company sells a product under its own brand, is it the manufacturer even if someone else designed or built it? Yes. Under the CRA definition, what matters is not only who physically developed or assembled the product, but also who markets it under its own name or trademark. If a business places the product on the market under its own brand, it takes the manufacturer role for CRA purposes. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 3(13), recital 78 - [The Blue Guide on the implementation of EU product rules 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 3.1 ## Is an authorised representative mandatory under the CRA? Not in every case. Article 18 says a manufacturer may appoint an authorised representative by written mandate, so the appointment is optional under the CRA itself. But where the manufacturer is established outside the Union, a CRA-covered product can only be placed on the Union market if there is an EU-established operator performing the tasks required by Article 4 of Regulation (EU) 2019/1020. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 18(1) - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 4.6.1 ## Can a third-country manufacturer place CRA products on the Union market without any EU-based operator? No. The Commission FAQ explains that a non-EU manufacturer needs an economic operator established in the Union to perform the Article 4 tasks under Regulation (EU) 2019/1020. Depending on the setup, that can be an importer, an authorised representative or, where no other such operator exists, a fulfilment service provider. Sources for this answer: - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 4.6.1 ## What can an authorised representative do under the CRA? The authorised representative performs the tasks specified in the written mandate from the manufacturer. At minimum, that mandate must allow it to: - keep the EU declaration of conformity and technical documentation at the disposal of market surveillance authorities - provide the relevant information and documentation to market surveillance authorities on request The authorised representative must also provide a copy of its mandate to market surveillance authorities on request. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 18(3) ## What can an authorised representative not take over from the manufacturer? The authorised representative cannot take over the manufacturer's core product-compliance obligations listed in Article 13(1) to (11), Article 13(12), first subparagraph, and Article 13(14). That means the authorised representative can help with documentation and authority-facing tasks, but it does not replace the manufacturer for the core design, risk assessment, conformity assessment and ongoing compliance duties that the CRA keeps with the manufacturer. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 18(2)-(3) ## What are the importer's key CRA checks before placing a product on the market? Before placing a product on the market, the importer must ensure that: - the manufacturer carried out the appropriate conformity assessment - the manufacturer drew up the technical documentation - the product bears the CE marking and is accompanied by the declaration of conformity and Annex II information and instructions in an understandable language - the manufacturer complied with the identification, contact-detail and support-period-end-date obligations in Article 13(15), (16) and (19) Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 19(1)-(2) ## What must an importer do under the CRA if it doubts compliance or learns of a vulnerability? If the importer considers or has reason to believe that the product or the manufacturer's processes are not in conformity, it must not place the product on the market until conformity is restored. If the product presents a significant cybersecurity risk, the importer must inform the manufacturer and the market surveillance authorities. After placement on the market, if the importer becomes aware of a vulnerability, it must inform the manufacturer without undue delay and, where there is a significant cybersecurity risk, also inform the relevant market surveillance authorities. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 19(3), Article 19(5) ## What must an importer keep and provide to authorities under the CRA? The importer must keep a copy of the EU declaration of conformity at the disposal of market surveillance authorities for at least 10 years after placement on the market or for the support period, whichever is longer. It must also ensure that the technical documentation can be made available and must provide the necessary information and documentation further to a reasoned request. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 19(6)-(7) ## What are the distributor's key CRA checks before making a product available on the market? Before making a product available on the market, the distributor must verify that: - the product bears the CE marking - the manufacturer and the importer complied with the documentation and traceability obligations listed in Article 20(2) - the necessary documents have been provided to the distributor The distributor must also act with due care in relation to the CRA's requirements. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 20(1)-(2) ## What must a distributor do under the CRA if it suspects non-compliance or learns of a vulnerability? If the distributor considers or has reason to believe that the product or the manufacturer's processes are not in conformity, it must not make the product available until conformity is restored. If the distributor later knows or has reason to believe that a product it has made available is not in conformity, it must make sure that corrective measures, withdrawal or recall are taken as appropriate. Upon becoming aware of a vulnerability, it must inform the manufacturer without undue delay and, where there is a significant cybersecurity risk, immediately inform the relevant market surveillance authorities. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 20(3)-(4) ## What must a distributor provide to authorities under the CRA, and what if the manufacturer ceases operations? Further to a reasoned request, the distributor must provide the information and documentation necessary to demonstrate conformity and cooperate with the market surveillance authority on measures to eliminate cybersecurity risks. If the distributor becomes aware that the manufacturer has ceased operations and can no longer comply with the CRA, it must inform the relevant market surveillance authorities without undue delay and, to the extent possible, also inform the users of the products placed on the market. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 20(5)-(6) ## When does an importer or distributor become the manufacturer under the CRA? An importer or distributor becomes the manufacturer for CRA purposes if it: - places the product on the market under its own name or trademark, or - carries out a substantial modification of a product already placed on the market In that case it becomes subject to Articles 13 and 14 as manufacturer. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 21 - [The Blue Guide on the implementation of EU product rules 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 3.1, section 3.3, section 3.4 ## What if a company that is not the manufacturer, importer or distributor substantially modifies the product? A natural or legal person other than the manufacturer, importer or distributor that carries out a substantial modification and makes the product available on the market is also treated as the manufacturer. That person becomes subject to the CRA manufacturer obligations for the affected part of the product or, if the substantial modification affects the cybersecurity of the product as a whole, for the entire product. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 22 ## What traceability information must economic operators keep? On request, economic operators must provide the market surveillance authorities with the name and address of the operator who supplied them with the product and, where available, the operator to whom they supplied it. They must be able to present that information for 10 years after they were supplied with the product and for 10 years after they supplied it. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 23 ## Is a fulfilment service provider an economic operator under the CRA itself? Not as a named CRA operator category in Articles 18 to 23. But the Commission FAQ explains that, for CRA-covered products, a fulfilment service provider established in the Union can act as the Article 4 responsible operator under Regulation (EU) 2019/1020 where there is no Union manufacturer, importer or authorised representative. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 3(12), Articles 18-23 - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 4.6.1 ## Does running an online marketplace automatically make a business a distributor or another CRA economic operator? No. The CRA says that where an entity only provides online intermediation services for a given product and is merely a provider of an online marketplace, it does not qualify as one of the CRA economic operators for that product. But if the same entity also distributes that product, sells it under its own brand, or otherwise acts in an economic-operator role, it must comply with the obligations of that role. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - recital 78 ## Does hosting software on a repository or package manager automatically make the platform a distributor? No. The CRA says the sole act of hosting products with digital elements on open repositories, package managers or collaboration platforms does not by itself amount to making them available on the market. A provider of such a service is treated as a distributor only if it actually makes the software available on the Union market in the course of a commercial activity. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - recital 19 ## When do the CRA operator obligations for authorised representatives, importers and distributors start applying? As a rule, they apply from 11 December 2027. That is the CRA's general application date for the main economic-operator obligations in Chapter II. Earlier application dates in Article 71 concern other parts of the Regulation, such as notified bodies and reporting obligations, not the ordinary importer, distributor and authorised representative obligations as such. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Articles 18-23, Article 71(2) ## If a third-country manufacturer sells directly to an EU end user, must there still be an EU-based responsible operator? Yes. The CRA FAQ explains that a product with digital elements can be placed on the Union market only if there is an economic operator established in the Union performing the Article 4 tasks under Regulation (EU) 2019/1020. In direct third-country sales there may be no traditional importer in the usual commercial sense, but that does not remove the requirement. Depending on the setup, the role can be fulfilled by an authorised representative or, if none exists, a fulfilment service provider established in the Union. Sources for this answer: - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 4.6.1 - [The Blue Guide on the implementation of EU product rules 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.4 and section 3.6 ## Does a distributor have to keep its own 10-year copy of the declaration of conformity like an importer does? No, not as a general CRA retention duty. Under the CRA, the explicit long-term declaration-retention duty is imposed on manufacturers, authorised representatives within their mandate, and importers. Distributors must verify before making the product available that the required marking and documentation obligations have been met, and they must provide necessary information and documentation to authorities further to a reasoned request, but Article 20 does not impose the same express 10-year copy-retention duty on distributors that Article 19(6) imposes on importers. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(13), Article 18(3)(a), Article 19(6)-(7), Article 20(2) and Article 20(5) - [The Blue Guide on the implementation of EU product rules 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 3.4 and footnotes 143 and 149 ## Must importers and distributors redo the manufacturer's full CRA assessment themselves? No. Importers and distributors have real due-care and verification duties, but the CRA does not turn them into second manufacturers by default. Importers must check that the manufacturer has carried out the conformity assessment, drawn up the technical documentation, affixed the CE marking, and supplied the required declaration and Annex II information. Distributors must verify the marking and the listed documentation and traceability elements before making the product available. Those roles must react when they have reason to believe there is non-compliance, but they are not required by Articles 19 or 20 to repeat the manufacturer's risk assessment or conformity assessment from scratch. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 19(2)-(3), Article 20(1)-(3) - [The Blue Guide on the implementation of EU product rules 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 3.3, section 3.4 and footnote 143 ## Can an authorised representative become the importer if it actually supplies the product in the Union? Yes. The Blue Guide explains that an authorised representative of a third-country manufacturer is no longer acting merely as an authorised representative if it supplies the product to a distributor or directly to a consumer within the Union. In that case it becomes the importer and is subject to the importer's obligations. Sources for this answer: - [The Blue Guide on the implementation of EU product rules 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.5 ## Are distributors required to bring into CRA compliance products that were already placed on the market before 11 December 2027? No, unless they substantially modify them. The Commission FAQ says products with digital elements placed on the market before 11 December 2027 are not subject to the CRA requirements, apart from the earlier reporting obligation timing rules, unless they are substantially modified. A distributor is therefore not required to retrofit those pre-application products into CRA compliance merely because it continues making them available on or after 11 December 2027. Sources for this answer: - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 7.5 - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 71(2) ## Topic Guides - [Applicability Test | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/applicability-test.md): Use this CRA applicability test to confirm product scope, exclusions, remote data processing boundaries, operator role, product classification. - [Checklist | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/checklist.md): Use this Cyber Resilience Act checklist to assign owners, deadlines, evidence, and release gates for scope, Annex I controls, support period operations. - [Compliance Program | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/compliance.md): Build a CRA compliance program that covers product scope, governance, engineering controls, support period operations, Article 14 reporting. - [Conformity Assessment and CE Marking | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/conformity-assessment-and-ce-marking.md): Choose the right CRA conformity route, prepare the declaration of conformity, structure the technical file. - [CRA Blue Guide Concepts FAQ | Placing on the Market, Making Available, Distance Sales](/artifacts/eu/cyber-resilience-act/faq/blue-guide-concepts.md): CRA FAQ on Blue Guide concepts used in Cyber Resilience Act interpretation: placing on the market, making available, putting into service, online sales. - [CRA CE Marking FAQ | Meaning, Placement Rules, Software Labeling, Notified Bodies](/artifacts/eu/cyber-resilience-act/faq/ce-marking.md): CRA CE marking FAQ covering what the mark means, when it is mandatory, software and website placement rules, packaging fallback, notified body numbers. - [CRA Component Due Diligence FAQ | Third-Party Components, FOSS, SBOM, Vulnerabilities](/artifacts/eu/cyber-resilience-act/faq/component-due-diligence.md): CRA component due diligence FAQ covering third-party components, FOSS, CE-marked components, SBOM review, risk-based checks, upstream vulnerability reporting. - [CRA Conformity Assessment Routes FAQ | Module A, Module B+C, Module H, Critical and Important Products](/artifacts/eu/cyber-resilience-act/faq/conformity-assessment-routes.md): CRA FAQ on conformity assessment routes covering module A, module B+C, module H, important and critical products, harmonised standards, certification schemes. - [CRA Core Functionality FAQ | Important Products, Critical Products, Classification](/artifacts/eu/cyber-resilience-act/faq/core-functionality.md): CRA FAQ on core functionality covering classification of important and critical products, ancillary functions, integrated components. - [CRA Cybersecurity Risk Assessment FAQ | Article 13, Threat Modelling, Variants, Constraints](/artifacts/eu/cyber-resilience-act/faq/cybersecurity-risk-assessment.md): CRA FAQ on cybersecurity risk assessment covering Article 13, threat modelling, intended purpose, foreseeable misuse, external dependencies, documentation. - [CRA Declaration of Conformity FAQ | Full vs Simplified, Languages, Updates, Duties](/artifacts/eu/cyber-resilience-act/faq/declaration-of-conformity.md): CRA FAQ on the EU declaration of conformity covering full and simplified formats, required contents, languages, updates, single declarations across EU laws. - [CRA Essential Cybersecurity Requirements FAQ | Annex I Part I and Part II](/artifacts/eu/cyber-resilience-act/faq/essential-cybersecurity-requirements.md): CRA FAQ on the essential cybersecurity requirements covering Annex I Part I and Part II, applicability, evidence, interoperability constraints. - [CRA FAQ Hub | Blue Guide Concepts, CE Marking, Component Due Diligence](/artifacts/eu/cyber-resilience-act/faq.md): Browse the CRA FAQ hub for Blue Guide market-access concepts, CE marking, and component due diligence. - [CRA Hardware and Software Boundaries FAQ | Product Scope, Combined Products, Source Code](/artifacts/eu/cyber-resilience-act/faq/hardware-software-boundaries.md): CRA FAQ on hardware and software boundaries covering combined products, standalone software, source code, companion apps, remote data processing. - [CRA Harmonised Standards and Common Specifications FAQ | Presumption of Conformity, OJ Publication](/artifacts/eu/cyber-resilience-act/faq/harmonised-standards-and-common-specifications.md): CRA FAQ on harmonised standards, common specifications, and certification schemes covering presumption of conformity, Official Journal publication. - [CRA Important and Critical Products FAQ | Annex III, Annex IV, Core Functionality](/artifacts/eu/cyber-resilience-act/faq/important-and-critical-products.md): CRA FAQ on important and critical products covering Annex III and Annex IV classification, core functionality, conformity routes, FOSS rule limits. - [CRA Integrated Components and Dependencies FAQ | Due Diligence, RDPS, Third-Party Components](/artifacts/eu/cyber-resilience-act/faq/integrated-components-and-dependencies.md): CRA FAQ on integrated components and dependencies covering due diligence, third-party components, RDPS, cloud dependencies, upstream fixes, FOSS dependencies. - [CRA Interplay With Other EU Laws FAQ | RED, AI Act, GDPR, Data Act, EHDS, Machinery](/artifacts/eu/cyber-resilience-act/faq/interplay-with-other-eu-laws.md): CRA FAQ on interplay with other EU laws covering exclusions, overlap with RED, AI Act, GDPR, Data Act, EHDS, Machinery, GPSR, NIS2, aviation, marine. - [CRA Known Exploitable Vulnerabilities at Launch FAQ | Placement on the Market, CVEs, Late Discoveries](/artifacts/eu/cyber-resilience-act/faq/known-exploitable-vulnerabilities-at-launch.md): CRA FAQ on known exploitable vulnerabilities at launch covering the launch-time rule, exploitability, known vulnerabilities, CVEs, compensating controls. - [CRA Legacy Products FAQ | Pre-2027 Products, Reporting, Grandfathering, Substantial Modification](/artifacts/eu/cyber-resilience-act/faq/legacy-products.md): CRA FAQ on legacy products covering pre-11 December 2027 products, Article 14 reporting, continued sale, substantial modification, spare parts, old designs. - [CRA Manufacturer Obligations FAQ | Article 13 Duties, Support Period, Reporting, Documentation](/artifacts/eu/cyber-resilience-act/faq/manufacturer-obligations.md): CRA FAQ on manufacturer obligations covering Article 13 duties, risk assessment, support periods, vulnerability handling, reporting, documentation. - [CRA Market Surveillance and Enforcement FAQ | Authorities, Safeguards, Sweeps, Formal Non-Compliance](/artifacts/eu/cyber-resilience-act/faq/market-surveillance-and-enforcement.md): CRA FAQ on market surveillance and enforcement covering authorities, investigations, safeguard procedures, formal non-compliance, sweeps, joint activities. - [CRA Module A FAQ | Internal Control, Self-Assessment, Eligibility, Documentation](/artifacts/eu/cyber-resilience-act/faq/module-a.md): CRA FAQ on module A covering internal control, eligible products, class I limits, FOSS exception, technical documentation, testing, CE marking. - [CRA Module B+C FAQ | EU-Type Examination, Conformity to Type, Notified Bodies](/artifacts/eu/cyber-resilience-act/faq/module-b-c.md): CRA FAQ on module B+C covering EU-type examination, conformity to type, notified-body role, certificate changes, production control, CE marking. - [CRA Module H FAQ | Full Quality Assurance, Notified Body Surveillance, CE Marking](/artifacts/eu/cyber-resilience-act/faq/module-h.md): CRA FAQ on module H covering full quality assurance, quality-system approval, notified-body surveillance, scope changes, CE marking, language rules, records. - [CRA Notified Bodies FAQ | Notification, Scope, NANDO, Independence, Competence](/artifacts/eu/cyber-resilience-act/faq/notified-bodies.md): CRA FAQ on notified bodies covering notification, competence, independence, NANDO scope, accreditation, cross-border choice, subcontracting. - [CRA Open-Source Software FAQ | FOSS, Commercial Activity, Stewards, Donations, Paid Editions](/artifacts/eu/cyber-resilience-act/faq/open-source-software.md): CRA FAQ on open-source software covering FOSS qualification, commercial activity, donations, paid support, stewards, contributors, repositories. - [CRA Over-the-Air Updates FAQ | OTA, Automatic Updates, Secure Distribution, Offline Paths](/artifacts/eu/cyber-resilience-act/faq/over-the-air-updates.md): CRA FAQ on over-the-air updates covering OTA versus automatic updates, secure distribution, screenless products, gateways, offline update paths. - [CRA Penalties and Fines FAQ | Fine Tiers, Turnover Caps, SME Carve-Outs, Stewards](/artifacts/eu/cyber-resilience-act/faq/penalties-and-fines.md): CRA FAQ on penalties and fines covering Article 64 fine tiers, turnover caps, SME carve-outs, steward exemptions, cumulative fines, criminal sanctions. - [CRA Product Families FAQ | Variants, Shared Assessments, Family Reuse, Conformity Scope](/artifacts/eu/cyber-resilience-act/faq/product-families.md): CRA FAQ on product families covering shared risk assessments, family-wide documentation reuse, cybersecurity-relevant variant differences. - [CRA Remote Data Processing Solutions FAQ | RDPS Scope, Cloud Services, SaaS Boundaries, Documentation](/artifacts/eu/cyber-resilience-act/faq/remote-data-processing-solutions.md): CRA FAQ on remote data processing solutions covering Article 3(2) RDPS tests, cloud-service boundaries, websites and portals, third-party SaaS, backend scope. - [CRA Repairs and Spare Parts FAQ | Repairs, Refurbishment, Spare-Part Exemption, Compatibility](/artifacts/eu/cyber-resilience-act/faq/repairs-and-spare-parts.md): CRA FAQ on repairs and spare parts covering substantial modification, Article 2(6) identical spare parts, non-identical replacements. - [CRA Reporting Obligations FAQ | Article 14 Deadlines, CSIRT Filing, User Notices, Legacy Products](/artifacts/eu/cyber-resilience-act/faq/reporting-obligations.md): CRA FAQ on reporting obligations covering Article 14 deadlines, actively exploited vulnerabilities, severe incidents, CSIRT routing, user notifications. - [CRA Scope FAQ | Products with Digital Elements, Connections, Software, Exclusions](/artifacts/eu/cyber-resilience-act/faq/scope-and-products-with-digital-elements.md): CRA FAQ on scope and products with digital elements covering software, firmware, components, direct and indirect connections, offline products, exclusions. - [CRA Secure-by-Default FAQ | Default Configuration, Auto Updates, Tailor-Made Limits](/artifacts/eu/cyber-resilience-act/faq/secure-by-default.md): CRA FAQ on secure by default covering Annex I default configuration, automatic security updates, opt-outs, components, inapplicability. - [CRA Security Updates vs Functionality Updates FAQ | Separation, Free Updates, Article 13(10)](/artifacts/eu/cyber-resilience-act/faq/security-updates-vs-functionality-updates.md): CRA FAQ on security updates versus functionality updates covering separation where technically feasible, free security updates, automatic updates. - [CRA Substantial Modification FAQ | Post-Market Changes, New Manufacturer, Legacy Products](/artifacts/eu/cyber-resilience-act/faq/substantial-modification.md): CRA FAQ on substantial modification covering Article 3(30), software updates, repairs, new manufacturer status, conformity reassessment. - [CRA Support Period FAQ | Placement on the Market, Unit-Level Timing, Update Availability](/artifacts/eu/cyber-resilience-act/faq/support-period.md): CRA FAQ on support periods covering Article 13(8), placement on the market timing, unit-level support periods, standalone software, update availability. - [CRA Tailor-Made Products FAQ | Business-User Exception, Paid Updates, Evidence](/artifacts/eu/cyber-resilience-act/faq/tailor-made-products.md): CRA FAQ on tailor-made products covering the narrow business-user carve-out, secure-by-default and paid-update deviations, required evidence. - [CRA Technical Documentation FAQ | Annex VII, Languages, Authority Access, Updates](/artifacts/eu/cyber-resilience-act/faq/technical-documentation.md): CRA FAQ on technical documentation covering Annex VII content, timing, languages, versioning, authority access, reused documentation, simplified formats. - [CRA Transition Period FAQ | Key Dates, Legacy Products, Pre-CRA Stock, RED Interplay](/artifacts/eu/cyber-resilience-act/faq/transition-period.md): CRA FAQ on the transition period covering entry into force, phased application dates, legacy products, stock and customs timing, standalone software. - [CRA Update Availability and Archives FAQ | Article 13(9), Archives, Historical Versions](/artifacts/eu/cyber-resilience-act/faq/update-availability-and-archives.md): CRA FAQ on update availability and software archives covering Article 13(9), Article 13(10), Article 13(11), retention of issued security updates. - [CRA User Information and Transparency FAQ | Annex II, Support Disclosure, User Notices](/artifacts/eu/cyber-resilience-act/faq/user-information-and-transparency.md): CRA FAQ on user information and transparency covering Annex II instructions, support-period disclosure, end-of-support notices, vulnerability notices. - [CRA vs RED Cybersecurity Delegated Act | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/cra-vs-red-cybersecurity-delegated-act.md): Compare the Cyber Resilience Act with the RED cybersecurity delegated act so you can decide which products fall under which rule, what dates apply. - [CRA vs UK PSTI Act | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/cra-vs-uk-psti-act.md): Compare the EU Cyber Resilience Act with the UK PSTI product security regime so your team can plan dual market compliance without mixing two different rule. - [CRA Vulnerability Handling FAQ | Lifecycle Duties, Components, Disclosure, Fix Sharing](/artifacts/eu/cyber-resilience-act/faq/vulnerability-handling.md): CRA FAQ on vulnerability handling covering Annex I Part II duties, component vulnerabilities, upstream reporting and fix sharing. - [Deadlines and Compliance Calendar | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/deadlines-and-compliance-calendar.md): Track the CRA entry into force date, the notified body date, the reporting start date, and the main application date. - [Essential Cybersecurity Requirements | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/essential-cybersecurity-requirements.md): Understand the CRA essential cybersecurity requirements in Annex I. - [Penalties and Fines | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/penalties-and-fines.md): Understand the CRA administrative fine tiers in Article 64, the conduct that attracts the highest penalties, and the evidence that reduces enforcement exposure. - [Products with Digital Elements Scope | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/products-with-digital-elements-scope.md): Understand what counts as a product with digital elements under the CRA, how remote data processing fits, and where the scope boundary usually causes mistakes. - [Reporting Obligations | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/reporting-obligations.md): Prepare for CRA Article 14 reporting, including the twenty four hour early warning, the seventy two hour notification, final reports, CSIRT routing. - [Requirements | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/requirements.md): Review the full CRA requirement set, including manufacturer duties, operator duties, support period rules, user information, corrective action, reporting. - [SBOM and Vulnerability Management Template | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/sbom-and-vulnerability-management-template.md): Use this CRA SBOM and vulnerability management template to structure dependency records, triage, remediation, advisory publication, and support period evidence. - [Technical Documentation and Audit File | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/technical-documentation-and-audit-file.md): Build a CRA technical documentation file that covers product definition, risk assessment, support period, Annex I mapping, standards use, test evidence. - [Vulnerability Handling and Disclosure | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/vulnerability-handling-and-disclosure.md): Build a CRA vulnerability handling system that covers SBOM, intake, triage, remediation, coordinated vulnerability disclosure, secure updates. *Recommended next step* *Placement: after key answers* ## Use EU Cyber Resilience Act FAQ Economic Operators as a cited research workflow Research Copilot can turn EU Cyber Resilience Act FAQ Economic Operators into a reusable cited workflow for teams implementing EU Cyber Resilience Act FAQ. - [Open Research Copilot](/solutions/research-copilot.md): Start from EU Cyber Resilience Act FAQ Economic Operators and move to source-backed decisions and evidence workflows. - [Talk through your EU Cyber Resilience Act FAQ implementation](/contact.md): Review evidence gaps, ownership, and next steps for EU Cyber Resilience Act FAQ. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/cyber-resilience-act/faq/economic-operators