--- title: "CRA Legacy Products FAQ" canonical_url: "https://www.sorena.io/artifacts/eu/cyber-resilience-act/faq/legacy-products" source_url: "https://www.sorena.io/artifacts/eu/cyber-resilience-act/faq/legacy-products" author: "Sorena AI" description: "CRA FAQ on legacy products covering pre-11 December 2027 products, Article 14 reporting, continued sale, substantial modification, spare parts, old designs." published_at: "2026-03-10" updated_at: "2026-03-10" keywords: - "CRA legacy products FAQ" - "CRA pre-2027 products" - "CRA grandfathering" - "CRA Article 14 legacy reporting" - "CRA substantial modification legacy products" - "CRA legacy firmware" - "Cyber Resilience Act" - "CRA FAQ" - "EU compliance" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # CRA Legacy Products FAQ CRA FAQ on legacy products covering pre-11 December 2027 products, Article 14 reporting, continued sale, substantial modification, spare parts, old designs. *FAQ* *EU* *Cyber Resilience Act* ## EU Cyber Resilience Act FAQ Legacy Products Use this CRA FAQ to understand what happens to products placed on the market before 11 December 2027, what reporting obligations still apply, and when legacy products are brought into the full CRA regime. Built for legal, product, support, compliance, and lifecycle-management teams handling pre-CRA products. The CRA does not generally apply in full to products already placed on the market before 11 December 2027, but it does create important exceptions and limits. This FAQ focuses on grandfathering, Article 14 reporting for older products, substantial modification triggers, and how legacy hardware, spare parts, and separately marketed firmware or software should be treated. ## Does the CRA apply in full to products placed on the market before 11 December 2027? No. Article 69(2) says products with digital elements placed on the market before 11 December 2027 are subject to the CRA requirements only if, from that date, they are subject to a substantial modification. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 69(2) - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 1.4 ## Is there any CRA obligation that still applies to pre-11 December 2027 products even if they are not substantially modified? Yes. Article 69(3) creates a specific derogation for reporting. It says Article 14 applies to all in-scope products that were placed on the market before 11 December 2027, and Article 71(2) says Article 14 starts to apply on 11 September 2026. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 69(3); Article 71(2) - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 5.3 ## If a product was already placed on the market before 11 December 2027, can it continue to be sold or otherwise made available after that date? Yes. The Commission FAQ explains that individual products placed on the market before 11 December 2027 do not need to be brought into CRA conformity simply because they remain in the distribution chain after that date. Sources for this answer: - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 1.4, 7.2 and 7.5 - [Blue Guide 2022](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52022XC0629%2804%29&ref=sorena.io) - sections 2.2 and 2.3 ## Do products have to reach the final user before 11 December 2027 in order to count as legacy products? No. The Commission FAQ gives a direct example: units already placed on the market before 11 December 2027 do not need to be brought into CRA compliance even if they have not yet reached the final user. The legal question is whether the individual product was placed on the market, not whether it was already sold to the final customer or put into service. Sources for this answer: - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 7.2 - [Blue Guide 2022](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52022XC0629%2804%29&ref=sorena.io) - sections 2.3 and 2.6 ## If a manufacturer designed a product type before the CRA applies, can it keep placing newly manufactured units of that type on the market after 11 December 2027? No, not unless those newly placed units comply with the CRA. The Commission FAQ stresses that Union harmonisation legislation, including the CRA, applies to individual products, not to abstract product types or models. So a product is not grandfathered just because an earlier unit of the same type was placed on the market before 11 December 2027. Sources for this answer: - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 6.4 and 7.2 - [Blue Guide 2022](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52022XC0629%2804%29&ref=sorena.io) - sections 2.2 and 2.3 ## What happens if a pre-11 December 2027 product is substantially modified after that date? Then the CRA starts to apply to that product. Article 69(2) makes substantial modification the trigger. The CRA definition in Article 3(30) covers changes made after placing on the market that affect compliance with the essential cybersecurity requirements in Annex I Part I or change the intended purpose for which the product was assessed. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 69(2); Article 3(30); recital 41 - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 1.4 ## If a legacy product receives a bug-fix or security update after 11 December 2027, does that automatically bring the product into the CRA? No. The Commission FAQ gives a direct example: a smart TV placed on the market before 11 December 2027 does not become subject to full CRA requirements merely because it receives a later bug-fix update. Recital 39 of the CRA also says that a security update designed to decrease cybersecurity risk, without modifying intended purpose, is not considered a substantial modification. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - recital 39; Article 3(30); Article 69(2) - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 1.4 ## What is an example of a post-2027 change that would bring a legacy product into the CRA? The Commission FAQ gives an example where a smart TV placed on the market before 11 December 2027 later receives an update enabling smart-home control. The FAQ treats that as a substantial modification. That result is consistent with recital 39, which says feature updates that modify original intended functions or the type or performance of the product and increase cybersecurity risk should be treated as substantial modifications. Sources for this answer: - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 1.4 - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - recital 39; Article 3(30) ## Do maintenance, repair, or refurbishment of legacy products automatically count as substantial modifications under the CRA? No. Recital 42 says refurbishment, maintenance, and repair do not necessarily lead to a substantial modification. That will depend on whether the intended purpose and functionalities change and whether the level of risk remains unaffected. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - recital 42 ## If a legacy product becomes substantially modified, who is treated as the manufacturer of the modified product? The person who carries out the substantial modification and makes the product available on the market is treated as the manufacturer for CRA purposes. That can be the original manufacturer, but it can also be an importer, distributor, or another natural or legal person. Article 21 covers importers and distributors, and Article 22 covers other persons that substantially modify products and make them available on the market. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 21; Article 22(1) ## If a legacy product is substantially modified, does the CRA apply only to the changed feature or to the product more broadly? That depends on the impact of the modification. Article 22(2) says the person carrying out the substantial modification is subject to Articles 13 and 14 for the part of the product affected by the substantial modification or, if the substantial modification has an impact on the cybersecurity of the product as a whole, for the entire product. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 22(2) ## If a distributor is selling pre-11 December 2027 stock after the CRA applies, does the distributor have to bring that stock into compliance? No, not on that basis alone. The Commission FAQ says distributors are not required to bring into compliance products that were already placed on the market before 11 December 2027, unless they themselves carry out a substantial modification. Sources for this answer: - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 7.5 - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 21; Article 69(2) ## Do identical spare parts for legacy products fall outside the CRA? Often yes. Article 2(6) excludes spare parts made available on the market to replace identical components in products with digital elements where the spare parts are manufactured according to the same specifications as the components they are intended to replace. Recital 29 adds that this exemption is meant to cover spare parts used to repair legacy products made available before the CRA's date of application. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 2(6); recital 29 ## If the replacement part is not identical, is it automatically a substantial modification of the old product? Not automatically. Inference from the CRA text: Article 2(6) only answers whether the identical spare-parts exemption applies. Whether installing a non-identical replacement part becomes a substantial modification is a separate question that still turns on Article 3(30), meaning whether the change affects Annex I Part I compliance or changes the intended purpose for which the product was assessed. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 2(6); Article 3(30); recital 42 ## For CRA legacy products placed on the market before 11 December 2027, when do the reporting obligations start in practice? They start on 11 September 2026. That is the date Article 14 begins to apply under Article 71(2). The Commission FAQ confirms that, from that date, Article 14 applies even to in-scope products that had been placed on the market before 11 December 2027. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 69(3); Article 71(2) - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 5.3 and 7.1 ## For those legacy products, do the early reporting rules mean the manufacturer must also bring the whole product into full CRA conformity? No. The Commission FAQ says that, for products placed on the market before 11 December 2027, manufacturers are required to comply with the Article 14 reporting obligations, but those products are not otherwise brought into the full CRA regime unless they are substantially modified. Article 69(3) is a derogation specifically for Article 14. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 69(2)-(3) - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 1.4 and 5.3 ## If units were already manufactured before 11 December 2027 but were not first placed on the market until after that date, are they legacy products? No. The Commission FAQ says Union harmonisation legislation, including the CRA, applies to individual products, not abstract product types. It also says only individual products that have been placed on the market before 11 December 2027 escape the full CRA regime. So manufacturing, warehousing, or holding stock before that date is not enough by itself if the unit is first placed on the market on or after 11 December 2027. Sources for this answer: - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 7.2 - [Blue Guide 2022](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52022XC0629%2804%29&ref=sorena.io) - sections 2.2 and 2.3 ## If a legacy-era product was designed before the CRA applies but is first placed on the market after 11 December 2027, does the manufacturer have to recreate historical design and test files? No, not necessarily. The draft guidance says a product designed before the CRA's date of application can still be placed on the market after the CRA starts applying, provided the manufacturer can demonstrate current compliance through the cybersecurity risk assessment and technical documentation. Where it is not possible to show how the original design phase took the risk assessment into account, the manufacturer may document a current risk assessment and explain how the existing design mitigates the identified risks. The guidance expressly says the manufacturer is not required to recreate historical design or test documentation just for that purpose. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(2)-(4), Article 13(12), Annex VII - [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - section 2.6, points 34-36 ## For legacy products covered only by the Article 14 derogation, when does the reporting obligation arise in time? It applies from 11 September 2026 and, according to the Commission FAQ, upon becoming aware following that date. Article 71(2) brings Article 14 into application on 11 September 2026. The Commission FAQ then says that, for pre-11 December 2027 products, the obligation to notify applies upon becoming aware following the entry into application of the reporting requirements. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 69(3), Article 71(2) - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 5.3 ## If a legacy product is old enough that the manufacturer can no longer realistically investigate or patch it, what still has to be done under the CRA? The Commission FAQ still expects notification under Article 14 and user information where applicable, but not the full vulnerability-handling regime solely because of Article 69(3). The FAQ gives examples such as missing tooling, unavailable build environments, incompatible dependencies, or departed staff. In that situation, for products placed on the market before 11 December 2027, the manufacturer is still required to notify the vulnerability or incident and Article 14(8) may still require informing impacted users. But the FAQ also says those products are not required, on that basis alone, to comply with other CRA obligations such as vulnerability handling. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 14, Article 69(3), Article 71(2) - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 5.3 ## If legacy hardware remains outside full CRA application, can its firmware or software still fall under the CRA when placed on the market separately? Yes. The Commission FAQ's legacy-product example includes an explicit note that firmware referred to in those examples may still fall in scope when placed on the market separately. That reflects the CRA's product-by-product approach: a legacy hardware unit can stay outside the full CRA regime unless substantially modified, while separately marketed software or firmware may still be assessed on its own placement on the market. Sources for this answer: - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 1.4 and footnote 1 - [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - section 2.1, points 10-14 ## Topic Guides - [Applicability Test | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/applicability-test.md): Use this CRA applicability test to confirm product scope, exclusions, remote data processing boundaries, operator role, product classification. - [Checklist | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/checklist.md): Use this Cyber Resilience Act checklist to assign owners, deadlines, evidence, and release gates for scope, Annex I controls, support period operations. - [Compliance Program | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/compliance.md): Build a CRA compliance program that covers product scope, governance, engineering controls, support period operations, Article 14 reporting. - [Conformity Assessment and CE Marking | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/conformity-assessment-and-ce-marking.md): Choose the right CRA conformity route, prepare the declaration of conformity, structure the technical file. - [CRA Blue Guide Concepts FAQ | Placing on the Market, Making Available, Distance Sales](/artifacts/eu/cyber-resilience-act/faq/blue-guide-concepts.md): CRA FAQ on Blue Guide concepts used in Cyber Resilience Act interpretation: placing on the market, making available, putting into service, online sales. - [CRA CE Marking FAQ | Meaning, Placement Rules, Software Labeling, Notified Bodies](/artifacts/eu/cyber-resilience-act/faq/ce-marking.md): CRA CE marking FAQ covering what the mark means, when it is mandatory, software and website placement rules, packaging fallback, notified body numbers. - [CRA Component Due Diligence FAQ | Third-Party Components, FOSS, SBOM, Vulnerabilities](/artifacts/eu/cyber-resilience-act/faq/component-due-diligence.md): CRA component due diligence FAQ covering third-party components, FOSS, CE-marked components, SBOM review, risk-based checks, upstream vulnerability reporting. - [CRA Conformity Assessment Routes FAQ | Module A, Module B+C, Module H, Critical and Important Products](/artifacts/eu/cyber-resilience-act/faq/conformity-assessment-routes.md): CRA FAQ on conformity assessment routes covering module A, module B+C, module H, important and critical products, harmonised standards, certification schemes. - [CRA Core Functionality FAQ | Important Products, Critical Products, Classification](/artifacts/eu/cyber-resilience-act/faq/core-functionality.md): CRA FAQ on core functionality covering classification of important and critical products, ancillary functions, integrated components. - [CRA Cybersecurity Risk Assessment FAQ | Article 13, Threat Modelling, Variants, Constraints](/artifacts/eu/cyber-resilience-act/faq/cybersecurity-risk-assessment.md): CRA FAQ on cybersecurity risk assessment covering Article 13, threat modelling, intended purpose, foreseeable misuse, external dependencies, documentation. - [CRA Declaration of Conformity FAQ | Full vs Simplified, Languages, Updates, Duties](/artifacts/eu/cyber-resilience-act/faq/declaration-of-conformity.md): CRA FAQ on the EU declaration of conformity covering full and simplified formats, required contents, languages, updates, single declarations across EU laws. - [CRA Economic Operators FAQ | Manufacturers, Importers, Distributors, Authorised Representatives](/artifacts/eu/cyber-resilience-act/faq/economic-operators.md): CRA FAQ on economic operators covering manufacturer, authorised representative, importer, distributor, responsible operator rules, checks, traceability. - [CRA Essential Cybersecurity Requirements FAQ | Annex I Part I and Part II](/artifacts/eu/cyber-resilience-act/faq/essential-cybersecurity-requirements.md): CRA FAQ on the essential cybersecurity requirements covering Annex I Part I and Part II, applicability, evidence, interoperability constraints. - [CRA FAQ Hub | Blue Guide Concepts, CE Marking, Component Due Diligence](/artifacts/eu/cyber-resilience-act/faq.md): Browse the CRA FAQ hub for Blue Guide market-access concepts, CE marking, and component due diligence. - [CRA Hardware and Software Boundaries FAQ | Product Scope, Combined Products, Source Code](/artifacts/eu/cyber-resilience-act/faq/hardware-software-boundaries.md): CRA FAQ on hardware and software boundaries covering combined products, standalone software, source code, companion apps, remote data processing. - [CRA Harmonised Standards and Common Specifications FAQ | Presumption of Conformity, OJ Publication](/artifacts/eu/cyber-resilience-act/faq/harmonised-standards-and-common-specifications.md): CRA FAQ on harmonised standards, common specifications, and certification schemes covering presumption of conformity, Official Journal publication. - [CRA Important and Critical Products FAQ | Annex III, Annex IV, Core Functionality](/artifacts/eu/cyber-resilience-act/faq/important-and-critical-products.md): CRA FAQ on important and critical products covering Annex III and Annex IV classification, core functionality, conformity routes, FOSS rule limits. - [CRA Integrated Components and Dependencies FAQ | Due Diligence, RDPS, Third-Party Components](/artifacts/eu/cyber-resilience-act/faq/integrated-components-and-dependencies.md): CRA FAQ on integrated components and dependencies covering due diligence, third-party components, RDPS, cloud dependencies, upstream fixes, FOSS dependencies. - [CRA Interplay With Other EU Laws FAQ | RED, AI Act, GDPR, Data Act, EHDS, Machinery](/artifacts/eu/cyber-resilience-act/faq/interplay-with-other-eu-laws.md): CRA FAQ on interplay with other EU laws covering exclusions, overlap with RED, AI Act, GDPR, Data Act, EHDS, Machinery, GPSR, NIS2, aviation, marine. - [CRA Known Exploitable Vulnerabilities at Launch FAQ | Placement on the Market, CVEs, Late Discoveries](/artifacts/eu/cyber-resilience-act/faq/known-exploitable-vulnerabilities-at-launch.md): CRA FAQ on known exploitable vulnerabilities at launch covering the launch-time rule, exploitability, known vulnerabilities, CVEs, compensating controls. - [CRA Manufacturer Obligations FAQ | Article 13 Duties, Support Period, Reporting, Documentation](/artifacts/eu/cyber-resilience-act/faq/manufacturer-obligations.md): CRA FAQ on manufacturer obligations covering Article 13 duties, risk assessment, support periods, vulnerability handling, reporting, documentation. - [CRA Market Surveillance and Enforcement FAQ | Authorities, Safeguards, Sweeps, Formal Non-Compliance](/artifacts/eu/cyber-resilience-act/faq/market-surveillance-and-enforcement.md): CRA FAQ on market surveillance and enforcement covering authorities, investigations, safeguard procedures, formal non-compliance, sweeps, joint activities. - [CRA Module A FAQ | Internal Control, Self-Assessment, Eligibility, Documentation](/artifacts/eu/cyber-resilience-act/faq/module-a.md): CRA FAQ on module A covering internal control, eligible products, class I limits, FOSS exception, technical documentation, testing, CE marking. - [CRA Module B+C FAQ | EU-Type Examination, Conformity to Type, Notified Bodies](/artifacts/eu/cyber-resilience-act/faq/module-b-c.md): CRA FAQ on module B+C covering EU-type examination, conformity to type, notified-body role, certificate changes, production control, CE marking. - [CRA Module H FAQ | Full Quality Assurance, Notified Body Surveillance, CE Marking](/artifacts/eu/cyber-resilience-act/faq/module-h.md): CRA FAQ on module H covering full quality assurance, quality-system approval, notified-body surveillance, scope changes, CE marking, language rules, records. - [CRA Notified Bodies FAQ | Notification, Scope, NANDO, Independence, Competence](/artifacts/eu/cyber-resilience-act/faq/notified-bodies.md): CRA FAQ on notified bodies covering notification, competence, independence, NANDO scope, accreditation, cross-border choice, subcontracting. - [CRA Open-Source Software FAQ | FOSS, Commercial Activity, Stewards, Donations, Paid Editions](/artifacts/eu/cyber-resilience-act/faq/open-source-software.md): CRA FAQ on open-source software covering FOSS qualification, commercial activity, donations, paid support, stewards, contributors, repositories. - [CRA Over-the-Air Updates FAQ | OTA, Automatic Updates, Secure Distribution, Offline Paths](/artifacts/eu/cyber-resilience-act/faq/over-the-air-updates.md): CRA FAQ on over-the-air updates covering OTA versus automatic updates, secure distribution, screenless products, gateways, offline update paths. - [CRA Penalties and Fines FAQ | Fine Tiers, Turnover Caps, SME Carve-Outs, Stewards](/artifacts/eu/cyber-resilience-act/faq/penalties-and-fines.md): CRA FAQ on penalties and fines covering Article 64 fine tiers, turnover caps, SME carve-outs, steward exemptions, cumulative fines, criminal sanctions. - [CRA Product Families FAQ | Variants, Shared Assessments, Family Reuse, Conformity Scope](/artifacts/eu/cyber-resilience-act/faq/product-families.md): CRA FAQ on product families covering shared risk assessments, family-wide documentation reuse, cybersecurity-relevant variant differences. - [CRA Remote Data Processing Solutions FAQ | RDPS Scope, Cloud Services, SaaS Boundaries, Documentation](/artifacts/eu/cyber-resilience-act/faq/remote-data-processing-solutions.md): CRA FAQ on remote data processing solutions covering Article 3(2) RDPS tests, cloud-service boundaries, websites and portals, third-party SaaS, backend scope. - [CRA Repairs and Spare Parts FAQ | Repairs, Refurbishment, Spare-Part Exemption, Compatibility](/artifacts/eu/cyber-resilience-act/faq/repairs-and-spare-parts.md): CRA FAQ on repairs and spare parts covering substantial modification, Article 2(6) identical spare parts, non-identical replacements. - [CRA Reporting Obligations FAQ | Article 14 Deadlines, CSIRT Filing, User Notices, Legacy Products](/artifacts/eu/cyber-resilience-act/faq/reporting-obligations.md): CRA FAQ on reporting obligations covering Article 14 deadlines, actively exploited vulnerabilities, severe incidents, CSIRT routing, user notifications. - [CRA Scope FAQ | Products with Digital Elements, Connections, Software, Exclusions](/artifacts/eu/cyber-resilience-act/faq/scope-and-products-with-digital-elements.md): CRA FAQ on scope and products with digital elements covering software, firmware, components, direct and indirect connections, offline products, exclusions. - [CRA Secure-by-Default FAQ | Default Configuration, Auto Updates, Tailor-Made Limits](/artifacts/eu/cyber-resilience-act/faq/secure-by-default.md): CRA FAQ on secure by default covering Annex I default configuration, automatic security updates, opt-outs, components, inapplicability. - [CRA Security Updates vs Functionality Updates FAQ | Separation, Free Updates, Article 13(10)](/artifacts/eu/cyber-resilience-act/faq/security-updates-vs-functionality-updates.md): CRA FAQ on security updates versus functionality updates covering separation where technically feasible, free security updates, automatic updates. - [CRA Substantial Modification FAQ | Post-Market Changes, New Manufacturer, Legacy Products](/artifacts/eu/cyber-resilience-act/faq/substantial-modification.md): CRA FAQ on substantial modification covering Article 3(30), software updates, repairs, new manufacturer status, conformity reassessment. - [CRA Support Period FAQ | Placement on the Market, Unit-Level Timing, Update Availability](/artifacts/eu/cyber-resilience-act/faq/support-period.md): CRA FAQ on support periods covering Article 13(8), placement on the market timing, unit-level support periods, standalone software, update availability. - [CRA Tailor-Made Products FAQ | Business-User Exception, Paid Updates, Evidence](/artifacts/eu/cyber-resilience-act/faq/tailor-made-products.md): CRA FAQ on tailor-made products covering the narrow business-user carve-out, secure-by-default and paid-update deviations, required evidence. - [CRA Technical Documentation FAQ | Annex VII, Languages, Authority Access, Updates](/artifacts/eu/cyber-resilience-act/faq/technical-documentation.md): CRA FAQ on technical documentation covering Annex VII content, timing, languages, versioning, authority access, reused documentation, simplified formats. - [CRA Transition Period FAQ | Key Dates, Legacy Products, Pre-CRA Stock, RED Interplay](/artifacts/eu/cyber-resilience-act/faq/transition-period.md): CRA FAQ on the transition period covering entry into force, phased application dates, legacy products, stock and customs timing, standalone software. - [CRA Update Availability and Archives FAQ | Article 13(9), Archives, Historical Versions](/artifacts/eu/cyber-resilience-act/faq/update-availability-and-archives.md): CRA FAQ on update availability and software archives covering Article 13(9), Article 13(10), Article 13(11), retention of issued security updates. - [CRA User Information and Transparency FAQ | Annex II, Support Disclosure, User Notices](/artifacts/eu/cyber-resilience-act/faq/user-information-and-transparency.md): CRA FAQ on user information and transparency covering Annex II instructions, support-period disclosure, end-of-support notices, vulnerability notices. - [CRA vs RED Cybersecurity Delegated Act | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/cra-vs-red-cybersecurity-delegated-act.md): Compare the Cyber Resilience Act with the RED cybersecurity delegated act so you can decide which products fall under which rule, what dates apply. - [CRA vs UK PSTI Act | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/cra-vs-uk-psti-act.md): Compare the EU Cyber Resilience Act with the UK PSTI product security regime so your team can plan dual market compliance without mixing two different rule. - [CRA Vulnerability Handling FAQ | Lifecycle Duties, Components, Disclosure, Fix Sharing](/artifacts/eu/cyber-resilience-act/faq/vulnerability-handling.md): CRA FAQ on vulnerability handling covering Annex I Part II duties, component vulnerabilities, upstream reporting and fix sharing. - [Deadlines and Compliance Calendar | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/deadlines-and-compliance-calendar.md): Track the CRA entry into force date, the notified body date, the reporting start date, and the main application date. - [Essential Cybersecurity Requirements | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/essential-cybersecurity-requirements.md): Understand the CRA essential cybersecurity requirements in Annex I. - [Penalties and Fines | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/penalties-and-fines.md): Understand the CRA administrative fine tiers in Article 64, the conduct that attracts the highest penalties, and the evidence that reduces enforcement exposure. - [Products with Digital Elements Scope | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/products-with-digital-elements-scope.md): Understand what counts as a product with digital elements under the CRA, how remote data processing fits, and where the scope boundary usually causes mistakes. - [Reporting Obligations | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/reporting-obligations.md): Prepare for CRA Article 14 reporting, including the twenty four hour early warning, the seventy two hour notification, final reports, CSIRT routing. - [Requirements | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/requirements.md): Review the full CRA requirement set, including manufacturer duties, operator duties, support period rules, user information, corrective action, reporting. - [SBOM and Vulnerability Management Template | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/sbom-and-vulnerability-management-template.md): Use this CRA SBOM and vulnerability management template to structure dependency records, triage, remediation, advisory publication, and support period evidence. - [Technical Documentation and Audit File | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/technical-documentation-and-audit-file.md): Build a CRA technical documentation file that covers product definition, risk assessment, support period, Annex I mapping, standards use, test evidence. - [Vulnerability Handling and Disclosure | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/vulnerability-handling-and-disclosure.md): Build a CRA vulnerability handling system that covers SBOM, intake, triage, remediation, coordinated vulnerability disclosure, secure updates. *Recommended next step* *Placement: after key answers* ## Use EU Cyber Resilience Act FAQ Legacy Products as a cited research workflow Research Copilot can turn EU Cyber Resilience Act FAQ Legacy Products into a reusable cited workflow for teams implementing EU Cyber Resilience Act FAQ. - [Open Research Copilot](/solutions/research-copilot.md): Start from EU Cyber Resilience Act FAQ Legacy Products and move to source-backed decisions and evidence workflows. - [Talk through your EU Cyber Resilience Act FAQ implementation](/contact.md): Review evidence gaps, ownership, and next steps for EU Cyber Resilience Act FAQ. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/cyber-resilience-act/faq/legacy-products