--- title: "CRA Support Period FAQ" canonical_url: "https://www.sorena.io/artifacts/eu/cyber-resilience-act/faq/support-period" source_url: "https://www.sorena.io/artifacts/eu/cyber-resilience-act/faq/support-period" author: "Sorena AI" description: "CRA FAQ on support periods covering Article 13(8), placement on the market timing, unit-level support periods, standalone software, update availability." published_at: "2026-03-10" updated_at: "2026-03-10" keywords: - "CRA support period FAQ" - "CRA Article 13(8)" - "CRA placing on the market support period" - "CRA standalone software support period" - "CRA update availability Article 13(9)" - "CRA support period legacy products" - "Cyber Resilience Act" - "CRA FAQ" - "EU compliance" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # CRA Support Period FAQ CRA FAQ on support periods covering Article 13(8), placement on the market timing, unit-level support periods, standalone software, update availability. *FAQ* *EU* *Cyber Resilience Act* ## EU Cyber Resilience Act FAQ Support Period Use this CRA FAQ to understand how support periods are set, when they start, how they work for hardware and standalone software, and how they differ from update-retention and documentation-retention duties. Built for product, legal, engineering, and compliance teams setting support-period policies and placement-on-the-market rules under the CRA. The CRA support period is a vulnerability-handling obligation tied to placing a product on the market, not simply a warranty or manufacturing date. This FAQ explains how Article 13(8) works, how support periods are set for physical products and standalone software, how later placements and substantial modifications affect timing, and how support periods interact with update availability, documentation retention, and legacy products. ## What is the CRA support period? The CRA defines the support period as the period during which the manufacturer must ensure that vulnerabilities of a product with digital elements are handled effectively and in line with Annex I, Part II. This obligation applies to the product in its entirety, including integrated components. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 3(20), Article 13(8), recital 34 ## Is the support period always five years? No. Five years is the minimum in normal cases, not the automatic answer for every product. The CRA says the support period must be at least five years unless the product is expected to be in use for less than five years. If the product is reasonably expected to remain in use for longer than five years, the support period should be longer. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(8), recital 60 - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 4.5.2 - [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - points 114-115 ## What factors must a manufacturer consider when setting the support period? The CRA requires manufacturers to consider: - reasonable user expectations - the nature of the product, including its intended purpose - relevant Union law determining the product's lifetime The CRA also allows manufacturers to take into account: - support periods of similar products - availability of the operating environment - support periods of third-party integrated components that provide core functions - guidance from ADCO and the Commission These factors must be applied proportionately. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(8) - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 4.5.1 - [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - point 114 ## Does the CRA itself expressly say when the support period starts? Not in one sentence using the words "the support period starts on X date". But the combined reading of the CRA, the Commission FAQ, the draft guidance, and the Blue Guide points to placing on the market as the operative starting point. Why: - Article 13(8) requires vulnerability handling when placing the product on the market and for the support period. - Article 13(19) requires the end date to be disclosed at the time of purchase. - The Commission FAQ gives a hardware example counting from units placed on the market in January 2028 to January 2033. - The draft guidance gives an example of eight years from the date of placement on the market. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(8), Article 13(19) - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 4.5.3 - [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - Example 46 ## Is the support period tied to a product type or to each individual unit? For physical products, it is tied to each individual product, not to the abstract model or type. The Blue Guide says placing on the market refers to each individual product, not to a type of product, whether it is manufactured individually or in series. The Commission FAQ then applies that logic to CRA support periods for hardware. Sources for this answer: - [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3 - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 4.5.3 and 7.2 ## If a manufacturer places more units of the same model on the market later, do the later units get their own support period? Yes. The Commission FAQ gives this directly. Units of a hardware model placed on the market in January 2028 with a five-year support period can remain supported until January 2033. If more units of the same model are placed on the market on 1 January 2030, the manufacturer must set the support period for those newly placed units too. Sources for this answer: - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 4.5.3 - [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3 ## Can units already placed on the market continue to be sold after their support period ends? Yes. The Commission FAQ says products already placed on the market can continue to be made available after the support period expires. But if new units of that product are placed on the market later, the manufacturer must set the support period for those newly placed units. Sources for this answer: - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 4.5.3 - [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - sections 2.2-2.3 ## Does the CRA support-period clock start on the manufacturing date? No. For physical products, manufacturing must be complete before placing on the market can happen, but manufacturing completion alone is not enough. There must also be a first supply for distribution or use on the Union market. For standalone software supplied digitally, the draft guidance also rejects manufacturing completion alone as enough. Placement occurs when the completed software is first supplied for distribution or use on the EU market. Sources for this answer: - [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3 - [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - points 13-14 ## Does placing on the market require physical handover? No. The Blue Guide says placing on the market requires an offer or agreement for transfer of ownership, possession, or another property right after manufacturing is complete. It expressly says physical handover is not required. Sources for this answer: - [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3 ## If the manufacturer first supplies the product to a distributor, is that the placing-on-the-market event? Usually yes. The Blue Guide says that when a manufacturer or importer first supplies a product to a distributor or an end-user, that first supply is placing on the market. Later transactions further down the chain are making available, not a new placing event. Sources for this answer: - [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3 ## If a distributor later sells the same unit to the final customer, does that create a new support-period start date? No. Once that individual unit has already been placed on the market, later distributor-to-distributor or distributor-to-end-user transactions are only later instances of making the product available on the market. Sources for this answer: - [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3 - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 4.5.3 ## Does the support clock start on first installation, activation, commissioning, or first use? No. The CRA support-period logic is anchored to placing on the market, not first use. The Blue Guide treats placing on the market and putting into service as different concepts. The CRA materials on support periods use placing on the market as the reference point. Sources for this answer: - [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - sections 2.3 and 2.6 - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(8) - [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - Example 46 ## Is putting into service the same thing as placing on the market for CRA support-period purposes? No. The Blue Guide treats them as distinct concepts. Some Union legislation uses both concepts, or treats own use as equivalent. The CRA support-period rules and the available Commission materials are built around placing on the market, not putting into service. Sources for this answer: - [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - sections 2.3 and 2.6 - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(8) ## Does a product get placed on the market separately in each Member State? No. The Blue Guide says placing on the Union market can happen only once for each individual product across the EU and does not happen separately in each Member State. Sources for this answer: - [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3 ## If a product is made only for the manufacturer's internal use, is that placing on the market? Generally no. The Blue Guide says placing on the market does not occur where a product is manufactured for one's own use, unless the relevant Union legislation also covers own use. Sources for this answer: - [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3 ## If a product is offered or contracted before manufacturing is complete, has it already been placed on the market? No. The Blue Guide says an offer or agreement concluded before manufacture is finalised cannot be treated as placing on the market. Manufacturing must be complete first. Sources for this answer: - [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3 ## What if the product is already manufactured and a direct customer order is confirmed for that specific unit for CRA placing-on-the-market purposes? That can be the placing-on-the-market event. The Blue Guide explains that for direct distance sales from outside the EU to an EU end user, the product is placed on the market when the order is placed and confirmed for a specific product that is already manufactured and ready to be shipped. Sources for this answer: - [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3 ## How do warehouses, fulfilment centres, and distance selling affect placing on the market? They can change the answer. The Blue Guide says: - products offered online to EU end users are deemed made available if the offer targets the Union - but the actual placing-on-the-market event depends on the distribution chain - if products are shipped into the EU and stored with a fulfilment service provider for EU delivery, they are considered placed on the market when released for free circulation - if a specific already-manufactured product is sold directly from outside the EU to an EU end user, placement occurs when the order is placed and confirmed for that specific product Sources for this answer: - [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - sections 2.3-2.4 - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 4.2.3 ## If products are in customs transit, free zones, temporary storage, or other special customs procedures, are they already placed on the EU market? No. The Blue Guide treats those situations as different from placing on the Union market. Compliance with Union product rules applies when the product is actually placed on the market. Sources for this answer: - [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3 ## If an online offer targets EU end users, is the product automatically placed on the market at that point? Not always. The Blue Guide distinguishes between: - being deemed made available for market-surveillance purposes when the offer targets EU end users, and - the actual placing-on-the-market event for the individual product, which depends on the distribution chain So the targeted offer matters, but the placement date still depends on how that individual product reaches the EU market. Sources for this answer: - [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.4 ## What if the product is placed on the market but stays in the distribution chain for months before the final user receives it for CRA support-period purposes? That does not delay the placement date. The Commission FAQ recognizes this situation directly. A product may sit in the manufacturer's distribution branch, in fulfilment arrangements, or on a retailer shelf before reaching the user. It was still placed on the market earlier. Sources for this answer: - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 4.2.3 - [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3 ## If a known exploitable vulnerability is discovered after placement on the market but before the final user receives the product, must the manufacturer re-open the placement decision? No. The Commission FAQ says the Article 13(1) obligation to deliver products without known exploitable vulnerabilities applies at the moment of placement on the market. Once the product has already been placed on the market, the manufacturer is not expected to fix newly discovered vulnerabilities before the product reaches the final user. But the manufacturer still has vulnerability-handling obligations during the support period and may need to provide a security update as soon as the product is put into operation by its user. Sources for this answer: - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 4.2.3 - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(1), Article 13(8) ## For hardware sold together with software, should the support period be analyzed per hardware unit or per separate software delivery date? Usually per combined product, not by a separate software-delivery date. The draft guidance says that where software is necessary for the hardware to perform its intended functions, the hardware and that software together constitute the product placed on the market. The key question is not how or when the software is delivered, but whether it is necessary for the product's intended functions. Sources for this answer: - [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - point 19 and Examples 3-4 ## If a driver, app, or configuration tool is downloaded later through another channel, can it still be part of the same product? Yes, if it is necessary to operate, configure, control, or meaningfully use the device. The draft guidance expressly says necessary software remains part of the same product even if it is obtained later through an app store, a download link, or another digital channel after the hardware has already been placed on the market. Sources for this answer: - [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - point 19 and Examples 3-4 ## Does the standalone-software timing rule apply to software that is necessary for a hardware product to function? No. The draft guidance says the special rule for standalone software supplied digitally applies only to standalone software. It does not apply where software is supplied on physical media or where software forms part of a combined hardware-software product. Sources for this answer: - [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - points 16 and 19 ## How is standalone software placed on the market if it is supplied digitally? Current Commission draft guidance says a standalone software product supplied digitally should be considered placed on the market when: - its manufacturing phase is complete, and - that software is first supplied for distribution or use on the EU market in the course of a commercial activity Sources for this answer: - [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - points 13-14 ## For standalone software, does each later download create a fresh support-period clock? Current Commission draft guidance says no. The draft says all copies of the same unchanged version are considered placed on the market at the same time, namely when that version is first offered on the EU market. Later downloads or remote access to that unchanged version are later instances of making it available. Sources for this answer: - [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - points 13-15 and Examples 1-2 ## If standalone software receives a minor update that is not a substantial modification, does that reset the support-period clock? No. The draft guidance says iterations that do not qualify as substantial modifications do not require a new conformity assessment and do not modify the software's placement date. Sources for this answer: - [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - point 15 and Example 2 ## If a software product is substantially modified, does that create a new placing-on-the-market event and a new support-period determination? Yes. Where a modification qualifies as a substantial modification, the modified product is treated as a new product for CRA purposes. That means a new placing-on-the-market event and a new support-period determination for that substantially modified version. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 3(30), recital 41 - [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - points 113, 117, and 120 ## For continuously evolving software, does each substantially modified version need its own declared support period? Current Commission draft guidance says yes. The draft guidance says each substantially modified version placed on the market must have a declared support period that complies with Article 13(8). Sources for this answer: - [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - point 117 and Example 47 ## Can a manufacturer stop patching earlier substantially modified software versions once a later version exists? Sometimes, but only within the conditions of Article 13(10). If the manufacturer has placed subsequent substantially modified versions of a software product on the market, it may comply with the remediation obligation in Annex I, Part II, point (2) only for the latest placed version, provided that users of earlier versions can access the latest version: - free of charge - without additional costs to adjust their hardware or software environment This does not remove the manufacturer's other vulnerability-handling obligations for the support period. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(10), recital 40 - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 4.3.2 - [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - points 118-120 ## If a hardware product cannot run the newest operating-system version, can the manufacturer stop supporting that hardware? Not automatically. Recital 40 says that where a hardware product is not compatible with the latest version of the operating system it was originally delivered with, the manufacturer must continue to provide security updates at least for the latest compatible version for the support period. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - recital 40 - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 4.3.2 - [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - Example 46 ## Can the support period ever be less than five years? Yes, but only where the product is expected to be in use for less than five years. This is an exception, not a business preference. The Commission materials give examples such as a contact-tracing application for a pandemic and some software that is no longer available and no longer in use once a subscription expires. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(8), recital 60 - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 4.5.2 - [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - point 115 ## Is five years a safe default for long-lived products if a manufacturer wants one simple rule? No. The Commission FAQ and the draft guidance both say five years is only a safeguard. It is not the default for products reasonably expected to be used longer. The Commission materials specifically mention longer-lived hardware components, network devices, software such as operating systems or video-editing tools, and industrial systems. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - recital 60 - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 4.5.2 - [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - point 115 ## Can the support period be defined solely by the support period of a key integrated component? No. The support period of integrated core components is only one factor the manufacturer may take into account. It does not automatically cap the manufacturer's support obligation for the finished product. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(8) - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 4.3.7 and 4.5.1 ## What if an integrated component's support period ends before the finished product's support period ends? The finished-product manufacturer still remains responsible for the finished product. The Commission FAQ says the finished product must comply in its entirety during its own support period. If an integrated component is no longer supported and a vulnerability cannot be adequately handled by mitigations, the manufacturer of the finished product may need to switch out the component, develop a patch itself, disable compromised functions, or otherwise remediate by other means. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - recital 34, Article 13(8) - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 4.3.6 and 4.3.7 ## Does the support period cover only the manufacturer's own code, or also integrated components? It covers the product in its entirety, including integrated components. The CRA and the Commission FAQ are explicit on this point. The manufacturer must handle vulnerabilities affecting the whole product, including vulnerabilities found in integrated third-party components. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - recital 34, Article 13(8) - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 4.3.6 ## If the integrated component was placed on the market separately under the CRA, can the finished-product manufacturer rely on the component manufacturer's support? Partly, but not completely. The Commission FAQ says the finished-product manufacturer may benefit from the component manufacturer's own CRA obligations, for example where the component manufacturer develops a security update. But the finished-product manufacturer still remains responsible for its own product's compliance and vulnerability handling. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(5)-(8) - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 4.3.6 ## If the integrated component was never placed on the market, or was placed before the CRA applies, does that remove the finished-product manufacturer's obligations? No. The Commission FAQ says that even where the component maker is not subject to CRA vulnerability-handling obligations, the integrating manufacturer must still ensure its own product complies in its entirety and must remediate vulnerabilities by other means if necessary. Sources for this answer: - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 4.3.6 and 4.3.7 ## What must be disclosed to users about the support period? The manufacturer must clearly and understandably specify the end date of the support period, at least month and year, at the time of purchase, in an easily accessible manner. Where appropriate, this may also be shown on the product, the packaging, or by digital means. Where technically feasible, the manufacturer must also notify users when the product has reached the end of its support period. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(19), recital 56 - [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - point 116 ## Must the manufacturer document how it determined the support period? Yes. The CRA requires the manufacturer to include in the technical documentation the information taken into account to determine the support period. Annex VII expressly requires this information. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(8), Article 31, Annex VII point 4 - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 4.5.1 ## Must the technical documentation already exist when the product is placed on the market? Yes. The CRA requires the technical documentation to be drawn up before placement on the market and to be continuously updated where appropriate, at least during the support period. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(12), Article 31(1)-(2) ## Must technical documentation and user instructions be kept after placement on the market, and is that the same as the support period? They must be kept, but this is a separate retention rule. The CRA says technical documentation and the EU declaration of conformity must be kept for at least 10 years after placement on the market or for the support period, whichever is longer. It applies the same 10-years-or-support-period rule to user instructions and their online availability. This does not mean the support period is always 10 years. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(13), Article 13(18) ## Must each CRA security update remain available after it is issued? Yes. This is a separate rule from the length of the support period itself. Each security update made available during the support period must remain available for at least 10 years after issuance or for the remainder of the support period, whichever is longer. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(9) ## If the CRA support period is five years, can update availability still last longer than five years? Yes. Article 13(9) is separate from Article 13(8). A product might have a five-year support period, but updates issued during that period may still need to remain available for longer. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(8)-13(9) ## What happens to products placed on the market before 11 December 2027? As a rule, they are subject to the CRA only if they undergo a substantial modification on or after 11 December 2027. Article 14 reporting obligations are the main express exception and apply more broadly. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 69(2)-(3) - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 1.4 - [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - points 111-113 ## If a manufacturer developed a product type before 11 December 2027, can it keep producing identical new units after that date without CRA compliance? No. The Commission FAQ says the CRA applies to individual units placed on the market after the application date. Old product types or models are not grandfathered for newly placed units. Sources for this answer: - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 7.2 - [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3 ## If units of a pre-CRA product were already placed on the market before 11 December 2027 but are still in the channel afterward, do they have to be retrofitted to CRA requirements? Generally no. If those units were already placed on the market before 11 December 2027, they are not subject to the CRA cybersecurity requirements merely because they remain in distribution afterward, unless they are substantially modified. Reporting obligations are the main exception. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 69(2)-(3) - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 1.4 and 7.2 ## Do reporting obligations still apply to products placed on the market before 11 December 2027? Yes. Article 69(3) makes Article 14 apply to in-scope products placed on the market before that date as well. The Commission FAQ says manufacturers must notify actively exploited vulnerabilities and severe incidents for those legacy products even though other CRA obligations may not apply to them. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 69(3) - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 5.3 ## Can software sold on a subscription basis ever have a support period below five years? Yes. The CRA and the Commission FAQ allow support periods below five years where the product is genuinely expected to be in use for less than five years. Recital 60 gives software that becomes unavailable and no longer in use once the subscription expires as an example of that kind of case. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(8), Article 13(19), recital 60 - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 4.5.2 - [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - point 115 ## What is the cleanest practical rule for manufacturers when determining the CRA support period? Use this rule set: - For physical products, including hardware plus software that is part of that product, determine the support period at the level of each individual unit when that unit is first placed on the EU market. - Do not use manufacturing date as the support-period start date. - Do not use later distributor sale, activation, installation, or first use as the support-period start date. - Treat stock already in the distribution chain as already placed if the first EU supply event has already occurred. - For direct online sales, determine the placement date from the actual distribution model, not from marketing language alone. - For standalone software delivered digitally, the current Commission draft guidance points to the first EU offering of the unchanged version as the placement date. - If a software or product change is a substantial modification, treat the modified product as a new product with a new placement event and a new support-period determination. - Track component support periods, but do not treat them as automatic caps on the finished product's support period. - Track Article 13(9) separately: each security update issued during the support period must remain available for at least 10 years after issuance or for the remainder of the support period, whichever is longer. - Record in the technical documentation exactly what factors were used to justify the support period. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(8)-13(10), Article 13(19) - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 4.2.3, 4.5.1, 4.5.3, 7.2 - [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - points 13-19 and 114-120 - [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - sections 2.3-2.4 ## Can a product be placed on the market even if it is supplied free of charge or under loan, hire, lease, or gift arrangements? Yes. The Blue Guide says the transfer can be for payment or free of charge and gives sale, loan, hire, leasing, and gift as examples. What matters is the first making available on the Union market after manufacture is complete. Sources for this answer: - [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - sections 2.2-2.3 ## Does repeated renting or leasing of the same unit create a new placing-on-the-market event each time? No. The Blue Guide says repeated renting of the same product does not create a new placing-on-the-market event. The relevant compliance moment remains the first placing-on-the-market event for that unit. Sources for this answer: - [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3 ## Is a transfer from a third-country manufacturer to its authorised representative in the Union a placing-on-the-market event? No. The Blue Guide expressly says placing on the market does not take place where a product is transferred from the manufacturer in a third country to an authorised representative in the Union engaged to help ensure compliance. Sources for this answer: - [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3 ## Are products that are still in the manufacturer's, authorised representative's, or importer's stock already placed on the market? No, not if they have not yet been supplied for distribution, consumption, or use. The Blue Guide says products in those stocks are not yet placed on the market where they are not yet made available. Sources for this answer: - [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3 ## Are trade-fair, exhibition, demonstration, or pre-production test units automatically considered placed on the market? No. The Blue Guide says products displayed or operated under controlled conditions at trade fairs, exhibitions, or demonstrations are not placed on the market. The same is true for transfers for testing or validating pre-production units that are still in the stage of manufacture. Sources for this answer: - [Blue Guide 2022](https://ec.europa.eu/docsroom/documents/44906/attachments/2/translations/en/renditions/native?ref=sorena.io) - section 2.3 ## Is the support period the same thing as a product's abstract lifetime or physical durability? No. Under the CRA, the support period is a cybersecurity support obligation: it is the period during which vulnerabilities must be handled effectively. It is not simply another label for abstract product lifetime, physical durability, or a general commercial warranty period. But the manufacturer must set the support period so that it reflects how long the product is expected to be in use. Expected use and product lifetime therefore matter because they are inputs into the support-period decision. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(8), Article 3(20) - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - sections 4.1.6 and 4.5.1 ## Does the expected-use analysis affect only the support period, or also the cybersecurity risk assessment? It affects both. Article 13(3) requires the cybersecurity risk assessment to take into account the length of time the product is expected to be in use. The Commission FAQ then links that same expected-use analysis to the support period under Article 13(8). Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(3), Article 13(8) - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 4.1.6 ## Must the manufacturer think about expected use and lifetime already at the design and development stage? Yes. The Commission FAQ says the manufacturer should consider the product's lifetime during design and development and prepare the product so that vulnerabilities, including component vulnerabilities, can be handled effectively throughout the support period. Sources for this answer: - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 4.1.6 - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(8), Annex I Part II ## If the risk assessment depends on user instructions or operating assumptions, must those materials be updated during the support period? Yes, where appropriate. The CRA requires the risk assessment to be documented and updated where appropriate during the support period. The Commission FAQ adds that where the risk assessment relies on information and instructions to users to address certain risks, those materials should be updated accordingly. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(7), Article 31(2) - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 4.1.6 ## Can relevant Union law affect the support period even if the manufacturer would otherwise choose a shorter period? Yes. Article 13(8) expressly requires the manufacturer to take into account relevant Union law determining the lifetime of products with digital elements. So the support-period analysis is not based only on internal policy or market preference. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(8) - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 4.5.1 ## What happens if a manufacturer stops operating before the support period ends? The CRA does not let the manufacturer stay silent. If a manufacturer ceases operations and therefore cannot comply with the CRA, it must inform the relevant market surveillance authorities before the cessation takes effect and must also inform users of the affected products, by any available means and to the extent possible. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(23) ## Can market surveillance authorities review whether a manufacturer's support period is too short? Yes. The CRA says market surveillance authorities must monitor how manufacturers applied the Article 13(8) criteria when determining support periods. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 52(16) ## Will there be public CRA support-period benchmarks by product category? Yes. The CRA says ADCO must publish relevant statistics on categories of products with digital elements, including average support periods determined by manufacturers, and provide guidance with indicative support periods for product categories. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 52(16) ## Can the Commission later set minimum support periods for specific product categories? Yes. Article 13(8) allows the Commission to adopt delegated acts specifying minimum support periods for specific product categories where market-surveillance data suggests inadequate support periods. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(8) ## Can the manufacturer disclose the support period only as "five years from purchase" or another relative formula instead of a fixed end date? No. Article 13(19) requires the end date of the support period to be specified at the time of purchase, including at least the month and year. So the disclosure has to give users an actual end date, not only a relative formula such as "five years from purchase" or "five years from activation". Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(19) - [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - point 116 ## Must the manufacturer simply set the support period equal to the expected use time in every case? No. Article 13(8) says the support period must reflect the length of time during which the product is expected to be in use, but the January 2026 Commission FAQ adds that manufacturers are not expected to apply that as a simple one-factor shortcut. Except where the expected use time is less than five years, the manufacturer must determine the support period by taking the Article 13(8) criteria into account proportionately. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(8) - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 4.5.1 ## If the product is genuinely expected to be in use for less than five years, must the manufacturer still weigh the other Article 13(8) factors to set a longer support period? No. The January 2026 Commission FAQ says that where the product is expected to be in use for less than five years, the support period must correspond to that expected use time without further consideration of the other criteria listed in Article 13(8). That is the CRA's specific exception to the normal five-year minimum. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(8), recital 60 - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 4.5.2 ## Do ADCO averages or indicative support periods automatically become binding legal minimums? No. Article 52(16) says ADCO publishes statistics, including average support periods, and guidance with indicative support periods for product categories. Those are not themselves the same thing as binding minimum support periods. Binding category-specific minimums arise only if the Commission later adopts a delegated act under Article 13(8). Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(8), Article 52(16) ## What if free and open-source software placed on the market is monetised only through paid support subscriptions? The January 2026 Commission FAQ treats that as a specific support-period scenario. The FAQ says that some free and open-source software placed on the market may be monetised only through paid support services offered on a subscription basis. Because that software may remain in use after the user stops paying for support, the FAQ says the manufacturer is required to ensure a support period equal to the duration of the active subscription. Sources for this answer: - [European Commission CRA FAQs (January 2026)](https://ec.europa.eu/newsroom/dae/redirection/document/122331?ref=sorena.io) - section 4.5.2 - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(8), recital 60 ## Can Article 13(10) leave an earlier substantially modified software version with a shorter effective support period than a later one? Yes. The March 2026 draft guidance says that for continuously evolving software, the manufacturer may rely on Article 13(10) to stop addressing and remediating vulnerabilities for earlier substantially modified versions once users can upgrade to a later version free of charge and without additional costs. The guidance expressly notes that this may result in a shorter effective support period for those earlier versions, while the other vulnerability-handling obligations still continue. Sources for this answer: - [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Article 13(10), recital 40 - [Draft Commission guidance on the CRA (March 2026 draft)](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en?ref=sorena.io) - points 118-120 ## Topic Guides - [Applicability Test | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/applicability-test.md): Use this CRA applicability test to confirm product scope, exclusions, remote data processing boundaries, operator role, product classification. - [Checklist | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/checklist.md): Use this Cyber Resilience Act checklist to assign owners, deadlines, evidence, and release gates for scope, Annex I controls, support period operations. - [Compliance Program | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/compliance.md): Build a CRA compliance program that covers product scope, governance, engineering controls, support period operations, Article 14 reporting. - [Conformity Assessment and CE Marking | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/conformity-assessment-and-ce-marking.md): Choose the right CRA conformity route, prepare the declaration of conformity, structure the technical file. - [CRA Blue Guide Concepts FAQ | Placing on the Market, Making Available, Distance Sales](/artifacts/eu/cyber-resilience-act/faq/blue-guide-concepts.md): CRA FAQ on Blue Guide concepts used in Cyber Resilience Act interpretation: placing on the market, making available, putting into service, online sales. - [CRA CE Marking FAQ | Meaning, Placement Rules, Software Labeling, Notified Bodies](/artifacts/eu/cyber-resilience-act/faq/ce-marking.md): CRA CE marking FAQ covering what the mark means, when it is mandatory, software and website placement rules, packaging fallback, notified body numbers. - [CRA Component Due Diligence FAQ | Third-Party Components, FOSS, SBOM, Vulnerabilities](/artifacts/eu/cyber-resilience-act/faq/component-due-diligence.md): CRA component due diligence FAQ covering third-party components, FOSS, CE-marked components, SBOM review, risk-based checks, upstream vulnerability reporting. - [CRA Conformity Assessment Routes FAQ | Module A, Module B+C, Module H, Critical and Important Products](/artifacts/eu/cyber-resilience-act/faq/conformity-assessment-routes.md): CRA FAQ on conformity assessment routes covering module A, module B+C, module H, important and critical products, harmonised standards, certification schemes. - [CRA Core Functionality FAQ | Important Products, Critical Products, Classification](/artifacts/eu/cyber-resilience-act/faq/core-functionality.md): CRA FAQ on core functionality covering classification of important and critical products, ancillary functions, integrated components. - [CRA Cybersecurity Risk Assessment FAQ | Article 13, Threat Modelling, Variants, Constraints](/artifacts/eu/cyber-resilience-act/faq/cybersecurity-risk-assessment.md): CRA FAQ on cybersecurity risk assessment covering Article 13, threat modelling, intended purpose, foreseeable misuse, external dependencies, documentation. - [CRA Declaration of Conformity FAQ | Full vs Simplified, Languages, Updates, Duties](/artifacts/eu/cyber-resilience-act/faq/declaration-of-conformity.md): CRA FAQ on the EU declaration of conformity covering full and simplified formats, required contents, languages, updates, single declarations across EU laws. - [CRA Economic Operators FAQ | Manufacturers, Importers, Distributors, Authorised Representatives](/artifacts/eu/cyber-resilience-act/faq/economic-operators.md): CRA FAQ on economic operators covering manufacturer, authorised representative, importer, distributor, responsible operator rules, checks, traceability. - [CRA Essential Cybersecurity Requirements FAQ | Annex I Part I and Part II](/artifacts/eu/cyber-resilience-act/faq/essential-cybersecurity-requirements.md): CRA FAQ on the essential cybersecurity requirements covering Annex I Part I and Part II, applicability, evidence, interoperability constraints. - [CRA FAQ Hub | Blue Guide Concepts, CE Marking, Component Due Diligence](/artifacts/eu/cyber-resilience-act/faq.md): Browse the CRA FAQ hub for Blue Guide market-access concepts, CE marking, and component due diligence. - [CRA Hardware and Software Boundaries FAQ | Product Scope, Combined Products, Source Code](/artifacts/eu/cyber-resilience-act/faq/hardware-software-boundaries.md): CRA FAQ on hardware and software boundaries covering combined products, standalone software, source code, companion apps, remote data processing. - [CRA Harmonised Standards and Common Specifications FAQ | Presumption of Conformity, OJ Publication](/artifacts/eu/cyber-resilience-act/faq/harmonised-standards-and-common-specifications.md): CRA FAQ on harmonised standards, common specifications, and certification schemes covering presumption of conformity, Official Journal publication. - [CRA Important and Critical Products FAQ | Annex III, Annex IV, Core Functionality](/artifacts/eu/cyber-resilience-act/faq/important-and-critical-products.md): CRA FAQ on important and critical products covering Annex III and Annex IV classification, core functionality, conformity routes, FOSS rule limits. - [CRA Integrated Components and Dependencies FAQ | Due Diligence, RDPS, Third-Party Components](/artifacts/eu/cyber-resilience-act/faq/integrated-components-and-dependencies.md): CRA FAQ on integrated components and dependencies covering due diligence, third-party components, RDPS, cloud dependencies, upstream fixes, FOSS dependencies. - [CRA Interplay With Other EU Laws FAQ | RED, AI Act, GDPR, Data Act, EHDS, Machinery](/artifacts/eu/cyber-resilience-act/faq/interplay-with-other-eu-laws.md): CRA FAQ on interplay with other EU laws covering exclusions, overlap with RED, AI Act, GDPR, Data Act, EHDS, Machinery, GPSR, NIS2, aviation, marine. - [CRA Known Exploitable Vulnerabilities at Launch FAQ | Placement on the Market, CVEs, Late Discoveries](/artifacts/eu/cyber-resilience-act/faq/known-exploitable-vulnerabilities-at-launch.md): CRA FAQ on known exploitable vulnerabilities at launch covering the launch-time rule, exploitability, known vulnerabilities, CVEs, compensating controls. - [CRA Legacy Products FAQ | Pre-2027 Products, Reporting, Grandfathering, Substantial Modification](/artifacts/eu/cyber-resilience-act/faq/legacy-products.md): CRA FAQ on legacy products covering pre-11 December 2027 products, Article 14 reporting, continued sale, substantial modification, spare parts, old designs. - [CRA Manufacturer Obligations FAQ | Article 13 Duties, Support Period, Reporting, Documentation](/artifacts/eu/cyber-resilience-act/faq/manufacturer-obligations.md): CRA FAQ on manufacturer obligations covering Article 13 duties, risk assessment, support periods, vulnerability handling, reporting, documentation. - [CRA Market Surveillance and Enforcement FAQ | Authorities, Safeguards, Sweeps, Formal Non-Compliance](/artifacts/eu/cyber-resilience-act/faq/market-surveillance-and-enforcement.md): CRA FAQ on market surveillance and enforcement covering authorities, investigations, safeguard procedures, formal non-compliance, sweeps, joint activities. - [CRA Module A FAQ | Internal Control, Self-Assessment, Eligibility, Documentation](/artifacts/eu/cyber-resilience-act/faq/module-a.md): CRA FAQ on module A covering internal control, eligible products, class I limits, FOSS exception, technical documentation, testing, CE marking. - [CRA Module B+C FAQ | EU-Type Examination, Conformity to Type, Notified Bodies](/artifacts/eu/cyber-resilience-act/faq/module-b-c.md): CRA FAQ on module B+C covering EU-type examination, conformity to type, notified-body role, certificate changes, production control, CE marking. - [CRA Module H FAQ | Full Quality Assurance, Notified Body Surveillance, CE Marking](/artifacts/eu/cyber-resilience-act/faq/module-h.md): CRA FAQ on module H covering full quality assurance, quality-system approval, notified-body surveillance, scope changes, CE marking, language rules, records. - [CRA Notified Bodies FAQ | Notification, Scope, NANDO, Independence, Competence](/artifacts/eu/cyber-resilience-act/faq/notified-bodies.md): CRA FAQ on notified bodies covering notification, competence, independence, NANDO scope, accreditation, cross-border choice, subcontracting. - [CRA Open-Source Software FAQ | FOSS, Commercial Activity, Stewards, Donations, Paid Editions](/artifacts/eu/cyber-resilience-act/faq/open-source-software.md): CRA FAQ on open-source software covering FOSS qualification, commercial activity, donations, paid support, stewards, contributors, repositories. - [CRA Over-the-Air Updates FAQ | OTA, Automatic Updates, Secure Distribution, Offline Paths](/artifacts/eu/cyber-resilience-act/faq/over-the-air-updates.md): CRA FAQ on over-the-air updates covering OTA versus automatic updates, secure distribution, screenless products, gateways, offline update paths. - [CRA Penalties and Fines FAQ | Fine Tiers, Turnover Caps, SME Carve-Outs, Stewards](/artifacts/eu/cyber-resilience-act/faq/penalties-and-fines.md): CRA FAQ on penalties and fines covering Article 64 fine tiers, turnover caps, SME carve-outs, steward exemptions, cumulative fines, criminal sanctions. - [CRA Product Families FAQ | Variants, Shared Assessments, Family Reuse, Conformity Scope](/artifacts/eu/cyber-resilience-act/faq/product-families.md): CRA FAQ on product families covering shared risk assessments, family-wide documentation reuse, cybersecurity-relevant variant differences. - [CRA Remote Data Processing Solutions FAQ | RDPS Scope, Cloud Services, SaaS Boundaries, Documentation](/artifacts/eu/cyber-resilience-act/faq/remote-data-processing-solutions.md): CRA FAQ on remote data processing solutions covering Article 3(2) RDPS tests, cloud-service boundaries, websites and portals, third-party SaaS, backend scope. - [CRA Repairs and Spare Parts FAQ | Repairs, Refurbishment, Spare-Part Exemption, Compatibility](/artifacts/eu/cyber-resilience-act/faq/repairs-and-spare-parts.md): CRA FAQ on repairs and spare parts covering substantial modification, Article 2(6) identical spare parts, non-identical replacements. - [CRA Reporting Obligations FAQ | Article 14 Deadlines, CSIRT Filing, User Notices, Legacy Products](/artifacts/eu/cyber-resilience-act/faq/reporting-obligations.md): CRA FAQ on reporting obligations covering Article 14 deadlines, actively exploited vulnerabilities, severe incidents, CSIRT routing, user notifications. - [CRA Scope FAQ | Products with Digital Elements, Connections, Software, Exclusions](/artifacts/eu/cyber-resilience-act/faq/scope-and-products-with-digital-elements.md): CRA FAQ on scope and products with digital elements covering software, firmware, components, direct and indirect connections, offline products, exclusions. - [CRA Secure-by-Default FAQ | Default Configuration, Auto Updates, Tailor-Made Limits](/artifacts/eu/cyber-resilience-act/faq/secure-by-default.md): CRA FAQ on secure by default covering Annex I default configuration, automatic security updates, opt-outs, components, inapplicability. - [CRA Security Updates vs Functionality Updates FAQ | Separation, Free Updates, Article 13(10)](/artifacts/eu/cyber-resilience-act/faq/security-updates-vs-functionality-updates.md): CRA FAQ on security updates versus functionality updates covering separation where technically feasible, free security updates, automatic updates. - [CRA Substantial Modification FAQ | Post-Market Changes, New Manufacturer, Legacy Products](/artifacts/eu/cyber-resilience-act/faq/substantial-modification.md): CRA FAQ on substantial modification covering Article 3(30), software updates, repairs, new manufacturer status, conformity reassessment. - [CRA Tailor-Made Products FAQ | Business-User Exception, Paid Updates, Evidence](/artifacts/eu/cyber-resilience-act/faq/tailor-made-products.md): CRA FAQ on tailor-made products covering the narrow business-user carve-out, secure-by-default and paid-update deviations, required evidence. - [CRA Technical Documentation FAQ | Annex VII, Languages, Authority Access, Updates](/artifacts/eu/cyber-resilience-act/faq/technical-documentation.md): CRA FAQ on technical documentation covering Annex VII content, timing, languages, versioning, authority access, reused documentation, simplified formats. - [CRA Transition Period FAQ | Key Dates, Legacy Products, Pre-CRA Stock, RED Interplay](/artifacts/eu/cyber-resilience-act/faq/transition-period.md): CRA FAQ on the transition period covering entry into force, phased application dates, legacy products, stock and customs timing, standalone software. - [CRA Update Availability and Archives FAQ | Article 13(9), Archives, Historical Versions](/artifacts/eu/cyber-resilience-act/faq/update-availability-and-archives.md): CRA FAQ on update availability and software archives covering Article 13(9), Article 13(10), Article 13(11), retention of issued security updates. - [CRA User Information and Transparency FAQ | Annex II, Support Disclosure, User Notices](/artifacts/eu/cyber-resilience-act/faq/user-information-and-transparency.md): CRA FAQ on user information and transparency covering Annex II instructions, support-period disclosure, end-of-support notices, vulnerability notices. - [CRA vs RED Cybersecurity Delegated Act | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/cra-vs-red-cybersecurity-delegated-act.md): Compare the Cyber Resilience Act with the RED cybersecurity delegated act so you can decide which products fall under which rule, what dates apply. - [CRA vs UK PSTI Act | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/cra-vs-uk-psti-act.md): Compare the EU Cyber Resilience Act with the UK PSTI product security regime so your team can plan dual market compliance without mixing two different rule. - [CRA Vulnerability Handling FAQ | Lifecycle Duties, Components, Disclosure, Fix Sharing](/artifacts/eu/cyber-resilience-act/faq/vulnerability-handling.md): CRA FAQ on vulnerability handling covering Annex I Part II duties, component vulnerabilities, upstream reporting and fix sharing. - [Deadlines and Compliance Calendar | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/deadlines-and-compliance-calendar.md): Track the CRA entry into force date, the notified body date, the reporting start date, and the main application date. - [Essential Cybersecurity Requirements | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/essential-cybersecurity-requirements.md): Understand the CRA essential cybersecurity requirements in Annex I. - [Penalties and Fines | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/penalties-and-fines.md): Understand the CRA administrative fine tiers in Article 64, the conduct that attracts the highest penalties, and the evidence that reduces enforcement exposure. - [Products with Digital Elements Scope | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/products-with-digital-elements-scope.md): Understand what counts as a product with digital elements under the CRA, how remote data processing fits, and where the scope boundary usually causes mistakes. - [Reporting Obligations | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/reporting-obligations.md): Prepare for CRA Article 14 reporting, including the twenty four hour early warning, the seventy two hour notification, final reports, CSIRT routing. - [Requirements | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/requirements.md): Review the full CRA requirement set, including manufacturer duties, operator duties, support period rules, user information, corrective action, reporting. - [SBOM and Vulnerability Management Template | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/sbom-and-vulnerability-management-template.md): Use this CRA SBOM and vulnerability management template to structure dependency records, triage, remediation, advisory publication, and support period evidence. - [Technical Documentation and Audit File | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/technical-documentation-and-audit-file.md): Build a CRA technical documentation file that covers product definition, risk assessment, support period, Annex I mapping, standards use, test evidence. - [Vulnerability Handling and Disclosure | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/vulnerability-handling-and-disclosure.md): Build a CRA vulnerability handling system that covers SBOM, intake, triage, remediation, coordinated vulnerability disclosure, secure updates. *Recommended next step* *Placement: after key answers* ## Use EU Cyber Resilience Act FAQ Support Period as a cited research workflow Research Copilot can turn EU Cyber Resilience Act FAQ Support Period into a reusable cited workflow for teams implementing EU Cyber Resilience Act FAQ. - [Open Research Copilot](/solutions/research-copilot.md): Start from EU Cyber Resilience Act FAQ Support Period and move to source-backed decisions and evidence workflows. - [Talk through your EU Cyber Resilience Act FAQ implementation](/contact.md): Review evidence gaps, ownership, and next steps for EU Cyber Resilience Act FAQ. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/cyber-resilience-act/faq/support-period