
10 March 2026
Innovation Law Insights
Privacy and cybersecurity
EU Cyber Resilience Act: Commission publishes draft guidance to support companies on compliance
The European Commission has just published for feedback its long-awaited draft guidance to assist companies in applying the Cyber Resilience Act (CRA), a landmark EU regulation aiming to strengthen cybersecurity across the digital product landscape. The draft guidance is now open for stakeholder input until 31 March 2026 and seeks to clarify key implementation questions to ensure consistency and effectiveness in enforcement across the European Union.
The CRA is one of the most ambitious pieces of cybersecurity legislation enacted by the EU, mandating robust security requirements for products with digital elements, from connected devices to embedded software. As firms prepare for the CRA’s phased rollout – with reporting obligations beginning in September 2026 and full application by December 2027 – the guidance plays a critical role in translating regulatory text into practical compliance pathways.
What is the Cyber Resilience Act?
At its core, the Cyber Resilience Act (EU Regulation 2024/2847) imposes horizontal cybersecurity requirements on products with digital elements (PDEs) sold or made available in the EU. It requires manufacturers, importers, and distributors to ensure that products are secure by design and maintained throughout their lifecycle. The CRA introduces lifecycle-wide obligations, such as vulnerability handling, incident reporting, and security updates, aimed at reducing systemic risk in an increasingly connected digital ecosystem.
Unlike previous frameworks that primarily addressed organizational cybersecurity, the CRA directly targets products – from smart wearables and IoT devices to embedded software components – making cyber resilience a precondition for market access and CE marking in the EU.
Purpose and scope of the CRA Draft Guidance
The Commission’s draft guidance focuses on clarifying several complex elements of the CRA to support both micro, small and medium-sized enterprises (SMEs) and large manufacturers in understanding their obligations. It’s designed to help stakeholders – from software developers and hardware manufacturers to conformity assessment bodies – by highlighting interpretative issues and practical compliance questions.
Significant areas addressed in the guidance include:
- Scoping and applicability
Understanding when and how products are considered to be “placed on the market” under the CRA is a foundational compliance issue. The guidance offers clarity on this principle, including how it applies to products developed before the CRA’s application date and the interpretation of key concepts such as products with digital elements.
- Remote data processing solutions
As cloud connectivity becomes ubiquitous, the draft guidance provides interpretative help on how remote data processing solutions fall within the CRA’s scope, including how functional dependency tests should be applied to determine whether a product with remote elements must comply.
- Free and Open-Source Software (FOSS)
One of the most debated topics is the treatment of free and open-source software. The guidance outlines when open source might be in scope – particularly when it’s monetised or distributed commercially – and discusses responsibilities for open source stewards contributing to products subject to the CRA.
- Support periods
The CRA requires manufacturers to provide security updates for a defined support period. The guidance addresses how to interpret and implement these support obligations, a practical challenge for product teams planning release schedules and long-term maintenance strategies.
- Substantial modifications and spare parts
Clarification is provided on what constitutes a substantial modification, which impacts whether a product needs to be re-assessed for CRA conformity after significant changes.
- Reporting and interaction with other legislation
The guidance touches on reporting duties for exploited vulnerabilities and security incidents, and how the CRA interacts with other EU cyber and digital legislation such as NIS2 and the forthcoming European cybersecurity standards framework.
Why this guidance matters
The draft guidance not only supports compliance but also reduces fragmentation in how the CRA is implemented across member states and market surveillance authorities. By clarifying concepts and outlining practical examples, it helps stakeholders manage compliance risk and prepare for upcoming CRA milestones – including the launch of the Single Reporting Platform by ENISA for coordinated vulnerability and incident reporting.
For manufacturers and technology vendors, this guidance is particularly relevant as the CRA transitions from regulatory text to real-world implementation. The guidance is expected to shape conformity assessment procedures, supplier obligations, and compliance documentation practices in 2026 and beyond.
Next steps and how to engage
Feedback on the draft guidance can be submitted until 31 March 2026. Companies and industry associations are encouraged to participate actively in the consultation, providing insights on parts of the draft that may be ambiguous or challenging to implement. Stakeholder input will be instrumental in refining the guidance before its final adoption.
As the CRA’s implementation timeline accelerates, organisations should:
- establish internal cross-functional compliance teams;
- review product portfolios and development pipelines against CRA requirements;
- assess whether current update and support practices align with expected CRA support periods; and
- prepare for early reporting duties starting in September 2026.
Conclusion
The draft guidance on the EU Cyber Resilience Act is a significant milestone in the CRA’s implementation journey. It reflects the EU’s commitment to harmonizing cybersecurity requirements and equipping companies with the interpretative tools needed to comply effectively with one of the most comprehensive cybersecurity product laws in the world.
As cybersecurity continues to rise in strategic importance, proactive engagement in the guidance process will help organisations shape practical and aligned regulatory outcomes – ensuring secure digital products for European consumers and businesses alike.
Read this article on the same topic: “The EU Parliament approved the Cyber Resilience Act: what obligations lie ahead for manufacturers, importers and distributors?”
Author: Giulio Coraggio
Intellectual Property
More guidance on inventive step: The person skilled in the art and common general knowledge according to the UPC
In its decision of 16 January 2026, the Paris Local Division provided more detailed clarification on the concepts of “person skilled in the art” and “common general knowledge”. The decision was issued in main proceedings concerning the validity and infringement of a patent relating to a locking device for vehicle doors.
According to the ruling, a “person skilled in the art” is someone who works in the technical field in which the technical problem that the invention aims to solve arises. The person skilled in the art has basic technical knowledge and medium-level skills and has undergone average training and gained average practical skills and experience. They can perform routine tasks in line with their general knowledge of the relevant field, and the relevant state of the art.
However, as already clarified by the Court of Appeal in a previous and relevant ruling, a person skilled in the art doesn’t have inventive capacity of their own and generally needs an indication or motivation guiding them towards the invention covered by the patent, beginning from a realistic starting point.
As for the notion of “common general knowledge”, according to the court, this includes knowledge that an expert in the field is supposed to possess or can obtain from reliable sources commonly used in the technical field, such as manuals, scientific texts, encyclopaedias or specialist databases in current use. It doesn’t include any confidential documents, such as industrial designs that aren’t accessible to the public, or products whose functioning cannot be easily understood without further operations, such as disassembly.
The decision also confirmed what had previously been stated by the Central Division in Paris, namely that “common general knowledge” doesn’t necessarily coincide with everything that’s publicly accessible (public knowledge). Public knowledge may also include knowledge that goes beyond information available from common sources or even beyond the relevant technical field.
With regard to the burden of proof, the court reaffirmed the principle that it’s up to the party invoking certain knowledge to prove that it actually belonged to the common technical knowledge at the date of filing of the patent application or any relevant priority date.
In the case at hand, the claimant had unconditionally limited the claims of the asserted patent by introducing additional features in the course of the proceedings.
Based on the then limited claims and applying the principles summarized above, and the additional criteria previously developed by the Court of Appeal for assessing inventive step, the court found the patent to be valid and infringed.
Author: Camila Francesca Crisci
Overall impression and design invalidity: The LEGO case
In its judgment in Case T-628/24, the General Court of the European Union provided a further and significant clarification of the criteria governing the assessment of individual character under Regulation (EC) No 6/2002, applicable ratione temporis as the proceedings were initiated in 2021.
The ruling remains fully relevant under the current Regulation (EU) 2024/2822, which recasts the framework for EU designs without altering the substantive test based on the “overall impression” produced on the informed user.
On the merits, the General Court upheld the invalidity of a registered design owned by LEGO A/S relating to a modular building element.
The dispute originated from an application for a declaration of invalidity filed before the EUIPO by a competitor in the modular toy sector, seeking a finding that the registered design lacked individual character. EUIPO upheld the application, concluding that the contested design didn’t produce, in comparison with a prior design already disclosed, a different overall impression on the informed user. Seised of the appeal, the General Court fully confirmed that conclusion.
The judgment follows established case law and restates, in a clear and structured manner, the methodological sequence governing the assessment of individual character. The examination requires:
- first, identifying the sector to which the products concerned belong;
- second, defining the informed user, having regard to the product’s function and the degree of knowledge of the prior art;
- third, determining the designer’s degree of freedom, whose impact on individual character is inversely proportional; and
- fourth, carrying out – where possible by means of a direct comparison – an assessment of the overall impressions produced by the contested design and by each relevant prior design.
It’s at this final stage that the decision proves decisive.
The registered design displayed certain differences compared to the earlier design: different proportions, a different number of cylindrical studs, and some variations in the lower part. However, according to the General Court, those differences weren’t sufficient to alter the overall perception of the product.
What matters isn’t the mere identification of descriptive differences, but their perceptual weight. In this case, the visually dominant features – the general block shape, the regular arrangement of the protruding elements, and the configuration of the interlocking system – were substantially similar. The global impression conveyed by the two designs was the same.
The court further clarified that marginal details or parts not normally visible during ordinary use cannot, when considered in isolation, establish individual character if the overall formal configuration is unchanged. The assessment must be synthetic and global, not fragmented.
The judgment reaffirms a fundamental principle in EU design law: it’s not sufficient to establish objective differences between two designs; those differences must meaningfully affect the perception of the informed user and result in a genuinely different overall impression. The validity of a design is grounded not in the mere enumeration of formal divergences, but in the cumulative visual effect produced by the design as a whole.
Author: Rebecca Rossi
Technology
Public consultation launched by AGCom for the update of the regulatory framework on mobile number portability
With Resolution No. 3/26/CIR, published on 18 February, AGCom launched a public consultation concerning the update of the regulatory framework governing number portability for mobile and personal communication services (Mobile Number Portability – MNP), as set out in Annex 1 to Resolution No. 147/11/CIR (MNP Regulation).
This initiative follows the proceedings initiated by Resolution No. 12/25/CIR, in which the Authority set out its positions on the same issues, now submitted for public consultation, and forms part of the implementation of Article 98-duodecies, paragraph 1-bis, of the Electronic Communications Code (Legislative Decree No. 259/2003, as amended – ECC).
That provision – as amended by Law No. 193 of 16 December 2024 (Annual Law for the Market and Competition 2023) – prohibits providers of electronic communications networks or services from using information obtained through the mobile number portability database to make offers to end users with differentiated conditions based on the originating operator, and assigns AGCom the task of updating the MNP Regulation by introducing mechanisms for monitoring and supervising the database.
With reference to the prohibition established by the above provision, the Authority considers it necessary to clearly define its scope and field of application. The Authority proposes introducing a monitoring activity to be carried out by periodically collecting reports containing informational elements submitted directly by operators. From these elements it may be possible to identify – including on a statistical basis – any potential use of portability-related information for the promotion of commercial offers differentiated according to the originating operator.
The consultation document also sets out proposals to amend and supplement the MNP Regulation. The Authority provides for:
- the introduction of an express reference, within the general provisions, to the prohibition on the use for commercial purposes of information relating to the portability process;
- the establishment of specific monitoring within the framework of MNP data communications, taking into account portability flows to ensure that the mobile number portability database is used in compliance with the above-mentioned paragraph 1-bis.
Lastly, the consultation document highlights the intention to launch a technical working group with operators, coordinated by AGCom. In this group it will be possible to examine in greater depth the effectiveness of the measures already adopted and to assess the economic sustainability aspects of any new measures.
Interested parties can submit their comments and assessments regarding the Authority’s positions and proposed amendments or additions until 20 March 2026.
Authors: Massimo D’Andrea, Matilde Losa, Arianna Porretti
Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Noemi Canova, Gabriele Cattaneo, Giovanni Chieco, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Giulio Napolitano, Andrea Pantaleo, Deborah Paracchini, Maria Vittoria Pessina, Tommaso Ricci, Marianna Riedo, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra.
Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.
For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.