
13 March 2026
Cyber Resilience Act: Commission unveils draft implementation guidance
As the first operational milestones under the Cyber Resilience Act (CRA) draw closer, the European Commission has now issued draft guidance to support economic operators and market surveillance authorities in applying the Regulation.
Published on 3 March 2026, the draft is meant to clarify how some of the CRA’s most consequential provisions should work in practice. The Regulation sits within the broader EU product-law framework and introduces mandatory cybersecurity requirements that will affect a very large share of hardware and software products placed on the EU market.
This publication matters because early implementation work has already shown that there are still legal uncertainties, especially around scope, qualification of software, support obligations, and the interaction between the CRA and other EU rules.
The Commission’s draft guidance is an important interpretive step. While it doesn’t replace the Regulation itself, it gives businesses and regulators a clearer sense of how the Commission currently understands several pivotal concepts and obligations. Once finalized, it’s likely to become a key practical reference point for CRA compliance.
Regulatory background
The CRA, formally Regulation (EU) 2024/2847, lays down essential cybersecurity requirements for “products with digital elements” and imposes obligations on multiple categories of economic operators, including manufacturers, importers and distributors, when such products are made available on the EU market. Its broader purpose is to improve the cybersecurity of connected products and software throughout their lifecycle, while also strengthening the functioning of the internal market.
Although the Regulation will apply in full from 11 December 2027, some provisions take effect earlier. First, the framework relating to notifying conformity-assessment bodies applies from 11 June 2026. Second, the obligations to report actively exploited vulnerabilities and severe incidents start to apply from 11 September 2026. The rest of the main compliance architecture becomes fully applicable from 11 December 2027.
Before releasing this draft guidance, the Commission had already begun publishing implementation materials, including FAQs and explanatory resources. Even so, several practical questions remained open:
- Which products fall within the CRA’s perimeter?
- How should remote data processing solutions be treated?
- How do the rules apply to free and open-source software (FOSS)?
- How should support periods be determined?
- How do some of the Regulation’s concepts translate to software products, which are not tangible goods in the traditional sense?
That’s why additional guidance from the Commission had been widely expected. After indicating that further material would arrive in early 2026, the Commission opened this draft for public consultation on 3 March 2026 and invited feedback until 31 March 2026.
What the draft guidance focuses on
Rather than attempting to restate the entire Regulation, the draft guidance concentrates on a number of especially sensitive or difficult issues. According to the Commission, the document is designed to help manufacturers, developers and other stakeholders understand their obligations and promote a more consistent approach across the EU. The themes highlighted by the Commission include remote data processing solutions, free and open-source software, support periods and the interplay between the CRA and other EU legislation.
A first major area concerns the scope of the CRA. The guidance addresses foundational notions such as “placing on the market,” including in relation to products designed before the date of full application.
For software, this issue is especially important because the product is intangible, yet can still be made available in the EU through download, remote access or other digital distribution models. The draft also examines the perimeter of software products, the CRA’s “data connection” requirement and the criteria for assessing whether integrated hardware-software systems should be treated as a product for the purposes of the Regulation. These issues are consistent with the structure and terminology of the CRA itself, which applies to products with digital elements and gives special attention to software made available on the market.
A second core topic is FOSS and open-source software stewards. Here, the draft seeks to clarify when FOSS should be regarded as being placed on the market in the course of a commercial activity and when it remains outside that logic. It also elaborates on the role of the open-source software steward, a figure expressly recognized by the CRA and defined in the Regulation as a legal person, other than a manufacturer, that systematically supports the development and viability of certain FOSS products intended for commercial activities. This area has been singled out by the Commission as one of the draft’s main priorities.
The draft also addresses substantial modifications, repairs and spare parts. In practical terms, this is crucial because a product that undergoes a substantial modification may be treated as though it were being placed on the market again, which can trigger a fresh set of CRA obligations for the person carrying out or commissioning the modification. The Regulation itself reflects this logic, and the Commission’s draft appears intended to offer more operational criteria for distinguishing ordinary repair or maintenance from a change that materially affects compliance. On the same basis, legacy products already on the market before 11 December 2027 may still come within the CRA if they’re substantially modified after that date.
Another significant section deals with the support period. The draft makes clear that five years should not be read as a one-size-fits-all benchmark for every product. Instead, the support period must reflect the product’s reasonably foreseeable period of use. The CRA requires manufacturers to determine a support period and to indicate its end date clearly to users, and the Commission has specifically identified support periods as one of the matters requiring additional explanation. The draft also suggests that, where software is released in successive versions, each version placed on the market should have its own declared support period.
The guidance further discusses important and critical products, indicating that classification should depend on the main functionality of the product as a whole rather than on the isolated qualification of individual embedded components. This is particularly relevant because product classification may affect the available conformity-assessment route under the CRA. The Regulation provides for different pathways, including internal control, notified-body involvement and, where applicable, European cybersecurity certification schemes recognised for CRA purposes.
A separate strand of the draft concerns the cybersecurity risk assessment that manufacturers must carry out. The CRA requires that this assessment inform the design, development, production, delivery and maintenance of the product, and that it be reflected in the technical documentation. The Commission’s draft appears to expand on the practical content of that assessment, including intended use, reasonably foreseeable misuse, threat scenarios, mitigation measures and the handling of third-party and open-source components. This is fully aligned with the legislative text and the Commission’s own summary materials, which stress due diligence when integrating third-party components so they don’t compromise the product’s cybersecurity.
One of the most delicate sections concerns remote data processing solutions (RDPS). According to the Commission’s announcement, RDPS is one of the headline themes of the draft guidance. The draft reportedly develops a more structured way to assess when remote processing should fall within the CRA framework, focusing in substance on whether the remote functionality is integral to the product, whether the product depends on that functionality and whether the remote software is developed by the manufacturer or under its responsibility. Although the draft goes into more detail than the Commission’s announcement itself, its approach is broadly consistent with the official implementation materials.
The draft also covers reporting and vulnerability handling. On this point, the legal framework is already clear. From 11 September 2026, manufacturers have to report actively exploited vulnerabilities and severe incidents affecting the security of products with digital elements. The applicable deadlines include an early warning within 24 hours of becoming aware, a full notification within 72 hours, and a final report no later than 14 days after a corrective measure is available for actively exploited vulnerabilities; for severe incidents, the final report must be submitted within one month from the 72-hour notification. The Commission has also clarified that these reports are to be submitted through the CRA Single Reporting Platform managed by ENISA.
Lastly, the draft explains the interaction between the CRA and other EU legislation. This too is one of the areas expressly highlighted by the Commission in launching the consultation. The issue is especially relevant where products may fall under sector-specific regimes or where components are intended to be integrated into exempt products. The draft guidance is therefore likely to be particularly useful for companies operating in regulated or cross-regulatory environments, where the boundaries between horizontal product rules and sectoral legislation need to be mapped carefully.
Next steps
The guidance remains in draft form, and stakeholders have been invited to submit comments by 31 March 2026. For businesses already working on CRA-readiness programmes, the text is a valuable planning tool. At the same time, caution remains necessary: the final version may differ from the draft now under consultation, and guidance will not have the same binding legal force as the Regulation itself. Ultimately, authoritative interpretation of EU law rests with the Court of Justice of the European Union.
In practical terms, companies should continue preparing for the nearer-term 2026 milestones, above all the start of the reporting regime on 11 September 2026, while keeping in view the broader compliance trajectory leading to full application of the CRA on 11 December 2027.
