The European Commission has published FAQs on the Cyber Resilience Act (CRA), thereby addressing key questions regarding the practical application of the new regulatory framework for the first time.
The CRA aims to establish a uniform cybersecurity regime for “products with digital elements,” in particular connected hardware, software, and certain related remote data processing solutions. The CRA requirements will be phased in gradually until the end of 2027. In practice, however, significant uncertainties have so far existed in many areas regarding interpretation and implementation.
The newly published FAQs seek to address these issues. They provide answers to frequently asked questions on the CRA and offer companies an initial, reliable basis for practical implementation. The European Commission itself describes the document as a “living document” that will be continuously updated.
The FAQs are particularly helpful where they clarify previously unresolved interpretative issues. This applies in particular to questions concerning the scope of application of the CRA and the concept of “products with digital elements,” the requirements for cybersecurity risk assessments, the principle of “secure by default,” the handling of vulnerabilities in integrated third-party components, and the duration of support periods. The explanations regarding security updates and the handling of open-source and third-party components are also of practical relevance.
The FAQs also provide important guidance on the timeline. The obligations under the CRA will generally apply from 11 December 2027. However, the rules on reporting actively exploited vulnerabilities and severe security incidents will apply earlier, from 11 September 2026.
Companies should take the publication of the FAQs as an opportunity to assess at an early stage whether they are affected and what their current state of implementation is. This includes, in particular, determining whether their products fall within the scope of application, how vulnerability management, update processes, and technical documentation are organised, and whether third-party components, including open-source software, are adequately reviewed and documented. The FAQs now published provide an important initial working basis in this regard.
We would be pleased to assist you with any questions relating to the CRA as well as with the assessment and implementation of the new requirements.
March 31, 2026