The EU Commission has published FAQs on the Cyber Resilience Act (CRA), addressing key questions regarding the practical application of the new legal framework for the first time.
The CRA aims to create a uniform cybersecurity regime for “products with digital elements,” specifically for connected hardware, software, and certain associated remote processing solutions. The requirements of the CRA will be implemented in stages until the end of 2027. In practice, however, there has been significant uncertainty regarding interpretation and implementation in many areas.
This is where the newly published FAQs come in. They answer frequently asked questions about the CRA and provide companies with initial reliable guidance for practical implementation. The EU Commission itself describes the document as a “living document” that will be continuously updated.
The FAQs are particularly helpful where they provide clarity on previously unresolved questions of interpretation. This applies in particular to questions regarding the scope of the CRA and the definition of “products with digital elements,” requirements for cybersecurity risk assessments, the “secure by default” principle, the handling of vulnerabilities in integrated third-party components, and the duration of the support period. The explanations regarding security updates and the handling of open-source and third-party components are also highly relevant in practice.
The FAQs also provide important information regarding the timeline. The obligations of the CRA generally apply from December 11, 2027. However, the regulations for reporting obligations regarding actively exploited vulnerabilities and serious security incidents will already take effect from September 11, 2026.
Companies should take the publication of the FAQs as an opportunity to assess their exposure and implementation status at an early stage. This includes, in particular, whether their own products fall within the scope, how vulnerability management, update processes, and technical documentation are organized, and whether third-party components, including open source, are reliably audited and documented. The newly published FAQs provide an important initial working basis for this.
We would be pleased to assist you with questions regarding the CRA as well as with the review and implementation of the new requirements.
March 31, 2026