Overview
On March 3, 2026, the European Commission published draft guidance on the Cyber Resilience Act (CRA), which is open to public consultation until March 31, 2026. The CRA sets strict cybersecurity requirements for products with digital elements (with limited exceptions, such as medical devices). Its objective is clear: ensuring that such products, when placed or made available on the market, are secure by design and by default and remain secure throughout their lifecycle. (Please see our full analysis of the CRA here.)
The publication of the European Commission's draft guidance serves as a timely reminder of the rapidly approaching compliance deadlines under this landmark regulation, and the ongoing public consultation provides an opportunity for manufacturers, importers, and distributors to clarify grey areas, shape implementation, and begin preparing for compliance.
By When Do Organizations Need to Comply With the Cyber Resilience Act?
As a reminder, while most CRA obligations will apply from December 11, 2027, some requirements will take effect sooner. Specifically, Article 14 of the CRA concerning manufacturers' reporting obligations will become applicable from September 11, 2026. Under this provision, manufacturers must report any actively exploited vulnerability in products with digital elements, as well as any severe incident impacting product security, to the Computer Security Incident Response Teams (CSIRT) and to the European Union Agency for Cybersecurity (ENISA). They must also inform impacted users.
All other obligations under the CRA will become fully applicable starting December 11, 2027. For example, the obligations of manufacturers of products with digital elements include:
- meeting essential cybersecurity requirements;
- performing cybersecurity risk assessments;
- drawing up and maintaining technical documentation;
- demonstrating conformity (including where relevant via third‑party assessment) and affixing CE-marking;
- handling any vulnerability across the product's lifecycle; and
- implementing secure-by-design processes.
The CRA has extraterritorial effect: it applies to any company that manufactures, imports, or distributes products with digital elements on the EU market, irrespective of its location or establishment. Importers, distributors, and open-source software stewards should also be aware of their responsibilities and obligations.
What Does the European Commission's Guidance Provide?
The European Commission's draft guidance is intended to help organizations understand how to apply some of the CRA's more complex requirements in practice. It offers clarification on which products fall within scope, including how the CRA applies to remote data processing solutions and free and open‑source software, and explains how companies should determine the required support period during which security updates and vulnerability handling must be maintained. The guidance also addresses how organizations should assess whether changes to a product constitute a "substantive modification," which may trigger renewed conformity assessment obligations. It further aims to help businesses navigate the overlap between the CRA and other EU legislation, such as Network and Information Security Directive 2022/2555 (NIS 2), the Cybersecurity Act, and the General Data Protection Regulation (GDPR), so that compliance efforts can be aligned. Finally, it provides additional interpretation on day‑to‑day compliance obligations, including incident reporting, vulnerability management, risk assessments, and technical documentation, with the aim of supporting both large organizations and SMEs as they prepare for the upcoming deadlines.
How and by When Can Organizations Share Their Views on the European Commission's Draft Guidance?
Businesses, industry associations, and technical experts can provide feedback on the draft guidance until March 31, 2026, by completing the form available here. Such feedback will be taken into account by the European Commission in the finalization of the guidance. This is a unique opportunity for stakeholders to raise their concerns and share insights into practical challenges and market realities.