06-16-2026 Article

Cyber Resilience Act: Recent Developments and New Guidance for Businesses

Update Data Protection No. 254

With the Cyber Resilience Act (CRA), the European Union has introduced new mandatory cybersecurity requirements for products with digital elements. For manufacturers, this marks the end of the previously largely voluntary standards-based regulatory landscape, which is now replaced by a harmonised European legal framework. In light of the reporting obligations for actively exploited vulnerabilities and serious security incidents taking effect from 11 September 2026, as well as the full applicability of the CRA from 11 December 2027, practical preparations for the new obligations are becoming increasingly important. In particular, businesses are called upon to adapt their product development, vulnerability management, and compliance processes to the CRA requirements at an early stage. At the same time, numerous interpretive questions are being progressively clarified by the European Commission and national authorities. This article provides an overview of the current state of regulatory clarification and identifies which guidance tools are already available to help businesses implement the CRA.

I. Key Content of the CRA

The CRA applies to all economic operators that make products with digital elements available on the Union market. It covers manufacturers, importers, and distributors in particular, with the primary focus of regulation on manufacturers. The term “manufacturer” encompasses not only traditional hardware producers, but also software providers and companies marketing products under their own brand. They are responsible for compliance with the comprehensive cybersecurity requirements of the CRA throughout the entire product lifecycle (as reported in Data Protection Update No. 243).

At the core of the Regulation are requirements for the secure development and design of products, the performance of cybersecurity risk assessments, and the establishment of effective vulnerability management. Manufacturers must, in particular, document and remediate security vulnerabilities and provide security updates during a defined support period. These obligations are supplemented by conformity assessment, documentation, and reporting duties, particularly in respect of actively exploited vulnerabilities and serious security incidents. Importers and distributors, by contrast, are primarily subject to verification, monitoring, and cooperation obligations to ensure that only CRA-compliant products are made available on the Union market.

II. Clarifications by the European Commission

Since the CRA entered into force, the European Commission has begun to clarify key interpretive questions through supplementary documents and legal acts.

The CRA FAQ represent the most comprehensive practical interpretive guidance issued by the Commission to date. Although they are not legally binding, they are intended to be continuously updated as a “living document” and are therefore likely to acquire considerable practical significance for market surveillance authorities and businesses alike. The FAQ clarify, in particular, the material scope of the CRA and confirm that standalone software, firmware, and a wide range of hardware products may all be covered. At the same time, the Commission makes clear that pure websites and standalone SaaS offerings generally do not fall within the scope of the CRA, provided they do not constitute a remote data processing solution forming part of a product with digital elements. Further important clarifications concern the concept of a substantial modification, the requirements for cybersecurity risk assessments, and vulnerability handling. Of particular practical relevance is the statement that manufacturers are not obliged to remediate every vulnerability by means of a patch; rather, risk-based alternative mitigation measures may also be considered. The FAQ also elaborate on the obligations relating to the integration of third-party components and open-source elements. For businesses, however, the question remains open as to what specific requirements will be imposed in future regarding documentation of the risk assessment and the exercise of the requisite due diligence obligations.

Even greater practical impact is likely to result from Implementing Regulation (EU) 2025/2392. The CRA refers, in relation to “important” and “critical” products with digital elements, to Annexes III and IV without further defining the product categories listed therein. The Implementing Regulation now provides, for the first time, detailed technical descriptions of these categories, thereby specifying when more stringent conformity assessment procedures apply. Of particular significance is the “core function” criterion highlighted by the Commission. According to this criterion, the mere integration of a critical or important component does not automatically result in the overall product being classified as an important or critical product. Rather, what remains decisive is the primary function of the overall product. While this resolves numerous demarcation issues, it simultaneously creates new challenges for multifunctional products and complex software solutions. Manufacturers will increasingly need to document why they consider a particular function to be the defining core function. It remains open, in particular, how market surveillance authorities will classify borderline cases, such as AI-powered platforms or integrated security solutions.

The Delegated Regulation (EU) 2026/881 concerns the reporting obligations under Articles 14 and 16 CRA. It establishes the conditions under which a competent CSIRT (Computer Security Incident Response Team, i.e. the national cybersecurity incident response team of an EU Member State) may temporarily postpone the dissemination of reports on actively exploited vulnerabilities or serious security incidents. The rationale is the concern that premature disclosure of particularly sensitive information could itself create additional cybersecurity risks. Postponement may be considered, in particular, where a patch or other effective risk mitigation measure is expected to be deployed in the short term, where the reported information could be directly used to develop an exploit, or where a coordinated vulnerability disclosure process is still ongoing. For manufacturers, the Regulation thus provides greater legal certainty in handling sensitive vulnerability reports. At the same time, new practical questions arise regarding coordination with the competent CSIRTs and the delineation of cases in which a legitimate confidentiality interest genuinely prevails.

Finally, the Commission is currently working on the guidelines provided for under Article 26 CRA (as reported in Data Protection Update No. 243). According to the drafts published to date, these guidelines are intended in particular to assist small and medium-sized enterprises with the practical implementation of the Regulation and to provide further clarification on key interpretive questions, such as risk assessment, substantial modifications to products, support periods, and vulnerability handling. Particularly in the area of “substantial modifications,” there is currently considerable legal uncertainty, as this concept determines whether products already placed on the market are once again subject to the CRA requirements. The guidelines could therefore become one of the most important instruments for the practical application of the CRA. At the same time, it remains to be seen whether the Commission merely clarifies existing ambiguities or effectively formulates new requirements. Businesses should therefore closely monitor further developments and continuously adapt their compliance measures.

III. BSI Technical Guidelines

The German Federal Office for Information Security (BSI) is also supporting the implementation of the CRA through its Technical Guideline series TR-03183. The guidelines are intended to provide manufacturers with concrete technical and organisational assistance for the practical implementation of the CRA requirements, partly bridging the gap until harmonised European standards become available.

The parts of the guideline series published to date address, in particular, the requirements for secure development processes, Software Bill of Materials (SBOM), vulnerability management, and reporting and disclosure processes. Specifically, TR-03183-3 elaborates on the requirements for handling vulnerability reports and for Coordinated Vulnerability Disclosure (CVD) procedures. It sets out, inter alia, requirements for establishing appropriate security contact points, for publishing a “security.txt” file, and for the organisational design of reporting and communication processes for security researchers and authorities.

With the Technical Guideline TR-03183-H, published on 30 May 2026, the BSI has for the first time issued implementation guidance for conformity assessment under the Module H (“Full Quality Assurance”) procedure. Module H is one of the conformity assessment procedures envisaged under the CRA and focuses not on the individual product but on the manufacturer’s processes. In particular, it examines whether the manufacturer has an appropriate quality and security management system in place that ensures ongoing compliance with the CRA requirements during development, production, and vulnerability handling.

TR-03183-H describes an approach in which an existing information security management system (ISMS) pursuant to ISO/IEC 27001 is supplemented with CRA-specific requirements. The focus is on continuous risk assessment, secure development processes, security testing, change management, and structured vulnerability management throughout the entire product lifecycle.

Although the BSI guidelines do not constitute harmonised standards and do not give rise to a direct presumption of conformity, they are already acquiring considerable practical significance. They provide manufacturers with a concrete framework for the design of CRA-compliant processes and are also likely to indicate the requirements that notified bodies and market surveillance authorities will apply when assessing CRA compliance in the future.

IV. Conclusion and Outlook

With the European Commission’s FAQ, the legal acts adopted to date, and the BSI’s technical guidelines, initial important clarifications of the CRA are now available. Nevertheless, the Regulation remains in a transitional and clarification phase. In particular, the still outstanding harmonised European standards will be of central importance for practical implementation and the demonstration of conformity.

Initial standardisation results are already expected for the third quarter of 2026, including both horizontal and product-specific standards. These are intended to translate the general CRA requirements into concrete technical and organisational measures and to facilitate manufacturers’ demonstration of conformity in the future. For the fourth quarter of 2026, the European Commission has also announced a delegated act establishing the conditions for a presumption of conformity on the basis of the European cybersecurity certification system EUCC (European Cybersecurity Certification Scheme on Common Criteria). This could further increase the significance of existing cybersecurity certifications within the framework of CRA compliance.

Regardless of these further clarifications, affected businesses should make active use of the remaining transitional period. In view of the reporting obligations taking effect from 11 September 2026, it is particularly advisable to establish processes for vulnerability handling, incident response, and regulatory reporting at an early stage. By the time of the CRA’s full applicability on 11 December 2027, product development, documentation, and compliance processes should also be reviewed and adapted to the CRA requirements. Given the ongoing clarification of the regulatory requirements, there is much to be said for beginning implementation now rather than waiting for all standards and guidelines to be finalised.

This article was created in collaboration with our student employee Emily Bernklau.
