01What this is
The Regulation sets the obligations; Commission guidance explains how to apply them in practice. Guidance is non-binding and does not change the law, but market surveillance authorities and notified bodies look to it for a consistent interpretation, so it is the natural companion to the Art. 1 text.
Read guidance alongside the article it interprets. Where guidance and your own reading differ, the binding reference is always the text of the Regulation and, ultimately, the courts.
02The Commission FAQ
The Commission maintains a frequently-asked-questions document that consolidates the most common interpretation questions: scope edge-cases, the treatment of spare parts and components, and how the timeline applies to products already on the market. First published in December 2025, it is a “living document” that is updated as new questions arise.
Read the Commission's FAQ on CRA implementation: Cyber Resilience Act implementation: frequently asked questions ↗
03Scope clarifications
Much of the guidance addresses scope, the single most asked-about area. It clarifies what counts as a “product with digital elements”, how remote data-processing solutions are treated, and where the boundary sits with sector-specific legislation. Art. 2
- Data connection; a direct or indirect logical or physical connection is enough to bring a product into scope.
- Excluded sectors; medical devices, motor vehicles and civil aviation remain under their own frameworks.
- SaaS; standalone services are generally outside the CRA, but processing necessary for a product to function is treated as part of the product. Art. 3
04Open-source software
Guidance explains the tailored, lighter regime for open source. Non-commercial open-source software developed outside a commercial activity is largely outside scope; “open-source software stewards” have a defined, proportionate set of duties.
The trigger is commercial activity. A component supplied free of charge but in the course of a commercial activity can still fall within scope.
05Support period & updates
Guidance indicates how to set a defensible support period: it must reflect how long the product is reasonably expected to be in use, and should generally be at least five years unless the expected use is shorter. Security updates must be free and provided separately from feature updates. Art. 13
06Reporting & ENISA
Reporting runs through the single reporting platform that ENISA is establishing under Art. 16. On becoming aware of an actively exploited vulnerability, or a severe incident affecting the product's security, a manufacturer notifies ENISA and the national CSIRT through that platform on a 24-hour / 72-hour / 14-day timeline. Guidance sets out what each of the early warning, the notification and the final report should contain. Art. 14
The reporting obligations become enforceable on 11 September 2026, and ENISA's single reporting platform is intended to be operational by that date.
07Harmonised standards
The essential requirements in Annex I are expressed in outcome terms. Harmonised standards, once cited in the Official Journal, give a presumption of conformity for products that follow them.
The Commission's standardisation request M/606 was accepted by CEN, CENELEC and ETSI in 2025 and covers around 41 standards: roughly 15 horizontal (product-agnostic) and the remainder vertical (product-specific). The two core horizontal standards, on secure development and on vulnerability handling, are expected by 30 August 2026; the vertical standards by 30 October 2026; and the remaining horizontal standards by 30 October 2027, about a year before full application.
Until standards are cited, conformity must be demonstrated directly against the Annex I requirements. Once a relevant standard is cited, following it is the simplest route to a presumption of conformity.