Dear Reader,
A LinkedIn contact recently asked me in a private message: “Do you consult legal advice to get this clear understanding, or do you research this on your own?”
I haven’t consulted any legal advice for the EU CRA yet. I’ll probably do this in the future, as I have done for tricky licensing questions. As many of you probably know, I advise companies on license compliance for embedded Linux systems.
My work on FOSS licenses (especially, using Qt under LGPL) makes it easier for me to find my way through the EU CRA. In the end, my understanding of the EU CRA comes from a lot of research, from discussions with other people and from feedback on my posts. It’s a learning process for me. I will get things wrong on the way, but I am happy to correct my mistakes. So, keep your questions, comments and criticism coming.
In this newsletter, I want to give you some pointers about my resources for the EU CRA. The most important resource is unsurprisingly the legal text of the EU CRA. If I don’t understand a term or concept of the EU CRA, I’ll have a look at the Blue Guide. Germany’s Federal Office for Information Security has a lot of useful information about the EU CRA and cyber security topics. Last but not least, there are the blog posts, the LinkedIn posts and the newsletter of Sarah Fluchs. She is an invaluable source about the EU CRA and the bigger picture of worldwide cyber security regulations.
I’m sure that I’ll find more resources over time. I’ll let you know.
Have a great summer,
Burkhard 💜
My Content
EU CRA: Start, Length and End of Support Period
Manufacturers must satisfy the essential requirements related to product properties and vulnerability handling (Annex I) during the entire support period of their products. The support period starts when an individual product is placed on the EU market. When, for example, a German manufacturer sells a combine harvester to a French farmer, it places the harvester on the market.
Whether a product is placed on the market before, during or after the transitional period (11 December 2024 - 10 December 2027), and whether the product has been substantially modified after the transitional period, together decide whether the EU CRA applies to the product.
1. Products that are placed on the market after the transitional period must fully comply with the EU CRA.
2. Products that are placed on the market during the transitional period and are subject to a substantial modification after the transitional period must fully comply with the EU CRA.
3. Open question: Do products that were placed on the market before the transitional period have to comply with the EU CRA
   a. if they are subject to substantial modifications after the transitional period?
   b. if they are not subject to substantial modifications after the transitional period?
Clause 1 holds for all products - no matter when they were manufactured. Clause 2 follows from Article 69(2).
Article 69(2) could also be valid for products placed on the market before the transitional period, as it refers to products placed on the market before 11 December 2027. This would include “all products placed on the market before or during the transitional period”.
The crucial question is: Can the EU CRA - an EU law - be applied retrospectively to products placed on the EU market before it entered into force? I am pretty sure that the answer is no.
Saying yes would violate two articles of the German constitution. Article 20(3) guarantees the certainty of law and Article 103(2) prohibits laws from taking retrospective effect. You will find similar provisions in the constitutions of the other EU countries and in the EU treaties. The certainty of law ensures that a legal sale in, say, 2022 cannot become illegal in 2025.
The legislator took the certainty of law into account when granting a 3-year transitional period. The Blue Guide confirms this (emphasis mine).
The aim of the transitional period is to allow manufacturers […] to adjust gradually to the conformity assessment procedures and the essential or other legal requirements set up by a new or a revised piece of legislation, and, thus, to avert the risk of blocking production. Further, manufacturers […] need to be given time to exercise any rights they have acquired under any pre-existing, national or EU rules, for example to sell their stocks of products manufactured in line with the pre-existing rules.
Blue Guide: Section 2.10. Transitional periods in the case of new or revised EU rules
The Blue Guide gets more specific about products that are placed on the market before 11 December 2027 but follow the pre-CRA regulations. These products most likely violate the CRA.
After the transitional period, products manufactured before or during this period, in line with the legislation to be repealed, may no longer be placed on the market. A product, which is placed on the market before the end of the transitional period, should be allowed to be made available on the market or put into service. Nevertheless, specific Union harmonisation legislation could forbid the making available of such products if this is deemed necessary for safety reasons or other objectives of the legislation.
Blue Guide: Section 2.10. Transitional periods in the case of new or revised EU rules
The first sentence corroborates Clause 1. The EU CRA forbids manufacturers from placing products on the market after 11 December 2027 if these products follow pre-CRA regulations.
The second sentence allows end users to operate products after 11 December 2027 if the products were placed on the market before that date. It also gives manufacturers a way to sell legacy products after 11 December 2027. Here are two examples from the Blue Guide:
The manufacturer sells several units of a product to a distributor before 11 December 2027. The distributor stores the units in a warehouse and sells its stock after 11 December 2027. (See footnote 100)
Even if the distributor belongs to the manufacturer, the units are placed on the market when they are sent to the internal distributor. (See example 2.12.3)
The third sentence can restrict the scope of the second sentence under certain conditions. Such a restriction needs a very good reason like consumers’ health and safety, as it also limits the certainty of law. Furthermore, such restrictions are easier to justify for higher-risk important and critical products than for lower-risk default products.
So far, the argument could be summarised as follows:
Legacy Products - Variant 1: Products placed on the market before or during the transitional period would be exempted from the EU CRA - unless these products carry high risks like those for the health and safety of end users.
However, this interpretation would contradict Article 69(2), which restricts the products exempted from the EU CRA even further. Only products that were not substantially modified after the transitional period (that is, after 11 December 2027) are exempted from the EU CRA.
Legacy Products - Variant 2: Products that are placed on the market before or during the transitional period and are subject to substantial modifications must comply with the EU CRA.
Article 69(2) is the third restriction of the certainty of law, a constitutional right, for legacy products.
1. Products manufactured before 11 December 2027 must not be placed on the market after that date.
2. Products placed on the market before 11 December 2027 and carrying a high risk can be pulled from the market after that date.
3. Products placed on the market before 11 December 2027 and subject to substantial modifications after that date must suddenly comply with the CRA.
I think that the first two restrictions will hold up in court, but I am sceptical about the third. The first restriction is OK, because manufacturers have the 3-year transitional period to sell off their inventory. If manufacturers move their inventory to a distributor before 11 December 2027, the distributor can sell the inventory even after that date. The second restriction is also OK, because health and safety of human beings is ranked higher in the constitution than the certainty of law.
The third restriction would prevent manufacturers from updating and maintaining their products according to pre-CRA regulations. New functionality or non-trivial bug fixes easily become substantial modifications and force legacy products to follow CRA regulations. That would be a heavy restriction of the certainty of law and the prohibition of law taking retrospective effect. I could imagine the following compromise:
1. Products that are placed on the market during the transitional period and are subject to substantial modifications after that period must fully comply with the CRA.
2. Products that were placed on the market before the transitional period do not have to comply with the CRA.
But be careful: I am speculating here how courts could decide. I might be wrong. And any lawyer telling you this or that might be wrong, too.
The safe way is to handle products placed on the market before the transitional period in the same way as products placed on the market during the transitional period. Wait for a big company with deep pockets to take the EU Commission to court or wait for the EU Commission to clarify the EU CRA. Until then, follow these two rules.
1. Products that are placed on the market after the transitional period must fully comply with the EU CRA.
2. Products that are placed on the market before or during the transitional period and are subject to a substantial modification after the transitional period must fully comply with the EU CRA.
My explanation of whether the EU CRA applies to legacy products was triggered by a discussion on LinkedIn. Harald Fischer, Security Aspect Lead at Balena, challenged a statement in my original post, and rightly so: “The EU CRA does not apply to products placed on the market before 11 December 2024.”
Resources for the EU Cyber Resilience Act
The Legal Text of the EU CRA
The official name of the EU CRA is Regulation (EU) 2024/2847. The EU CRA is available in English, German, French, Spanish, Italian and all the other official languages of the EU. The following articles are a good starting point for manufacturers.
If you don’t understand any terms while reading the EU CRA, you have a good chance to find a brief explanation in Article 3: Definitions. This article defines terms like product with digital elements, manufacturer, placing on the market, making available on the market, substantial modification, conformity assessment, software bill of materials and many others.
Article 6, Article 7 (Annex III) and Article 8 (Annex IV) define the risk categories of products: default, important and critical products. Critical products have the highest cybersecurity risk and default products the lowest. Higher risk means higher damage caused by a vulnerability and a higher likelihood of a vulnerability being exploited. Manufacturers must perform a self-assessment for default products. Important and critical products require the involvement of notified bodies like the TÜV in the conformity assessment. You’ll find more information in my post Critical, Important and Default Products.
Article 13: Obligations of manufacturers directs manufacturers to the other relevant articles and annexes. The article makes very clear that your embedded devices must satisfy the essential requirements of Annex I during the support period. It also requires manufacturers to produce technical documentation (Annex VII) including a software bill of materials, a risk assessment, a description of the process for handling vulnerabilities and an assessment of how the embedded device satisfies the essential requirements related to product properties.
Annex I Part I and Part II are the centrepiece of the EU CRA. If manufacturers violate any of these requirements, they may face heavy penalties.
Annex I Part I: Essential requirements related to product properties lays down the confidentiality, integrity and availability requirements that every device must satisfy. The first requirement (2a) demands that releases must not contain any known exploitable vulnerabilities in the manufacturer’s and third-party software and hardware components. Any violation of the following 12 requirements (2b-m) is considered an exploitable vulnerability. Any known exploitable vulnerability shipped with a device may lead to heavy penalties. I explain Annex I Part I in detail in my post EU CRA: Essential Requirements Related to Product Properties.
Annex I Part II: Essential requirements related to vulnerability handling defines the basic process by which manufacturers must identify, address and remediate vulnerabilities in their own and third-party components, and how they must provide fixes through secure updates in a timely fashion. Manufacturers must publish fixed vulnerabilities as security advisories on their websites. They must also have a coordinated vulnerability disclosure (CVD) policy so that other people can tell them about discovered vulnerabilities. I explain Annex I Part II in detail in my post EU CRA: Essential Requirements Related to Vulnerability Handling.
Article 14: Reporting obligations of manufacturers stipulates that manufacturers must notify the national and EU authorities about actively exploited vulnerabilities and severe incidents without delay. ENISA - the EU Agency for Cybersecurity - will provide a platform for the notifications (see Article 16). Note that manufacturers must start reporting according to Article 14 from 11 September 2026 (see Article 71(2)).
The Blue Guide
The ‘Blue Guide’ on the implementation of EU product rules 2022, as the Blue Guide is called officially, helped me understand terms like making available on the market, placing on the market, substantial modification and intended purpose in my recent post about the support period. I’d like to draw your attention to two interesting sections of Chapter 2 When does Union harmonisation legislation on products apply.
Section 2.10 Transitional periods in the case of new or revised EU rules explains whether products placed on the market before, during or after the transitional period (11 December 2024 - 10 December 2027) must conform to the EU CRA or not.
Section 2.12 Summary examples gives several examples of how to determine when a product was placed on the EU market.
Chapter 5 Conformity Assessment sheds more light on the conformity assessment procedures mentioned in Annex VIII of the EU CRA.
You’ll find a lot more interesting information in the Blue Guide. When you don’t understand a term in the EU CRA, have a look into the Blue Guide.
Germany’s Federal Office for Information Security (BSI)
Technical Guidelines BSI TR-03183
Germany’s Federal Office for Information Security (BSI) has published several technical guidelines BSI TR-03183 about crucial parts of the EU CRA.
Part 1: General requirements explains the essential requirements related to product properties and vulnerabilities of Annex I in detail. This guideline helped me understand the vaguely formulated requirements of Annex I. It was the basis for my posts EU CRA: Essential Requirements Related to Product Properties and EU CRA: Essential Requirements Related to Vulnerability Handling.
Part 2: Software Bill of Materials (SBOM) defines the admissible formats for the SBOM (CycloneDX 1.5 or higher and SPDX 2.2.1 or higher), the required contents and the types of SBOM. Manufacturers create the SBOM for their own software components and consume the SBOMs of third-party components. The SBOM allows manufacturers to check whether any components have known vulnerabilities. Manufacturers must decide themselves whether those vulnerabilities are exploitable in their products.
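The check described in the paragraph above, as an added example that is not part of the newsletter or of BSI TR-03183: a minimal consumer of a CycloneDX 1.5 JSON SBOM that rejects documents below the 1.5 format floor, then matches each component’s package URL against an advisory list. The SBOM, the advisory ids (EXAMPLE-…) and the affected versions are constructed for illustration and name no real vulnerability; the exploitability verdict is deliberately left open, because that decision remains with the manufacturer.

```python
"""Match the components of a CycloneDX 1.5 JSON SBOM against an advisory list.
Added example; the SBOM and the advisories below are constructed."""
from __future__ import annotations
import json
from dataclasses import dataclass

# Constructed CycloneDX 1.5 SBOM for a fictional telematics-unit firmware.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "firmware", "name": "telematics-fw", "version": "4.2.0"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.2", "purl": "pkg:generic/openssl@3.0.2"},
        {"type": "library", "name": "zlib", "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1"},
        {"type": "library", "name": "qtbase", "version": "6.5.3", "purl": "pkg:generic/qtbase@6.5.3"},
    ],
})

# Constructed SBOM in an older format, used to show the TR-03183-2 floor check.
OLD_SBOM = '{"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": []}'


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id (constructed), not a real CVE
    purl_base: str     # package URL without the "@version" part
    fixed_in: str      # first version that contains the fix
    summary: str


# Constructed advisory feed; every entry is fictional.
ADVISORIES = [
    Advisory("EXAMPLE-2024-0001", "pkg:generic/openssl", "3.0.7", "constructed: bug in certificate parsing"),
    Advisory("EXAMPLE-2024-0002", "pkg:generic/zlib", "1.2.12", "constructed: overflow in inflate"),
]


def parse_version(v: str) -> tuple:
    """Compare dotted versions numerically; non-numeric parts sort below numbers."""
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in v.split("."))


def split_purl(purl: str) -> tuple[str, str | None]:
    """'pkg:generic/zlib@1.3.1' -> ('pkg:generic/zlib', '1.3.1')."""
    base, _, version = purl.partition("@")
    return base, (version or None)


def load_components(sbom_json: str) -> list[dict]:
    """Return the component list, rejecting non-CycloneDX or pre-1.5 documents."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    major, minor = (int(x) for x in bom["specVersion"].split("."))
    if (major, minor) < (1, 5):
        raise ValueError(f"CycloneDX {bom['specVersion']} is below the 1.5 minimum of TR-03183-2")
    return bom.get("components", [])


def is_acceptable_format(sbom_json: str) -> bool:
    try:
        load_components(sbom_json)
        return True
    except (ValueError, KeyError):
        return False


def find_affected(sbom_json: str, advisories=ADVISORIES) -> list[dict]:
    """List components whose version is below an advisory's fixed_in version."""
    hits = []
    for comp in load_components(sbom_json):
        purl = comp.get("purl")
        if not purl:
            continue  # nothing to match on; the SBOM should carry a purl per component
        base, version = split_purl(purl)
        version = version or comp.get("version")
        for adv in advisories:
            if adv.purl_base == base and version and parse_version(version) < parse_version(adv.fixed_in):
                hits.append({
                    "component": comp["name"],
                    "version": version,
                    "advisory": adv.advisory_id,
                    "fixed_in": adv.fixed_in,
                    # The manufacturer must still decide whether the bug is reachable in this product.
                    "exploitable": None,
                })
    return hits


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_SBOM):
        print(f"{hit['component']} {hit['version']}: {hit['advisory']} (fixed in {hit['fixed_in']}), exploitability to be triaged")
```

Only openssl 3.0.2 is reported: zlib 1.3.1 is already newer than the constructed fix version, and qtbase has no entry in the feed. Each hit carries an empty exploitability field, which is where the manufacturer’s own triage (reachable code path, mitigating configuration) would be recorded before deciding whether the device ships with a known exploitable vulnerability in the sense of Annex I.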
Part 3: Vulnerability Reports and Notifications specifies what the manufacturer’s Coordinated Vulnerability Disclosure (CVD) policy should contain. The CVD policy defines the process by which entities – users, customers, security researchers, white-hat hackers, individuals and groups – can report vulnerabilities to a manufacturer and how the manufacturer should respond to such reports. The policy is described in the plain-text file security.txt based on RFC 9116: A File Format to Aid in Security Vulnerability Disclosure.
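As an added example of the security.txt format mentioned above (my own code, not part of the newsletter or of BSI TR-03183), the following parser reads a security.txt file and checks the rules that RFC 9116 makes mandatory: at least one Contact, exactly one Expires with a time-zone-aware timestamp that is neither past nor more than a year ahead, at most one Preferred-Languages, and https for web URIs. The two sample files and the frozen “now” timestamp are constructed; the domain example.com is a placeholder.

```python
"""Parse and sanity-check a security.txt file against RFC 9116.
Added example; the sample files are constructed and name no real organisation."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Field names defined in RFC 9116 section 2.5; matching is case-insensitive.
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}

# Frozen clock so that the checks are reproducible (constructed).
FROZEN_NOW = datetime(2029, 6, 1, tzinfo=timezone.utc)

GOOD_SAMPLE = """# Constructed example; not any real organisation's file
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, de
Policy: https://example.com/security/cvd-policy
Canonical: https://example.com/.well-known/security.txt
"""

BAD_SAMPLE = """Contact: security@example.com
Expires: 2020-01-01T00:00:00Z
Expires: 2031-01-01T00:00:00Z
Policy: http://example.com/security/cvd-policy
"""


@dataclass
class SecurityTxt:
    fields: dict[str, list[str]] = field(default_factory=dict)  # lower-cased name -> values
    problems: list[str] = field(default_factory=list)           # syntax problems seen while parsing


def parse_security_txt(text: str) -> SecurityTxt:
    """Split 'Name: value' lines, skipping blank lines and '#' comments."""
    doc = SecurityTxt()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            doc.problems.append(f"line {lineno}: not a 'name: value' field")
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if not value:
            doc.problems.append(f"line {lineno}: field '{name}' has an empty value")
            continue
        if name not in KNOWN_FIELDS:
            doc.problems.append(f"line {lineno}: '{name}' is not defined in RFC 9116 (extension fields are allowed; check spelling)")
        doc.fields.setdefault(name, []).append(value)
    return doc


def validate(doc: SecurityTxt, now: datetime | None = None) -> list[str]:
    """Return the list of RFC 9116 violations; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    problems = list(doc.problems)

    contacts = doc.fields.get("contact", [])
    if not contacts:
        problems.append("missing required field 'Contact'")
    for c in contacts:
        if not c.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact '{c}' is not a mailto:, tel: or https: URI")

    expires = doc.fields.get("expires", [])
    if len(expires) != 1:
        problems.append(f"'Expires' must appear exactly once, found {len(expires)}")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                problems.append("'Expires' has no time zone")
            elif exp <= now:
                problems.append("'Expires' is in the past; the file is stale")
            elif exp > now + timedelta(days=365):
                problems.append("'Expires' is more than a year ahead; RFC 9116 recommends less")
        except ValueError:
            problems.append(f"'Expires' value '{expires[0]}' is not an ISO 8601 timestamp")

    if len(doc.fields.get("preferred-languages", [])) > 1:
        problems.append("'Preferred-Languages' must not appear more than once")

    for name, values in doc.fields.items():  # web URIs must use https (section 2.5)
        for v in values:
            if v.lower().startswith("http://"):
                problems.append(f"'{name}' value '{v}' uses http://; RFC 9116 requires https")
    return problems


if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(label, validate(parse_security_txt(sample), now=FROZEN_NOW) or ["ok"])
```

Against the frozen clock the first sample passes cleanly, while the second collects three findings: a bare e-mail address instead of a mailto: URI, a duplicated Expires field and a plain-http Policy link. A real deployment would serve the file at /.well-known/security.txt and re-run a check like this before the Expires date passes, since an expired file tells reporters the policy may no longer be maintained.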
IT Security Requirements and Conformity Assessment for the IT Security Label
The IT Security Label is a voluntary conformity assessment and helps manufacturers prepare for the EU CRA. Manufacturers must demonstrate how they satisfy the essential requirements related to product properties (EU CRA Annex I Part I) to get the IT Security Label, which is similar to a CE label.
The page IT Security Requirements and Conformity Assessment links to test specifications of conformity assessments for five product categories: broadband router, e-mail services, mobile devices, smart consumer devices and video conferencing services.
I found the test specification for broadband routers very interesting, as routers have security requirements similar to those of telematics units in agricultural and construction machines. The test specification lists acceptance tests for each security requirement given in the standardised technical specification. If the router passes all tests, it conforms with the IT security requirements.
The EU Commission will provide test specifications - called harmonised standards in the EU CRA - for different product categories in the future. If a product complies with the relevant harmonised standard, it will comply with the essential requirements of Annex I. According to Sarah Fluchs, such Type-C standards for critical products (Annex IV) and important products (Annex III) will be available by 30 October 2026. Manufacturers shouldn’t expect any harmonised standards for default products before 11 December 2027 (the penalty date). Most manufacturers must create their own test specifications to demonstrate conformity with the essential requirements.
Sarah Fluchs: An Invaluable Source for Cyber Security Regulations
Sarah Fluchs writes regular posts on her blog FluchsFriction and on LinkedIn in English and in German. She also publishes a monthly newsletter Security-Briefing für Hard Hats (German only). She provides invaluable information about the EU CRA and related cyber security standards.
Sarah is a type-A member of the Expert Group on Cybersecurity with Digital Elements. As an individual expert, she advises the EU Commission on how to best implement the EU CRA. She provides summaries of the group’s meetings. You can find the much longer meeting minutes on the tab Meetings of the group’s home page.
By following Sarah, you can get first-hand information about what is cooking in the EU CRA cauldrons. The already mentioned article about harmonised standards - featured in more detail next - is a good example.
Cyber Resilience Act: When will requirements finally get more specific?
The essential requirements of Annex I are admittedly pretty vague. BSI’s Technical Guidelines BSI TR-03183 (see also summary above) make the requirements more accessible. I have added further examples and explanations to the BSI’s guidelines in my posts about essential requirements related to product properties and vulnerability handling. Still, both the BSI and I are interpreting the EU CRA. We might get some parts wrong. It is important that the EU Commission provides official interpretations.
The EU CRA mandates that the EU Commission provide harmonised standards and additional guidance. There are three different types of harmonised standards.
“Type A standards define principles, terms or framework conditions. They apply to all products, but do not specify any CRA requirements […]”. A type-A standard explaining risk management during the lifetime of a product will be published by 30 August 2026.
“Type B standards specify product-agnostic CRA requirements. These can be requirements where it is not necessary to differentiate between different products, or a larger class of similar products is grouped together.”
A type-B standard describing the vulnerability-handling process (Annex I, Part II) will be published by 30 August 2026.
A type-B standard explaining the essential requirements related to product properties (Annex I, Part I) in more detail will also be published, by 30 October 2027. This is just 6 weeks shy of the date (11 December 2027) from which the EU can punish manufacturers with heavy penalties for violations of the EU CRA. Manufacturers must have done their CRA homework long before this type-B standard comes out.
“Type C standards specify CRA requirements for a specific product category — ideally all CRA requirements.” If a product satisfies all the acceptance criteria for a CRA requirement listed in the standard, the product automatically conforms with that CRA requirement. If the standard gives criteria for all requirements, the product automatically conforms with all essential requirements of the EU CRA. The test specification for broadband routers mentioned in the section about the IT Security Label is an example of such a type-C standard.
A type-C standard for important products (Annex III) and critical products (Annex IV) will be published by 30 August 2026.
The EU Commission must publish guidance about the support period, substantial modifications and the interaction with other EU legislation, but the date is not set yet. It could happen towards the end of 2025.
Manufacturers of default products, which are more than 90% of all manufacturers, will have to perform a conformity assessment without a harmonised standard and without an official clarification of the essential requirements related to product properties. I agree with Sarah that these manufacturers should regard this lack of standards as a chance.
This way, they are allowed to interpret CRA requirements for their own products in a practical, sensible way — based on risk. For sustainable, responsible cybersecurity decisions, these are the best circumstances that can happen to you. You don’t have to struggle with standard requirements that don’t work for your product. You can find some that work — as long as they reduce risk and align with the CRA’s essential requirements.
Sarah Fluchs, Cyber Resilience Act: When will requirements finally get more specific?
A lot of useful information will become available over the course of the next year - even for manufacturers of default products. These manufacturers can use the type-C standards for important and critical products as an upper bound for their conformity assessment. They can decide which criteria are too strong and can be weakened or even ignored for default products. They can also take the conformity assessments for the IT Security Label as guidance. You’ll find more good reasons Why the EU Cyber Resilience Act is Important in an earlier newsletter.