On December 3, 2025, the European Commission published its first set of technical FAQs on the EU Cyber Resilience Act (‘CRA’). The CRA is an EU-wide law which lays down cybersecurity requirements for ‘products with digital elements’ (‘PDEs’), including IoT devices, hardware components, and certain software. It becomes fully applicable on December 11, 2027, with reporting obligations (for actively exploited vulnerabilities and significant incidents) kicking in earlier – from September 11, 2026.
The FAQs are designed to help manufacturers, importers, and other supply chain stakeholders understand and implement the CRA’s obligations. They reflect recurring questions collected by the Commission since the CRA entered into force (see our advisory published here for more details on the CRA).
The FAQs address a range of topics, including:
- The circumstances in which a PDE falls within the CRA’s scope. In particular, a PDE falls within the CRA’s scope if it features a direct or indirect logical or physical data connection to a device or network. The FAQs note that a logical connection will be direct when a PDE itself initiates or manages communication with other devices or networks – such as a browser establishing an HTTPS session to access a website. By contrast, the connection will be indirect when a PDE does not itself initiate the communication, but runs on a host system that does. An example of the latter could be an offline text editor or a calculator that is indirectly connected to devices or networks via an operating system.
- The interplay between the CRA and other EU legislation, such as the Machinery Regulation, the GDPR, and the Data Act. For example, the FAQs confirm that the CRA and Data Act are applicable to a similar (and in some cases overlapping) set of products. A PDE falling within the scope of the CRA may therefore also be subject to obligations under the Data Act to make data available to users or third parties (see here for more information on the Data Act). The FAQs indicate that manufacturers of PDEs should take into account Data Act-related sharing obligations when assessing cybersecurity risk. Given the – in some cases significant – overlap between the EU’s digital laws, this guidance merits careful consideration.
- Factors that manufacturers should take into account when carrying out cybersecurity risk assessments. The CRA requires manufacturers to undertake an assessment of the cybersecurity risks associated with a PDE, which must inform how the manufacturer complies with essential cybersecurity requirements. The FAQs provide further detail on how that assessment is impacted by the PDE’s ‘intended purpose’ and ‘reasonably foreseeable use’. For example, the FAQs underscore that ‘a [PDE] designed and intended to be used by professionals only (such as an industrial IoT sensor or virtual private network), might eventually also be used by non-professionals; consequently, the design and instructions accompanied must take this possibility into account’. By contrast, other scenarios may entail ‘reasonably foreseeable misuse’: ‘if the information and instructions to the user mentions that the [PDE] must be deployed on a secure network, deploying it on an insecure network might constitute a reasonably foreseeable misuse.’ Risks concerning reasonably foreseeable misuse must be communicated in the information and instructions to the user of the PDE.
Other sections of the FAQs cover adjacent CRA-related topics, such as manufacturers’ vulnerability reporting obligations, conformity assessment requirements, and transition periods.
Manufacturers selling PDEs on the EU market should review the FAQs to check whether their compliance program, procedures and disclosures align with the Commission’s views on the CRA’s requirements. The Commission will be publishing additional guidance in the coming months targeted at microenterprises and SMEs, which will assist smaller organizations in complying with the CRA’s requirements.
