Commission publishes for feedback draft guidance to assist companies in applying the Cyber Resilience Act

The European Commission has published for feedback draft guidance to assist companies in meeting the obligations of the Cyber Resilience Act (CRA).

AdobeStock © ipopba

The draft guidance clarifies the obligations and the scope of the rules with a particular focus on facilitating compliance by microenterprises and small and medium-sized enterprises.

Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy, said:

With today's guidelines, the Commission supports the effective application of the Cyber Resilience Act. From baby monitors to smart watches, digital elements are part of our daily lives, and we will make sure all digital products on the EU market are safe from cyber threats.

The draft guidance focuses on remote data processing solutions and free and open-source software, the notion of 'support periods' as well as the interplay between the CRA and other EU legislation.

As part of the broader simplification exercise, the Commission is consulting stakeholders until 31 March to ensure alignment with implementation efforts, practical challenges, and market realities.

The CRA entered into force on 10 December 2024. The main obligations introduced by the Act will apply from 11 December 2027, with reporting obligations to apply as of 11 September 2026.

The Commission is actively working to strengthen the EU's cybersecurity resilience and capabilities. A new cybersecurity package was proposed on 20 January 2026.

Related topics