The European Commission seeks feedback on draft guidance for implementing the Cyber Resilience Act

The European Commission has published draft guidance intended to assist companies in understanding and applying the requirements of the Cyber Resilience Act (CRA). Stakeholders are invited to provide feedback on the document until 31 March 2026.

The guidance clarifies the scope of the regulation and the obligations placed on manufacturers and providers of products with digital elements. Particular attention is given to supporting microenterprises and small and medium-sized enterprises in meeting the new compliance requirements.

It also addresses specific issues raised during the early implementation phase, including the treatment of remote data processing solutions, the role of free and open-source software, and the definition of product support periods. The document further explains how the CRA interacts with other EU legislation affecting cybersecurity and digital products.

The Cyber Resilience Act entered into force on 10 December 2024. While the main obligations will apply from 11 December 2027, reporting requirements will start earlier, from 11 September 2026.

According to the Commission, the consultation aims to ensure that the guidance reflects practical implementation challenges and aligns with broader efforts to strengthen cybersecurity resilience across the EU.