The European Commission has opened a public consultation on draft guidance for the Cyber Resilience Act (CRA). The consultation allows companies, developers, and industry stakeholders to provide feedback on how the regulation should be interpreted and implemented before the guidance is finalized.
The consultation is available through the European Commission’s “Have Your Say” portal:
https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en
Stakeholders have until 31 March to submit feedback.
The purpose of this consultation is to ensure that the guidance supporting the Cyber Resilience Act is clear and practical for the organizations responsible for implementing it.
The Cyber Resilience Act
The Cyber Resilience Act, formally Regulation (EU) 2024/2847, establishes cybersecurity requirements for products with digital elements that are placed on the European Union market.
The regulation entered into force on 10 December 2024.
The CRA introduces horizontal cybersecurity obligations that apply to a wide range of digital products, including software, connected devices, and embedded systems. Manufacturers and software providers must ensure that products are developed and maintained according to defined cybersecurity requirements throughout their lifecycle.
These requirements include vulnerability management, secure product design, documentation, and ongoing security updates.
The regulation also introduces reporting obligations for actively exploited vulnerabilities.
CRA Implementation Timeline
The regulation includes a phased implementation schedule that provides time for organizations to prepare for compliance.
Key milestones include:
• Certain provisions of the regulation begin applying on 11 June 2026
• Vulnerability reporting obligations under Article 14 apply from 11 September 2026
• The regulation becomes fully applicable on 11 December 2027
These deadlines mean that manufacturers and software providers must begin aligning development and security processes well before the regulation reaches full application.
Purpose of the Draft Guidance
Article 26 of the Cyber Resilience Act requires the European Commission to publish guidance to help economic operators apply the regulation.
The objective of this guidance is to support organizations as they prepare for CRA compliance. The guidance is intended to be particularly helpful for microenterprises and small and medium-sized companies that may have fewer regulatory resources.
The document currently under consultation explains how certain regulatory concepts should be interpreted and how organizations may approach practical implementation.
After the consultation period ends, the Commission will review feedback and finalize the guidance before formal adoption.
Topics Addressed in the Draft Guidance
The draft guidance addresses several areas where companies have raised questions about how the CRA should be applied in practice.
Free and Open Source Software
The treatment of free and open source software is one of the most widely discussed aspects of the regulation.
Open source software is widely used within commercial products. The guidance examines how CRA obligations apply when open source components are incorporated into products that are placed on the market.
The draft clarifies the distinction between non-commercial open source development and commercial products that integrate open source components.
Manufacturers remain responsible for managing the cybersecurity risks associated with components used within their products.
Remote Data Processing Solutions
The guidance also discusses remote data processing solutions.
Many digital products rely on backend services, cloud platforms, or remote infrastructure to deliver functionality. These services may affect the cybersecurity posture of the product.
The draft guidance examines how such remote elements should be considered when evaluating whether a product meets CRA cybersecurity requirements.
Core Functionality
Another concept addressed in the draft guidance is core functionality.
Determining whether a vulnerability affects the core functionality of a product can influence how it is evaluated under the regulation. Vulnerabilities that affect essential product capabilities may require different handling than issues affecting non-essential components.
The guidance discusses how organizations may determine whether functionality should be considered core to the product.
Placing Products on the Market
The CRA applies when a product with digital elements is placed on the European market.
The draft guidance discusses how this concept should be interpreted in practice, including situations where software is distributed digitally or updated remotely after release.
Clarifying this concept is important for organizations distributing software through online platforms or delivering functionality through updates.
Vulnerability Reporting
The regulation introduces obligations to report actively exploited vulnerabilities.
Manufacturers must notify relevant authorities when such vulnerabilities are identified. These reporting requirements begin applying in September 2026.
The draft guidance provides additional explanation regarding how organizations should approach vulnerability reporting obligations.
Why the Consultation Matters
Public consultations are an important part of the European regulatory process. They allow regulators to collect feedback from the organizations responsible for implementing new rules.
Guidance documents influence how regulators interpret compliance requirements and how companies structure internal security processes.
If guidance is unclear or impractical, it can create uncertainty across the market.
For this reason, the European Commission is encouraging industry stakeholders to review the draft guidance and submit feedback before the consultation closes.
Organizations that develop or distribute digital products in the European market have a direct interest in ensuring that the final guidance reflects real-world development practices.
Preparing for CRA Compliance
Although the guidance is still under consultation, the direction of the regulation is already clear.
Organizations will need stronger visibility into the software components used in their products, including open source dependencies and third-party libraries.
Companies must also implement structured processes for identifying, assessing, and remediating vulnerabilities.
Manufacturers will need to maintain documentation demonstrating that cybersecurity risks are managed throughout the product lifecycle.
These capabilities will become essential as the CRA implementation deadlines approach.
How C2A Security Can Help
Meeting the requirements of the Cyber Resilience Act requires organizations to operationalize product cybersecurity across development, architecture, and lifecycle management.
C2A Security helps organizations translate regulatory cybersecurity requirements into structured engineering and governance processes.
The C2A EVSec platform enables manufacturers to analyze software components, map vulnerabilities to system architecture, and continuously assess cybersecurity risk across connected products.
This approach helps organizations prioritize vulnerabilities based on product context and generate evidence that supports regulatory compliance.
Organizations preparing for CRA implementation can benefit from assessing their current readiness and identifying gaps in their product cybersecurity processes.
Schedule a CRA readiness consultation here.
Organizations that begin preparing early will be better positioned as CRA requirements begin to take effect across the European digital product market.