On 3 March 2026, the European Commission released its initial draft guidance on the Cyber Resilience Act (CRA), formally known as Regulation (EU) 2024/2847. The draft is now open for public consultation until 31 March 2026. The consultation has several key objectives before the final guidance is released:
- Collect feedback from stakeholders (manufacturers, software vendors, SMEs, open-source communities, conformity assessment bodies, market surveillance authorities, etc.) on whether the draft is clear, workable, and complete in real-world scenarios.
- Identify ambiguities and unintended consequences before the guidance is finalised, especially on difficult topics the draft focuses on.
- Improve consistency of enforcement across the EU by stress-testing the Commission’s interpretations with those who will apply and enforce them, reducing divergent national interpretations later.
- Support smoother implementation ahead of upcoming CRA milestones by giving industry a chance to flag timing/feasibility issues and suggest clarifications.
The draft guidance is expected to have a significant impact on how market surveillance authorities enforce the CRA. By setting out concrete examples and scenarios, the guidance will likely shape interpretation and compliance expectations across the European Union. Stakeholders are encouraged to review the draft and provide feedback during the consultation period, as their input could influence the final guidance and its application in practice.
Key Highlights:
- Remote Data Processing Solutions: Guidance clarifies how CRA applies to products whose core security features rely on remote or cloud-based processing, and addresses division of responsibilities between products and their supporting services.
- Free and Open-Source Software (FOSS): Offers additional interpretation to help determine when open-source software falls within the CRA’s scope, and how obligations may differ depending on how the software is supplied, integrated, or commercialised.
- Support periods: Explains requirements around the duration for handling vulnerabilities and issuing security updates, with advice on defining and communicating product support periods for digital elements.
- Interplay with other EU legislation: Describes how CRA requirements interact with other relevant EU legal frameworks to help prevent duplication or conflicting compliance approaches.
- Reduces uncertainty before implementation: Initial interpretations from the Commission offer clarity on complex topics like cloud-backed products and open-source software.
- Helps organisations plan compliance: Assists with decisions on product scope, lifecycle support, documentation, and vulnerability handling in line with likely regulatory expectations.
- Stakeholder feedback opportunity: Consultation is open until 31/03/2026, allowing stakeholders to provide feedback and examples to help shape clearer, more practical final guidance.
CRA obligations primarily attach to organisations that place products with digital elements on the EU market (or otherwise make them available for distribution or use in the EU) during a commercial activity. That means the CRA is most directly relevant to manufacturers (including software vendors, device makers, and organisations distributing in-house products externally), but it also creates defined duties for importers bringing products into the EU and distributors making them available on the market.
The draft guidance also highlights the CRA’s relevance to certain open-source software stewards, i.e. legal persons providing sustained support for specific FOSS intended for commercial activities. Even where an organisation is not an economic operator under the CRA, there is an indirect impact on enterprise buyers and integrators, who will increasingly need supplier security evidence, clear support commitments, and stronger component governance to avoid procuring or deploying non-compliant products.
What EU organisations should do to meet CRA obligations:
- Build an inventory of in-scope products and product functions (include cloud-backed functions that may qualify as RDPS and identify integrated third-party/SaaS dependencies).
- Classify products as default / important (class I or II) / critical based on core functionality to determine the likely conformity route and evidence needed.
- Stand up or harden vulnerability handling: intake, triage, remediation SLAs, coordinated disclosure policy, security update pipeline, and upstream reporting/fix-sharing for components.
| Function | CRA Expectations |
|---|---|
| Legal / Compliance | Determine role(s) per product; confirm scope position (incl. RDPS and FOSS scenarios); define support period disclosures; align contracts and product terms; manage consultation feedback. |
| Product Management | Define intended purpose and expected use time; decide support periods; align roadmap to “secure by design/default”; ensure security requirements are prioritised and funded. |
| Engineering | Implement secure development practices; maintain update mechanisms; manage versioning and changes that might constitute substantial modifications; maintain technical documentation inputs. |
| Security (AppSec / PSIRT) | Run/own vulnerability handling (CVD), triage, remediation SLAs; define reporting workflow for exploited vulnerabilities/severe incidents; coordinate user communications and upstream reporting/fix sharing. |
| Procurement / Supplier Management | Strengthen component and supplier due diligence; request security evidence and support commitments; ensure contracts enable timely vulnerability disclosure and patch delivery. |
| Operations / Support | Operationalise security updates, incident response interfaces, and customer notifications; ensure capability to deliver support obligations through end-of-support. |
- Design a CRA reporting playbook for exploited vulnerabilities and severe incidents (who decides “we are aware”, who notifies, what evidence is kept, how user communications are managed).
- Define and approve support period policy and ensure support commitments are operationally achievable (engineering capacity, dependency management, end-of-life process).
- Update supplier and component governance: require SBOM/third-party component visibility where appropriate, security assurance evidence, and contractual commitments that support your due diligence obligations.
- Prepare technical documentation and audit trail: risk assessment outputs, security requirements, test evidence, and release governance sufficient to support conformity assessment and market surveillance questions.
The journey towards CRA readiness unfolds across several key milestones. On 11 June 2026, the process begins with the introduction of rules governing the notification and designation of conformity assessment bodies, laying the groundwork for robust regulatory oversight. Just a few months later, from 11 September 2026, organisations will need to start reporting vulnerabilities and incidents to the relevant authorities, marking a significant step in transparency and accountability. The transition culminates on 11 December 2027, when the full suite of CRA obligations comes into force for products containing digital elements, ensuring that comprehensive cybersecurity requirements are firmly embedded throughout the supply chain. These dates signal a structured progression, urging organisations to prepare early and adapt their processes to meet evolving regulatory expectations.
In summary, EU organisations must adopt a proactive and structured approach to CRA readiness, focusing not only on compliance but also on robust cybersecurity practices throughout the supply chain. By establishing clear ownership across legal, product, engineering, and security functions and maintaining comprehensive documentation, organisations will be well-positioned to meet regulatory expectations and respond effectively to evolving threats. Early engagement with the consultation process and ongoing refinement of due diligence and reporting processes will further enhance resilience, ensuring organisations are ready to demonstrate both compliance and operational maturity when assessed. Remaining adaptable and informed will be key to facing future requirements with confidence.
Disclaimer:
“The views and opinions expressed by Kavitha in this article are solely her own and do not represent the views of her company or her customers.”
Name – Kavitha Srinivasulu
Company – TCS
Designation – Program Director–Cyber Security & Data Privacy
About the Author:
Senior cyber risk and resilience executive with over 22 years of global leadership experience advising Boards and Executive Committees across Financial Services, Healthcare, Retail, Technology, and regulated industries. Delivered and led large-scale, regulator-driven cybersecurity, AI-driven, PCI, and SOC transformations for Tier-1 banks, global healthcare organisations, and highly regulated enterprises operating across the UK, EU, USA, APAC, and ANZ. Trusted advisor to Boards, C-suite, regulators, and global enterprises, consistently delivering resilient, compliant, and scalable cyber operating models.