
Substantial modification under Article 3(30) of Regulation (EU) 2024/2847: which changes force a new conformity assessment, and which are just maintenance

Article 3(30) of the Cyber Resilience Act defines ‘substantial modification’ as a change to a product placed on the market that either affects its compliance with the essential cybersecurity requirements of Annex I, Part I, or modifies the intended purpose for which the product was assessed. Article 22 then makes any person who substantially modifies a product on the market the manufacturer of the modified version — with the full burden of Articles 13 and 14. The line between a security patch and a substantial modification is the most asked question of the entire CRA. Recitals 38–42 give the answer. CRACheck applies it to your specific change.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 3(30) definition · Art. 22 substantial modification · Recitals 38–42 · 100% browser-side

The three legal coordinates

Art. 3(30): Substantial modification — the definition
Art. 22: Modifier becomes the manufacturer of the modified version
Art. 13(14): Manufacturer must adapt to changes in design and standards

Six concrete scenarios — substantial or not?

Each example below maps to a clear rule from the article text or the recitals. Use them as anchors when you assess a specific change.

1. Security patch closing a known CVE — NOT substantial
Recital 39: ‘Where a security update which is designed to decrease the level of cybersecurity risk of a product with digital elements does not modify the intended purpose of a product with digital elements, it is not considered to be a substantial modification.’ This includes minor source-code adjustments that modify functions for the sole purpose of decreasing cybersecurity risk.

2. New language pack or visual enhancement — NOT substantial
Recital 39: ‘A minor functionality update, such as a visual enhancement or the addition of new pictograms or languages to the user interface, should not generally be considered to be a substantial modification.’ The intended purpose and the assessed essential requirements are untouched.

3. New feature that adds an input element — typically SUBSTANTIAL
Recital 39: a feature update that modifies the original intended functions or the type or performance of the product, and broadens the attack surface, is substantial — ‘for example, this could be the case where a new input element is added to an application, requiring the manufacturer to ensure adequate input validation’.

4. Hardware refurbishment / maintenance / repair — typically NOT substantial
Recital 42: refurbishment, maintenance and repair as defined in Article 2 of Regulation (EU) 2024/1781 do not necessarily lead to a substantial modification — provided the intended purpose and functionalities are not changed and the level of risk is unaffected.

5. Manufacturer-led upgrade altering performance — SUBSTANTIAL
Recital 42: an upgrade by the manufacturer that leads to changes in the design and development — affecting intended purpose or compliance with the essential requirements — is substantial. A new conformity assessment is required, and if a notified body was previously involved, it must be notified of the change (Recital 41).

6. Importer or distributor modifies the product — modifier becomes manufacturer
Article 21 + Article 22: an importer or distributor that places a product on the market under its own name or trademark, or carries out a substantial modification, is treated as the manufacturer. All Article 13 and Article 14 obligations transfer to them, for the part affected (Art. 22(2)) — or for the entire product if the modification affects the cybersecurity of the whole.

Common mistakes

PATCH OVERREACTION

“Every CVE fix means a new conformity assessment”

Wrong by Recital 39. A security update that only decreases the cybersecurity risk and does not modify intended purpose is not substantial. You still document the change in your technical documentation under Article 13(14) and inform users via your CVD policy and Annex II information — but the EU declaration of conformity and CE marking do not need to be re-issued.

FEATURE CREEP DENIAL

“We added a third API endpoint, but no formal change”

If the new endpoint extends the intended purpose or adds input that requires validation, Recital 39 treats this as substantial. The original risk assessment did not anticipate the new endpoint; you must update the risk assessment, possibly re-run conformity assessment, and — if a notified body was involved — notify them under Recital 41.

MODIFIER MISATTRIBUTION

“Our distributor customised the firmware — still our liability”

Article 22 reassigns liability for the modified version to the modifier. Article 22(2) makes the modifier subject to Articles 13 and 14 for the part affected by the substantial modification, or for the entire product if the modification has an impact on the cybersecurity of the product as a whole. The original manufacturer remains liable for the unmodified part.


Choose your licence

One-time payment. No subscription. The downloaded dossier is yours forever.

1 product: €149 / product
  • 8-document CRA dossier (ZIP)
  • Product Classifier + Technical Documentation
  • Risk Assessment + User Information
  • 10 regenerations · 30 days
  • 1 licence = 1 product

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
Determines whether your product is Default, Important Class I, Important Class II (Annex III) or Critical (Annex IV). Documents the rationale and the applicable conformity assessment procedure under Article 32.

2. Technical Documentation
Article 31 + Annex VII dossier. Product description, design and development, vulnerability handling processes, risk assessment, list of harmonised standards applied, conformity solutions.

3. Cybersecurity Risk Assessment
Annex I, Part I analysis. Intended purpose, reasonably foreseeable use, operational environment, applicability of each essential requirement, mitigation measures.

4. User Information & Instructions
Annex II. Manufacturer details, single point of contact, intended purpose, support period end date, secure decommissioning, automatic-update opt-out instructions.

5. EU Declaration of Conformity
Article 28 + Annex V. Pre-structured with your classification, applicable conformity module, harmonised standards or certificates relied on, notified body number when applicable.

6. Coordinated Vulnerability Disclosure Policy
Annex I, Part II, point (5). Single point of contact, intake workflow, triage and remediation timeline, public disclosure rules.

7. ENISA Notification Template
Article 14 reporting. Pre-filled 24h early warning, 72h vulnerability/incident notification, 14-day final report templates.

8. Obligations Calendar
Personalised milestones: Article 14 reporting starts 11 September 2026, full application 11 December 2027, document retention 10 years, support period (Art. 13(8)) end date.

See before you buy — Download sample dossier (PDF, fictional company). Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

Re-assessment with a notified body: €8,000–€40,000
Re-engagement with the notified body for Module B addition (Annex VIII, Part II, point 7), update of the EU-type examination certificate, additional surveillance audit under Module H. Required when the modification is substantial.

CRACheck (same output): €149
CRACheck regenerates the dossier for the modified version at no additional cost during licence validity. Updated risk assessment, updated Annex VII, updated EU DoC.

Legal sources

Every article and recital cited on this page comes from the official text of Regulation (EU) 2024/2847 (Cyber Resilience Act), published in the Official Journal of the European Union on 20 November 2024 (ELI: data.europa.eu/eli/reg/2024/2847/oj).

Related: Regulation (EU) 2019/881 (Cybersecurity Act, EUCC) · Directive (EU) 2022/2555 (NIS2) · Regulation (EU) 2019/1020 (market surveillance) · Regulation (EU) 2024/1689 (AI Act).

Important notice

This is not legal advice. CRACheck is structured self-assessment software based on Regulation (EU) 2024/2847. The dossier you download is structured documentation, not a third-party audit or certification.

Class II and Critical products still need a notified body. CRACheck prepares the dossier that the notified body will examine — it does not replace the third-party conformity assessment required by Article 32(3) and Article 32(4).

Maximum liability: the amount you paid for the licence. Always verify your specific situation with your legal counsel.

Frequently asked questions

Is a CVE fix a substantial modification?
No, in the normal case. Recital 39: a security update designed to decrease the level of cybersecurity risk that does not modify the intended purpose is not a substantial modification — even where it entails source-code changes. The fix is still documented in technical documentation, communicated via Annex II information and the CVD policy, and notified under Article 14 if the underlying vulnerability was actively exploited.
If I bundle a security patch with a new feature, is the whole release substantial?
If the new feature meets the Recital 39 test — modifies original intended functions, broadens the attack surface, or changes performance — then the release is substantial. Recital 39 is explicit that whether the feature is shipped separately or bundled with a security update does not change the analysis. Best practice: ship security updates separately whenever technically feasible (Annex I, Part II, point 2).
What does Article 22 mean for an integrator or VAR?
Article 22 makes anyone who carries out a substantial modification of a product on the market — and then makes it available again — subject to Articles 13 and 14 for the part affected, or for the whole product if cybersecurity is affected globally. An integrator who re-brands and reconfigures an OEM product crosses this line whenever the change is substantial. Article 21 catches the simpler case of putting the integrator’s own name or trademark on the product.
Does software-only iteration trigger Article 22?
Yes, if the iteration is substantial. Recital 39 applies the same test to software changes as to physical changes. A feature update that modifies intended purpose or broadens attack surface, packaged as an over-the-air update and made available on the market, is substantial — and the entity making it available becomes the manufacturer of the new version under Article 22.
Is this a subscription?
No. One-time payment. 30-day editing window. 10 regenerations. The PDF dossier is yours permanently.
Can I request a refund?
Under Article 16(m) of Directive (EU) 2011/83, the act of licence activation constitutes express consent for immediate digital content generation, which removes the right of withdrawal. Refunds are issued only for reproducible technical failures.
What if the regulation changes before I file my dossier?
Regenerate at no additional cost during your licence validity. Substantive amendments to Regulation (EU) 2024/2847 are tracked weekly from EUR-Lex; if a clause you cited is amended, you can regenerate the affected sections.

Decide ‘substantial or not’ once — with the recital text at hand.

CRACheck applies Article 3(30) and Recitals 38–42 to your specific change, updates the risk assessment, regenerates the EU DoC, and flags whether the notified body needs to be notified.
