CRA Transitional Period — Existing Products

Three transitional rules everyone confuses

Art. 69(1)

EU type-examination certificates valid until 11 June 2028

Art. 69(2)

Pre-Dec-2027 products NOT covered — unless substantially modified

Art. 69(3)

Article 14 reporting applies to ALL in-scope products, even legacy

Mapping every legacy scenario

Each scenario maps to a specific transitional rule. If your product fits more than one row, apply the most demanding regime.

Product placed on the market before 10 December 2024

Outside the regulation entirely from the substantive side (Art. 69(2)). But if it is in scope of the CRA and still in use after 11 September 2026, you must comply with Article 14 reporting (Art. 69(3)) — 24h/72h/14-day notifications for any actively exploited vulnerability.

Product placed between 10 December 2024 and 11 December 2027

Same regime: Art. 69(2) substantive carve-out, Art. 69(3) Article 14 reporting from 11 September 2026. Note: ‘placed on the market’ = first making available on the Union market (Art. 3(21)). Subsequent units of an already-placed product type may continue.

Existing certificate under other Union harmonisation legislation

Art. 69(1): EU type-examination certificates and approval decisions issued regarding cybersecurity requirements in Union harmonisation legislation other than the CRA remain valid until 11 June 2028 — unless they expire earlier, or unless their parent legislation specifies otherwise.

Spare part to replace identical components

Out of scope (Art. 2(6)): spare parts manufactured to the same specifications as the components they replace. Covers spare parts for legacy products and for new products that have already undergone conformity assessment.

Substantial modification of a legacy product after 11 December 2027

Triggers Article 22: the modifier (manufacturer or other) is treated as the manufacturer of the modified version and must comply with Articles 13 and 14 in full. Definition of substantial modification: Art. 3(30) — affects compliance with essential requirements or changes the intended purpose.

Subsequent units placed after 11 December 2027

Even if the product line was first placed earlier, a new unit placed from 11 December 2027 must comply with the full CRA regime — each individual product is assessed at the time of placing on the market (Recital 38).

Re-baselining via a software update

A security update that does not modify the intended purpose and only decreases cybersecurity risk is NOT a substantial modification (Recital 39). A feature update that changes intended purpose or increases attack surface IS substantial. The Commission is to issue guidance (Recital 39).

Common mistakes

❌

GRANDFATHER MYTH

“Our legacy product is forever exempt”

Only partly. Article 69(2) exempts the substantive regime, not Article 14. From 11 September 2026, any actively exploited vulnerability in your legacy in-scope product must be notified within 24 hours to the relevant CSIRT designated as coordinator and to ENISA (Art. 14(2)(a) + Art. 69(3)). And the moment you substantially modify the product, the full regime kicks in.

❌

UPDATE AS SUBSTANTIAL

“Every patch triggers re-certification”

False. Recital 39 is explicit: a security update designed to decrease cybersecurity risk and not modifying the intended purpose is not a substantial modification. Minor functionality updates — a visual enhancement, a new language — are generally not substantial. Feature updates that change the intended purpose or broaden the attack surface are.

❌

CERTIFICATE EXTENSION ASSUMPTION

“Our RED Article 3(3) certificate covers CRA forever”

Article 69(1) gives the EU type-examination certificate validity until 11 June 2028 at the latest, unless it expires earlier. From 11 June 2028, the CRA regime applies in full to any new units placed on the market — even if your underlying RED process was previously sufficient.

Does the CRA apply to your product?

Four-question self-check. If you answer YES to all four, your product is in scope of Regulation (EU) 2024/2847.

Was the product placed on the market before 11 December 2027?

Art. 69(2) — substantive carve-out

Is it still in scope of the CRA (within the Article 2 scope and not excluded)?

Art. 2 + Art. 3(1)

Will it be in use, or supported, after 11 September 2026?

Art. 69(3) — Article 14 still applies

Will it remain unmodified after 11 December 2027? (no substantial modification under Art. 3(30))

Art. 69(2) + Art. 22

Take the full product classification test →

Choose your licence

One-time payment. No subscription. The downloaded dossier is yours forever.

1 PRODUCT

149 €

/ product

8-document CRA dossier (ZIP)
Product Classifier + Technical Documentation
Risk Assessment + User Information
10 regenerations · 30 days
1 licence = 1 product

Buy licence →

PROFESSIONAL PACK

1,199 €

70 generations · 1 key

For multi-product catalogues

70 generations with a single key
70 complete dossiers (8 documents each)
Switch product between generations
Ideal for importers with large catalogues
For consultants billing CRA compliance

Buy Professional Pack →

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Determines whether your product is Default, Important Class I, Important Class II (Annex III) or Critical (Annex IV). Documents the rationale and the applicable conformity assessment procedure under Article 32.

Technical Documentation

Article 31 + Annex VII dossier. Product description, design and development, vulnerability handling processes, risk assessment, list of harmonised standards applied, conformity solutions.

Cybersecurity Risk Assessment

Annex I, Part I analysis. Intended purpose, reasonably foreseeable use, operational environment, applicability of each essential requirement, mitigation measures.

User Information & Instructions

Annex II. Manufacturer details, single point of contact, intended purpose, support period end date, secure decommissioning, automatic-update opt-out instructions.

EU Declaration of Conformity

Article 28 + Annex V. Pre-structured with your classification, applicable conformity module, harmonised standards or certificates relied on, notified body number when applicable.

Coordinated Vulnerability Disclosure Policy

Annex I, Part II, point (5). Single point of contact, intake workflow, triage and remediation timeline, public disclosure rules.

ENISA Notification Template

Article 14 reporting. Pre-filled 24h early warning, 72h vulnerability/incident notification, 14-day final report templates.

Obligations Calendar

Personalised milestones: Article 14 reporting starts 11 September 2026, full application 11 December 2027, document retention 10 years, support period (Art. 13(8)) end date.

See before you buy — Download sample dossier (PDF, fictional company). Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

📜 LEGAL OPINION ON LEGACY PRODUCT STATUS

€4,000–€12,000

External counsel mapping each SKU in your legacy catalogue to Article 69 and Article 22. Justified for high-revenue legacy lines.

CRACHECK — SAME OUTPUT

€149

CRACheck Obligations Calendar flags the Article 14 retroactive duty for in-scope legacy products and identifies which SKUs trigger Article 22 on next substantial modification.

Legal sources

Every article and recital cited on this page comes from the official text of Regulation (EU) 2024/2847 (Cyber Resilience Act), published in the Official Journal of the European Union on 20 November 2024 (ELI: data.europa.eu/eli/reg/2024/2847/oj).

→ Full text on EUR-Lex (CELEX 32024R2847)
→ HTML version (article-by-article)
→ Official PDF (81 pages)
→ All 24 EU language versions

Related: Regulation (EU) 2019/881 (Cybersecurity Act, EUCC) · Directive (EU) 2022/2555 (NIS2) · Regulation (EU) 2019/1020 (market surveillance) · Regulation (EU) 2024/1689 (AI Act).

Important notice

This is not legal advice. CRACheck is structured self-assessment software based on Regulation (EU) 2024/2847. The dossier you download is structured documentation, not a third-party audit or certification.

Class II and Critical products still need a notified body. CRACheck prepares the dossier that the notified body will examine — it does not replace the third-party conformity assessment required by Article 32(3) and Article 32(4).

Maximum liability: the amount you paid for the licence. Always verify your specific situation with your legal counsel.

Frequently asked questions

If my product was placed on the market in 2023, do I need a CRA dossier?

Not for the substantive obligations — Article 69(2) carves out products placed before 11 December 2027. But you do need an Article 14 capability: from 11 September 2026, any actively exploited vulnerability must be notified within 24 hours, with 72-hour follow-up and 14-day final report (Art. 14(2) + Art. 69(3)). The moment you substantially modify the product, the full CRA regime applies.

What counts as a ‘substantial modification’?

Article 3(30) defines it as a change to the product after placing on the market that affects compliance with the essential cybersecurity requirements in Annex I, Part I, or that results in a modification to the intended purpose for which the product was assessed. Recital 39 clarifies that security updates that only decrease cybersecurity risk and do not modify intended purpose are not substantial, while feature updates that broaden the attack surface typically are.

What happens to my existing RED Article 3(3) compliance?

Article 69(1) gives EU type-examination certificates and approval decisions issued under other Union harmonisation legislation — including Delegated Regulation (EU) 2022/30 under Directive 2014/53/EU — a validity window until 11 June 2028, unless they expire earlier. Recital 30 says the Commission will provide transitional guidance for manufacturers subject to both regimes.

Does the Article 14 retroactivity apply to micro and small enterprises?

Yes — Article 69(3) does not exempt micro or small enterprises. However, Article 64(10)(a) derogates the financial penalty for micro and small enterprises that miss the Article 14(2)(a) or 14(4)(a) 24-hour deadline. The reporting obligation itself still stands.

Is this a subscription?

No. One-time payment. 30-day editing window. 10 regenerations. The PDF dossier is yours permanently.

Can I request a refund?

Under Article 16(m) of Directive (EU) 2011/83, the act of licence activation constitutes express consent for immediate digital content generation, which removes the right of withdrawal. Refunds are issued only for reproducible technical failures.

What if the regulation changes before I file my dossier?

Regenerate at no additional cost during your licence validity. Substantive amendments to Regulation (EU) 2024/2847 are tracked weekly from EUR-Lex; if a clause you cited is amended, you can regenerate the affected sections.

Article 69 of Regulation (EU) 2024/2847: products placed on the EU market before 11 December 2027 are not retroactively covered — except for Article 14 vulnerability reporting, which applies to all in-scope legacy products