← Back to CRA Insights
Scope

CRA Transitional Provisions: Do You Have to Re-Certify Products Already on the Market?

Generated image

If you manufacture, import, or distribute connected products and you're already selling into the EU, the Cyber Resilience Act probably feels like a problem you can defer. You're not launching a new product. You're not redesigning anything. You just want to know whether the stock in your warehouse - or the devices already in customers' hands - suddenly needs to be re-certified.

The short answer is: probably not. But there is one obligation that catches every product on the EU market, regardless of when it was placed there, and it kicks in on 11 September 2026 - not December 2027.

This post explains the transitional regime cleanly, without rehashing the full compliance roadmap. It focuses on the question that actually keeps product managers and compliance leads up at night: do I have to redo everything for products I'm already selling?

This post is for general information only and does not constitute legal advice. Consult a qualified legal professional for advice specific to your situation.


Key points at a glance
  • Full CRA requirements (Annex I security-by-design, conformity assessment, CE marking, EU Declaration of Conformity) apply from 11 December 2027.
  • Products placed on the market before that date are subject to those requirements only if they undergo a substantial modification on or after 11 December 2027. Genuinely unchanged legacy products are largely grandfathered.
  • 'Placed on the market' means the first time a specific unit enters the EU supply chain — a one-time event per unit. It is not the same as 'making available on the market', which covers every subsequent transaction.
  • The grandfathering does not extend to reporting. From 11 September 2026, the Article 14 duty to report actively exploited vulnerabilities and severe incidents to ENISA applies to all in-scope products — including those placed on the market years ago.
  • New units of the same model placed on the market on or after 11 December 2027 must be fully CRA-compliant, even if earlier units of the same model were grandfathered.

The two concepts you need to understand first

The transitional regime only makes sense once you understand the distinction between two terms the CRA defines precisely.

Placing on the market means the first time a specific product unit is made available in the EU supply chain. It is a one-time event per unit. Once a unit has been placed on the market - typically when the manufacturer or importer first supplies it to a distributor or customer - it cannot be "placed on the market" again. Every subsequent transaction in the chain (distributor to retailer, retailer to end user) is something different.

Making available on the market is that something different: any supply of a product for distribution or use in the EU in the course of a commercial activity, whether for payment or free of charge. It covers every step after the first one.

Why does this matter? Because EU product law attaches compliance obligations to the moment of placing, not to every subsequent making available. As the EU Blue Guide confirms, placing on the market "refers to each individual product, not to a type of product, and whether it was manufactured as an individual unit or in series." Placing on the Union market can only happen once for each individual product across the EU.

This is the legal mechanism that makes the transitional rule work.


What Article 69 actually says

Article 69(2) of Regulation (EU) 2024/2847 states that products with digital elements placed on the market before 11 December 2027 are subject to the CRA's requirements only if, from that date, they are subject to a substantial modification.

In plain English: if a unit was placed on the EU market before 11 December 2027, and nothing substantial changes about it after that date, it does not need to be brought into full CRA conformity. No new conformity assessment. No CE marking. No EU Declaration of Conformity. The unit is grandfathered.

This is confirmed by the Commission's own FAQ guidance, which makes clear that individual products placed on the market before 11 December 2027 do not need to be brought into CRA conformity simply because they remain in the distribution chain after that date.

Distributors are equally off the hook: they are not required to bring such products into compliance on or after 11 December 2027, unless they carry out a substantial modification themselves.

The unit-level rule - and why it matters for new production runs

Here is the catch that trips up many manufacturers. The grandfathering applies to individual units, not to product types or models.

Products manufactured according to a type that is not compliant with the CRA cannot be placed on the market on or after 11 December 2027, even if the first instance of that product type was placed on the market before that date.

The Commission FAQ gives a direct example: a manufacturer that places 10,000 routers on the market before 11 December 2027 does not need to bring those units into CRA compliance - even if they have not yet reached the end user. But that same manufacturer may not produce a further 5,000 copies of the same non-compliant router and place them on the market after 11 December 2027.

So the question is not just "when was my product designed?" It is "when was each unit first placed on the EU market?"


The critical exception: reporting applies to everyone, now

This is the part that catches even the most thoroughly grandfathered legacy product.

Article 69(3) creates a specific derogation from the grandfathering rule: the obligations laid down in Article 14 apply to all products with digital elements within the scope of the CRA that have been placed on the market before 11 December 2027.

And Article 14 applies from 11 September 2026 - not December 2027.

From that date, manufacturers are required to report actively exploited vulnerabilities and severe incidents impacting the security of their products with digital elements, submitting an early warning within 24 hours of becoming aware, and a full notification within 72 hours. A final report follows no later than 14 days after a corrective measure is available for actively exploited vulnerabilities, or within one month for severe incidents.

Reports go to ENISA and the national CSIRT designated as coordinator, through a single reporting platform that ENISA is building and intends to have operational by 11 September 2026. You file once; the platform routes to the right authorities.

star Important

The reporting obligation is not limited to new products or current development projects. It covers legacy products placed on the EU market before the CRA applies in full. If you have a connected product available in the EU on 11 September 2026 and an actively exploited vulnerability surfaces, you must report it — regardless of when that product was first placed on the market.

This has a practical consequence that many manufacturers underestimate: you cannot report a vulnerability in 24 hours if you do not know what is inside your product. The reporting obligation creates an implicit requirement to have continuous visibility into your product's components - even for products you shipped years ago.


Two worked scenarios

Scenario A: The unchanged router still in the channel

A European distributor has 800 units of a Wi-Fi router in its warehouse. The manufacturer placed them on the EU market in Q3 2026 - before the 11 December 2027 cut-off. The router's firmware has not changed since then, and the manufacturer has no plans to update it.

What applies?

  • The full CRA product requirements (Annex I, conformity assessment, CE marking) do not apply to these 800 units. They were placed on the market before the cut-off and have not been substantially modified. The distributor can continue to sell them.
  • Article 14 reporting does apply. From 11 September 2026, if an actively exploited vulnerability is discovered in that router model, the manufacturer must notify ENISA and the relevant CSIRT within 24 hours. The fact that the units are grandfathered from the product requirements does not exempt the manufacturer from this duty.

Scenario B: The firmware overhaul that adds new features

The same manufacturer releases a major firmware update in early 2028. The update adds a new remote-management interface, changes the product's network-facing attack surface, and introduces capabilities not present in the original design. The manufacturer's own engineers assess that the update affects compliance with the Annex I essential cybersecurity requirements.

What applies?

  • This update is likely a substantial modification. A substantial modification is defined in Article 3(30) of the CRA as a change that affects the product's compliance with the essential cybersecurity requirements in Annex I, Part I, or leads to a change in the intended purpose for which the product was assessed.
  • From the point of that modification, the product re-enters full CRA scope. The manufacturer must treat the modified product as a new product for CRA purposes: conformity assessment, technical documentation, CE marking, and EU Declaration of Conformity are all required.
  • Routine security patches and minor bug fixes, by contrast, are not substantial modifications. The line is drawn at changes that meaningfully alter the security posture or the product's purpose.

Where the conformity assessment machinery stands right now

For products that do need full CRA conformity - either because they are being placed on the market for the first time after 11 December 2027, or because a substantial modification has triggered re-assessment - there is a practical complication worth knowing about.

Chapter IV of the CRA, which governs the notification of conformity assessment bodies, started applying on 11 June 2026. The rules are live. But as of late June 2026, the NANDO database - the EU's official register of notified bodies - lists effectively zero CRA-designated bodies. The designation process takes time, and the Commission's target of sufficient notified-body capacity by 11 December 2026 is a best-efforts goal, not a guarantee.

Similarly, as of early June 2026, no CRA harmonised standard has been approved or had its reference published in the Official Journal. Standards are in draft; the first are expected to be delivered in the second half of 2026, with Official Journal citation to follow. Until a standard is cited, the Article 27 presumption of conformity is not available.

For manufacturers of default-category products (roughly 90% of in-scope products), self-assessment remains available regardless of whether harmonised standards exist. For important Class I and Class II products, the absence of published standards and designated notified bodies is a real scheduling risk. If your product falls into those tiers, treat notified-body availability as a constraint to plan around now, not a detail to resolve later.


The practical checklist for legacy product holders

1
Confirm when each product line was placed on the EU market

The grandfathering applies to individual units, not product types. Document the date each batch or SKU was first placed on the EU market. Units placed before 11 December 2027 are grandfathered from the full product requirements; new units of the same model placed on or after that date are not.

2
Audit your update and modification roadmap

Review planned firmware updates, feature additions, and hardware revisions. Assess each against the Article 3(30) substantial modification definition. Changes that affect Annex I compliance or alter the intended purpose re-trigger full CRA conformity. Routine security patches do not.

3
Build your Article 14 reporting capability before 11 September 2026

This is the obligation that applies to all in-scope products regardless of when they were placed on the market. You need: a process to detect actively exploited vulnerabilities in your products; a designated reporter and escalation path; familiarity with the ENISA Single Reporting Platform; and draft templates for the 24-hour early warning and 72-hour notification. The clock starts the moment you become aware of an actively exploited vulnerability.

4
Map your product inventory against the CRA's scope

Not every connected product is in scope. Products without a direct or indirect logical or physical data connection to a device or network fall outside the CRA. Confirm scope before investing in compliance work.

5
Plan your conformity route for new placements after December 2027

If you will continue placing units on the market after 11 December 2027, those units must be fully CRA-compliant. Identify your product tier (default, important Class I/II, or critical), determine your conformity assessment route, and factor in the current scarcity of designated notified bodies and published harmonised standards.


The bottom line

The CRA's transitional provisions are genuinely protective for legacy inventory. Products placed on the EU market before 11 December 2027 are not retroactively pulled into the full compliance regime - provided they are not substantially modified after that date. That is a meaningful carve-out, and it is deliberate.

But "grandfathered" does not mean "exempt from everything." The Article 14 reporting obligation applies to all in-scope products from 11 September 2026, including products placed on the market years before the CRA existed. That obligation is live, it has enforcement teeth, and it requires operational readiness - detection processes, escalation paths, and reporting workflows - that cannot be assembled overnight.

The honest question for most organisations right now is not "will we be CE-marked by December 2027?" It is "if a critical vulnerability in our legacy product is actively exploited next month, can we file the early warning to ENISA in 24 hours?"

For more on what the reporting obligation requires in practice, see our post on the September 2026 deadline. For the question of what counts as a substantial modification - and how to assess firmware updates against that test - see our post on substantial modification and software updates.