European Commission Seeks Feedback on Draft Cyber Resilience Act Guidelines

On March 3, 2026, the European Commission published draft guidelines intended to clarify the application of the EU Cyber Resilience Act (“CRA”) and opened a public consultation to gather feedback from stakeholders. The CRA entered into force on December 10, 2024, and establishes European Union-wide cybersecurity requirements for products with digital elements.

The draft guidelines provide an overview of the CRA’s scope, confirming it applies to both hardware and software products, and elaborating on key compliance obligations such as risk assessments, reporting duties and procedures for vulnerability handling. The guidelines also seek to address how the rules will be applied in practice, including specific considerations for microenterprises and small and medium-sized enterprises (“SMEs”), which are a particular focus under Article 26 of the CRA.

The CRA is being implemented in phases: Chapter IV will apply from June 11, 2026; Article 14’s vulnerability reporting obligations take effect from September 11, 2026; and the CRA as a whole will apply from December 11, 2027. The guidelines are intended to help organizations prepare for these upcoming requirements and to facilitate harmonized enforcement by national market surveillance authorities across the European Union. According to the guidelines, the European Commission and the European Union Agency for Cybersecurity (“ENISA”) will provide ongoing support to operators and EU Member States as the CRA is rolled out.

While not legally binding, the guidelines aim to clarify the European Commission’s interpretation of the CRA and are designed to support organizations, especially SMEs, in achieving compliance. Further guidelines may be issued as the CRA is integrated with other European Union digital regulations.

The consultation for stakeholder feedback is open until March 31, 2026.
