
Delegated and Implementing Acts Under the CRA: What Businesses Need to Know

by Natalija Bitiukova 2 February 2025

The Cyber Resilience Act (CRA) relies heavily on delegated and implementing acts, along with guidance documents, adopted by the European Commission. This approach reflects a broader trend in EU legislation, particularly in complex and technical areas like cybersecurity. However, it also introduces regulatory uncertainty for businesses. This article examines the delegated and implementing acts under the CRA and explores their potential impact on economic operators.


Commission's Acts Under the CRA

The Cyber Resilience Act (CRA) mandates or allows the European Commission to adopt 19 potential acts. These acts fall into two categories: mandatory, where the Commission is required to adopt them, and optional, where the Commission is empowered to adopt them but not obligated to do so. The distribution of these acts is as follows:

  • Mandatory - 4 in total: 2 Implementing Acts, 1 Delegated Act, 1 Guidance Document
  • Optional - 15 in total: 6 Implementing Acts, 9 Delegated Acts

With only 4 mandatory acts, the Commission has significant discretion in shaping enforcement of the CRA.

A Closer Look at the 19 acts

[Figure: overview of the 19 acts (image not reproduced)]

Guidance under CRA

Guidance documents issued by the Commission serve to assist stakeholders in understanding and applying EU legislation. While not legally binding, they provide valuable interpretations and recommendations that facilitate compliance.

Under the CRA, the Commission is mandated to publish guidance to aid economic operators, especially small and medium-sized enterprises (SMEs), in implementing the regulation. This includes:

  • clarifying the regulation's scope, particularly with regard to remote data processing and free and open-source software
  • explaining support periods for particular categories of products with digital elements (PDEs)
  • elucidating concepts like substantial modification
  • guidance for manufacturers subject to other EU legislation, including other harmonisation legislation

Given the significance of the questions the guidance is meant to address, which were a major point of debate during the negotiation of the CRA, it is likely to be one of the most anticipated documents (or, more likely, sets of documents) for economic operators and institutional players involved in the CRA.

Delegated Acts under CRA

Delegated acts are legal instruments that allow the European Commission to amend or supplement non-essential elements of a legislative act. The Commission prepares and adopts delegated acts after consulting expert groups, composed of representatives from each EU country.

The CRA includes ten delegated acts. While most of these acts are optional, a few have significant regulatory and industry implications, for instance:

  • Amendment of Annex III (Product Categories). Allows the Commission to add, remove, or reclassify product categories based on risk assessments.
  • Cybersecurity Certification for Critical Products. Determines which critical products require mandatory cybersecurity certification. The Commission can amend Annex IV by adding or withdrawing categories of critical products with digital elements.
  • Minimum Security Support Periods. Enables the Commission to set minimum security update periods for certain products.

The one mandatory delegated act (Article 14(9)) specifies conditions for delaying the dissemination of cybersecurity vulnerability notifications.

Implementing Acts under CRA

Implementing acts are designed to ensure uniform application of EU laws across all member states. The adoption of these acts involves the "comitology" process, wherein committees composed of member state representatives oversee the Commission's proposals.

The CRA includes eight implementing acts, two of which are mandatory and have significant regulatory implications:

  • Technical Descriptions of Product Categories. Requires the Commission to define the technical specifications for digital product categories under Classes I and II (Annex III) and critical products (Annex IV).
  • Simplified Technical Documentation for SMEs. Mandates the Commission to develop a streamlined documentation format for microenterprises and SMEs to comply with CRA requirements.

The optional implementing acts under the CRA give the European Commission flexibility to define technical and procedural details that enhance regulatory clarity and cybersecurity enforcement. Key acts, which may or may not be adopted, allow the Commission to set the format and elements of the Software Bill of Materials (SBOM), establish the format of the notification procedures for actively exploited vulnerabilities, and mandate recalls, withdrawals, or bans on non-compliant products, thereby strengthening market oversight.

Timeline of Adoption

There is no fixed timeline for most delegated acts, implementing acts, and guidance under the CRA. The exception is the two mandatory acts below, which must be adopted by 11 December 2025:

  • Technical Descriptions of Product Categories.
  • Conditions for Delaying Vulnerability Disclosure Notification.

All other optional acts and guidance provisions remain open-ended, allowing the Commission to introduce them as needed.

Implications for Economic Operators

Overall, the CRA’s approach, with the potential adoption of 19 delegated and implementing acts and guidance documents without concrete deadlines, reflects a dynamic regulatory strategy that prioritizes adaptability over immediate certainty. For economic operators, this means that while the core CRA framework is in place, many technical details shaping compliance obligations remain open-ended. Companies will need to closely monitor regulatory developments, stay agile in their compliance strategies, and allocate resources for future adjustments as new delegated and implementing acts are introduced.

Streamlex.eu will provide a one-stop-shop repository for all implementing and delegated acts, as well as guidance adopted under the CRA. Full text of the CRA, with articles conveniently linked to recitals and definitions highlighted throughout the text, is already available on Streamlex.


© 2025 StreamLex
