Cyber Resilience Act and Legacy Products

10.03.2026

Dr. Andreas Kotulla

Cyber Resilience Act

One of the frequently asked questions surrounding the Cyber Resilience Act (CRA) concerns legacy products. Manufacturers ask whether they can sell older products in the EU after 11 December 2027 without updates. This blog explores the issue amid evolving CRA standards and upcoming compliance deadlines.

CRA Scope and Market Placement

The CRA applies to products placed on the market from 11 December 2027 onward. The decisive factor is not the product model’s initial release date, but when each individual unit is placed on the market. Under EU product legislation, compliance obligations attach to each unit supplied for distribution or use in the Union. The Commission’s FAQ confirms this principle, reflecting long-standing guidance in the Blue Guide on EU product rules. In other words, EU law regulates products as individual market events, not as abstract product types.

Placing on the Market

Under the CRA, a product’s support period starts on the date it is placed on the market, meaning the first sale of each unit. Section 2.3 of the Blue Guide clarifies that “placing on the market” applies to individual units, not to the product type, whether made as a single item or in series.

Implications for Products Before 11 December 2027

This distinction has major implications. Units placed on the market before 11 December 2027 do not need to retroactively meet the CRA’s essential cybersecurity requirements. Products already on the market do not need conformity assessment, CE marking, or updated documentation just because the CRA applies. Exception: From 11 September 2026, Article 14 reporting obligations apply to all in-scope products. If a manufacturer detects an actively exploited vulnerability or severe incident, they must notify authorities, regardless of when the product was first placed on the market.

Obligations for Products Placed on the Market After 11 December 2027

The situation changes fundamentally for any unit placed on the market on or after 11 December 2027. From that date forward, every new unit must comply with the CRA in full. This is true even if the product design has not changed since 2015 or earlier. The manufacturer must meet Annex I cybersecurity requirements, implement vulnerability handling, complete the conformity assessment, prepare technical documentation, affix the CE marking, issue an EU declaration of conformity, and define a compliant support period. The age of the product architecture does not provide an exemption.

Substantial Modifications: When Legacy Products Re-Enter Scope

Another important dimension concerns product modifications. The CRA distinguishes clearly between customization, minor updates, and substantial modifications, and this distinction directly affects whether the Regulation applies. Customer-specific customizations usually do not create a new product or change its purpose, so they do not trigger the CRA. Minor updates, such as visual improvements or new language support, also do not count as substantial modifications as long as they do not increase cybersecurity risk.

A software or feature update is substantial if it changes the product’s purpose, introduces new hazards, or raises cybersecurity risk. In such cases, even products placed on the market before 11 December 2027 fall under the CRA once the substantially modified version is released.

Cybersecurity through CRA

The CRA treats cybersecurity as a lifecycle obligation, not a one-time certification. Products designed ten years ago, routers being a typical example, must meet current standards when new units enter the EU market after 2027. Legacy models are not exempt as long as manufacturers keep supplying new units.

Compliance Horizon for Legacy Products

In practice, this creates a compliance horizon. Manufacturers must either update legacy products for CRA compliance or stop selling new units in the EU. For some manufacturers, compliance may require secure default configurations, stronger authentication, an update process, or a firmware redesign. For others, particularly those with hardware limitations or outdated architectures, technical retrofitting may be economically or practically unfeasible. In such cases, a controlled phase-out strategy aligned with the December 2027 deadline may be the more realistic path.

Guidance for Customers and Distributors

Customers and distributors should also prepare. Customers should ask manufacturers about CRA compliance roadmaps and support for products marketed beyond 2027. Units sold after the deadline must meet cybersecurity requirements, even if older designs persist. Understanding this distinction is critical for procurement planning, long-term maintenance strategies, and supply chain risk management.

CRA Focus on Market Placement

Ultimately, the CRA regulates placement on the market. From 11 December 2027, all new units sold in the EU must meet modern cybersecurity standards, regardless of design age. Manufacturers of legacy products must prepare for compliance or adjust their market strategy now.

SBOMs and SCA as Essential Tools

The CRA does not exempt legacy product types, making SBOMs and Software Composition Analysis (SCA) essential tools. Manufacturers placing new units of older products on the EU market after 11 December 2027 must demonstrate full compliance with cybersecurity requirements, including vulnerability handling during the support period.

A well-maintained SBOM shows all integrated components, their versions, and support status. SCA tools allow continuous monitoring of new vulnerabilities in those components.

For legacy products, this visibility is critical. Without a structured SBOM and ongoing SCA, manufacturers may fail to assess risks from outdated architectures, dependencies, or unsupported components, potentially breaching CRA compliance.
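To make the SBOM-plus-SCA visibility described above concrete, here is a small added example (not code from this post or from its author): it parses a constructed, CycloneDX-style SBOM for a hypothetical legacy router firmware, matches each component's version against a constructed vulnerability feed with placeholder identifiers, and checks each component's branch against a hypothetical upstream end-of-support table as of the CRA date. It goes slightly beyond the text by also flagging components whose support status is unknown, since a gap in the support record is itself a risk that a legacy inventory should surface. All component names, versions, vulnerability IDs and dates are invented for the example.

```python
"""SBOM + SCA check for a legacy product (added example, constructed data).

The SBOM, the vulnerability feed and the support table below are all
hand-written for illustration; the VULN-EXAMPLE-* identifiers are
placeholders, not real advisories.
"""
import json
from datetime import date

# Constructed, CycloneDX-style SBOM for a hypothetical legacy router firmware.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library",  "name": "tls-lib",     "version": "1.0.2"},
    {"type": "library",  "name": "httpd",       "version": "2.4.3"},
    {"type": "library",  "name": "zlib-compat", "version": "1.2.11"},
    {"type": "firmware", "name": "bootloader",  "version": "3.0.0"}
  ]
}
"""

# Constructed vulnerability feed: each entry names the affected component
# and a comma-separated list of version clauses that must all hold.
VULN_FEED = [
    {"id": "VULN-EXAMPLE-0001", "component": "tls-lib",     "affected": ">=1.0.0,<1.1.0"},
    {"id": "VULN-EXAMPLE-0002", "component": "httpd",       "affected": ">=2.4.0,<2.4.2"},
    {"id": "VULN-EXAMPLE-0003", "component": "zlib-compat", "affected": "<1.2.11"},
]

# Hypothetical upstream support status: (component, major.minor branch) -> end of support.
SUPPORT_END = {
    ("tls-lib", "1.0"):     date(2019, 12, 31),
    ("httpd", "2.4"):       date(2030, 1, 1),
    ("zlib-compat", "1.2"): date(2030, 1, 1),
}

CRA_APPLICATION_DATE = date(2027, 12, 11)

_OPS = {
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
    "<":  lambda a, b: a < b,
    ">":  lambda a, b: a > b,
}


def parse_version(text):
    """Turn a dotted numeric version such as '1.2.11' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def version_affected(version, spec):
    """True if `version` satisfies every clause in `spec`, e.g. '>=1.0.0,<1.1.0'."""
    v = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        for op in _OPS:  # two-character operators are listed first on purpose
            if clause.startswith(op):
                if not _OPS[op](v, parse_version(clause[len(op):])):
                    return False
                break
        else:
            raise ValueError(f"unsupported version clause: {clause!r}")
    return True


def load_sbom(text):
    """Return (name, version) pairs from a CycloneDX-style JSON document."""
    bom = json.loads(text)
    return [(c["name"], c["version"]) for c in bom["components"]]


def assess(components, feed, support_end, as_of):
    """Produce findings: known vulnerabilities, expired support, unknown support."""
    findings = []
    for name, version in components:
        for vuln in feed:
            if vuln["component"] == name and version_affected(version, vuln["affected"]):
                findings.append({"component": name, "version": version,
                                 "kind": "vulnerable", "ref": vuln["id"]})
        branch = ".".join(version.split(".")[:2])
        end = support_end.get((name, branch))
        if end is None:
            findings.append({"component": name, "version": version,
                             "kind": "unknown-support", "ref": None})
        elif end < as_of:
            findings.append({"component": name, "version": version,
                             "kind": "unsupported", "ref": end.isoformat()})
    return findings


def run_example():
    """Assess the constructed SBOM as of the CRA application date."""
    return assess(load_sbom(SBOM_JSON), VULN_FEED, SUPPORT_END, CRA_APPLICATION_DATE)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['kind']:16} {f['component']} {f['version']}  {f['ref'] or ''}")
```

Run as a script, the example reports the TLS library as both vulnerable and past its upstream support end, and the bootloader as having no support record at all, while the web server and compression library come through clean for this constructed data. In a real pipeline the feed would come from a vulnerability database and the support table from the component suppliers; the structure of the check, one inventory row at a time against both sources, is what makes a CRA vulnerability-handling process auditable.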