This document is under active development and has not been finalised.
Skip to content

Clarifications & Misconceptions

Overview

This section collects clarifications for situations where a common assumption about market access diverges from how the Cyber Resilience Act (CRA) actually works. It is written above all for manufacturers entering the EU market from a certificate-based regulatory culture, where a product certificate is treated as a one-time entry ticket.

The CRA does not work that way. It is a lifecycle obligation, not a certificate you obtain once. Each clarification below isolates one frequent misunderstanding, explains why the CRA differs, and points to the operational chapters that show what to actually do.

WHO THIS IS FOR

Non-EU manufacturers of products with digital elements — especially industrial communication hardware (switches, gateways, routers) — who hold or plan to obtain an IEC 62443, ISO 9001 or ISO 27001 certificate and assume it already satisfies the CRA. It does not. This section explains why, and what is still required.

Clarifications in this section

#ClarificationIn one sentence
1Certificate vs. CRA LifecycleA certificate is a one-time gate; the CRA is a continuous, manufacturer-owned process for the whole product life.
2IEC 62443 & ISO vs. CRAIEC 62443 and ISO 9001 / 27001 overlap with the CRA but cover none of its ongoing operating and reporting duties.

This section grows over time. Further delineations (e.g. CRA vs. NIS2, or CRA vs. CE-marking-only thinking) will be added here as separate clarifications.

Documentation licensed under CC BY-NC 4.0 · Code licensed under MIT