Clarifications & Misconceptions
Overview
This section collects clarifications for situations where a common assumption about market access diverges from how the Cyber Resilience Act (CRA) actually works. It is written above all for manufacturers entering the EU market from a certificate-based regulatory culture, where a product certificate is treated as a one-time entry ticket.
The CRA does not work that way. It is a lifecycle obligation, not a certificate you obtain once. Each clarification below isolates one frequent misunderstanding, explains why the CRA differs, and points to the operational chapters that show what to actually do.
WHO THIS IS FOR
Non-EU manufacturers of products with digital elements — especially industrial communication hardware (switches, gateways, routers) — who hold or plan to obtain an IEC 62443, ISO 9001 or ISO 27001 certificate and assume it already satisfies the CRA. It does not. This section explains why, and what is still required.
Clarifications in this section
| # | Clarification | In one sentence |
|---|---|---|
| 1 | Certificate vs. CRA Lifecycle | A certificate is a one-time gate; the CRA is a continuous, manufacturer-owned process for the whole product life. |
| 2 | IEC 62443 & ISO vs. CRA | IEC 62443 and ISO 9001 / 27001 overlap with the CRA but cover none of its ongoing operating and reporting duties. |
This section grows over time. Further delineations (e.g. CRA vs. NIS2, or CRA vs. CE-marking-only thinking) will be added here as separate clarifications.
Related chapters
- Harmonised Standards (Art. 5–6) — which standards create a presumption of conformity
- Conformity Assessment — the assessment routes per product class
- ENISA Reporting Process — the 24 h / 72 h / 14 d reporting duty