
CRA Draft Guidance: What the EU Consultation Until March 31 Means for Manufacturers
It's March 28, 2026. Your product manager sends you a link: "EU Commission seeking feedback on the Cyber Resilience Act — deadline March 31." Three days. Your company manufactures industrial robots with network connectivity. You fall under the CRA. And you've never heard of the Draft Guidance.
This scenario affects thousands of manufacturers in Germany. The EU Commission published draft guidance on the Cyber Resilience Act on March 3, 2026 — and simultaneously opened a public consultation with a deadline of March 31, 2026. Those who comment help shape the outcome. Those who remain silent must live with the results of others. This article explains what's in the Draft Guidance, who needs to act now, and what practically changes for manufacturers.
⚠️ Deadline: The consultation period for the CRA Draft Guidance ends on March 31, 2026. Manufacturers should submit feedback now and adjust their compliance strategy.
What the EU Commission Published on March 3, 2026
On March 3, 2026, the EU Commission published Draft Guidance on the Cyber Resilience Act — this was highly anticipated. Manufacturers had been demanding guidance documents for months, as the CRA regulation text leaves many operational questions open. The Commission simultaneously opened a public stakeholder consultation with a deadline of March 31, 2026.
What the Draft Guidance contains:
Clarifications on the product definition: Which products with "digital elements" fall under the CRA? The Guidance clarifies boundary questions — software, embedded systems, IoT devices, components. Particularly relevant: When is a product considered "critical" (Annex I) and when "highly critical" (Annex II), which means different conformity pathways.
Vulnerability management requirements: The Guidance specifies what "actively exploited vulnerabilities" means and how the 24-hour reporting obligation (from September 2026) is to be operationally implemented. What information must be included in the initial report? To whom is it reported (ENISA)?
Conformity assessment: Clarification of the various modules for the conformity assessment process. For most standard products: Self-assessment plus technical documentation. For critical products (Class I): Review by a third party or use of a harmonized standard. For highly critical products (Class II): Certification by an accredited body.
Lifecycle requirements: How long must manufacturers provide security updates? The Guidance clarifies: at least 5 years — or the expected product lifetime, if shorter.
What Practically Changes for Manufacturers
The Draft Guidance is not a new law — it explains and specifies the existing CRA regulation. But for manufacturers, it has significant practical consequences:
Review product classification: With the Guidance's clarifications, many manufacturers can now finally reliably assess which category their product falls into. This determines the conformity pathway — and thus costs and timeline.
Prepare reporting process for September 2026: The 24-hour reporting obligation for actively exploited vulnerabilities takes effect on September 11, 2026. The Guidance now gives concrete direction on how to set up the process. Those who don't have one yet: start now.
Structure technical documentation: The Guidance provides clearer requirements for the technical documentation that manufacturers must maintain. This includes security tests, risk analyses, and vulnerability reports.
SBOM (Software Bill of Materials): The Guidance confirms that an SBOM is expected in the technical documentation — a complete list of all software components and their versions.
Supply chain security: Manufacturers must not only secure their own products but also ensure that third-party components used do not contain known vulnerabilities.
Until March 31: Who Can Comment, and How?
The public consultation is aimed at all affected stakeholders: manufacturers, importers, distributors, industry associations, research institutions, national authorities, and the general public. There is no formal restriction — individuals can also comment.
How does it work? Feedback is submitted via the "Have your say" portal of the EU Commission (digital-strategy.ec.europa.eu). The Commission has provided a structured feedback form. Comments can be submitted in English and all other official EU languages.
Why should manufacturers comment? The Draft Guidance is not yet a final document. Feedback from practice influences the final version. Those who have identified operational difficulties, ambiguities, or disproportionate requirements can now contribute — and thus help shape the compliance burden for the entire industry.
More on the specific reporting obligations from September: CRA Reporting Obligation from September 2026: What to Do Now. On the distinction between CRA, NIS2, and DORA: CRA, NIS2, DORA: Which Regulation Applies to Your Company?
Frequently Asked Questions About the CRA Draft Guidance
Is the Draft Guidance already binding?
No. The Draft Guidance is a consultation document — not yet a final, binding document. The Commission will evaluate the feedback and publish final guidance. Nevertheless: Most requirements reflect the already binding CRA regulation text, just more precisely. Final document or not — manufacturers should use the Guidance as a planning basis.
My product is already on the market. Does the CRA still apply?
The CRA applies to products placed on the EU market from December 11, 2027. There is no retroactive effect for products already sold, but if you further develop a product or bring a new version to market, the CRA applies in full to that new version. Security updates for existing products must also continue to be provided.
What is the difference between CRA Class I and Class II?
Class I ("critical products"): Higher security risk, e.g., routers, firewalls, operating systems, browsers, password managers. Conformity assessment by third party or harmonized standard. Class II ("highly critical products"): Very high risk, e.g., industrial control systems (SCADA/ICS), microcontrollers, smart cards. Certification by accredited body mandatory. All other products: Self-assessment possible.
What is an SBOM and do I really need one?
An SBOM (Software Bill of Materials) is a machine-readable list of all software components in your product, including open-source libraries, their versions, and known vulnerabilities. The CRA does not require the SBOM to be published, but it must be available as part of the technical documentation and presentable to authorities on request. For complex products, an SBOM is practically indispensable.
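As an added illustration (not from the original article or from ADVISORI), a Python sketch of what the SBOM and supply-chain passages describe: it emits a minimal CycloneDX-style SBOM for a product's components and flags every component whose version is below the fix version in an advisory list. Component names, versions and advisory IDs are constructed placeholders, and the advisory feed format is an assumption.

```python
import json

# Constructed sample: components shipped in a hypothetical robot-controller firmware.
COMPONENTS = [
    {"name": "openssl", "version": "3.0.7"},
    {"name": "libcurl", "version": "8.1.0"},
    {"name": "robot-motion-planner", "version": "2.4.1"},
]

# Constructed sample advisory feed (placeholder IDs, not real CVEs):
# a component is affected if its version is below "fixed_in".
KNOWN_VULNS = [
    {"id": "ADV-PLACEHOLDER-1", "name": "openssl", "fixed_in": "3.0.8"},
    {"id": "ADV-PLACEHOLDER-2", "name": "libcurl", "fixed_in": "8.0.0"},
]


def parse_version(v):
    """Dotted numeric version string -> comparable tuple, e.g. '3.0.7' -> (3, 0, 7)."""
    return tuple(int(part) for part in v.split("."))


def build_sbom(components):
    """Minimal CycloneDX-style document (bomFormat, specVersion, components)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {
                "type": "library",
                "name": c["name"],
                "version": c["version"],
                # Package URL using the generic type; a real build would use the ecosystem type.
                "purl": f"pkg:generic/{c['name']}@{c['version']}",
            }
            for c in components
        ],
    }


def find_affected(sbom, advisories):
    """Return (name, version, advisory id) for each SBOM component with a known unfixed vulnerability."""
    hits = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["name"] == comp["name"] and parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


if __name__ == "__main__":
    sbom = build_sbom(COMPONENTS)
    print(json.dumps(sbom, indent=2))
    print("affected:", find_affected(sbom, KNOWN_VULNS))
```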
ADVISORI Advises You on CRA Implementation
CRA implementation is complex — especially for companies that have not previously had structured processes for cybersecurity in the product development cycle. ADVISORI supports manufacturers with product classification, technical documentation, vulnerability management, and preparation for the reporting obligation starting September 2026.
Contact our CRA advisory team — the deadline for the first compliance obligation is approaching.