CRA’s View on “The Product” and Placing it on the Market

 Posted on March 23, 2026  |  brian

The Cyber Resilience Act contains various chapters referring to products and when they were placed on the market. Here is a short insight into a tiny little pitfall that makes a big difference: The definition of “product”.

Article 69.2 of the Cyber Resiliance Act states:

2.   Products with digital elements that have been placed on the market before 11 December 2027 shall be subject to the requirements set out in this Regulation only if, from that date, those products are subject to a substantial modification.

On the first read, this seems pretty simple! I’ve got a product on the market, existing, running, so I’m safe. Thus, we have a proper form of protection for everything old, “Bestandsschutz”, as we call it in German.

Switching over to the BSI’s TR-03183-1 Paragraph 3.2.2 “Placing on the Market and Making available on the market” , “Cyber Resilience Requirements for Manufacturers and Products” sheds a different light:

The CRA applies to all PwDE that are “placed on the market” in the European Union. The definition originates from "The Blue Guide on implementation of EU product rules" [3] for European product legislation.
Definition: “Placing on the market” means the moment when a product is made available for the first time on the EU market. This is done by a manufacturer or an importer, and it refers to each individual product, not to a type or model. Once a product has been placed on the market, it can be resold or transferred further down the supply chain without being considered as “placed on the market” again. 
Example: A manufacturer in Germany produces a batch of smart thermostats. When these thermostats are sold for the first time to a distributor in France, they are “placed on the market.” 
Some requirements of the CRA also apply for products made available on the market after they have been placed on the market. This is referred to as “making available on the market.”

This small part changes everything: [...] it refers to each individual product, not to a type or model.

Going a little deeper into the referenced “The Blue Guide on implementation of EU product rules” , as the source / reference for the statement, confirms just this. Paragraph states 2.3:

As for ‘making available’, the concept of placing on the market refers to each individual product, not to a type of product, and whether it was manufactured as an individual unit or in series. Consequently, placing on the Union market can only happen once for each individual product across the EU and does not take place in each Member State. Even though a product model or type has been supplied before new Union harmonisation legislation laying down new mandatory requirements entered into force, individual units of the same model or type, which are placed on the market after the new requirements have become applicable, must comply with these new requirements.

Thus, what initially reads as “Bestandsschutz” is definitely not!

:)

Just a note, just a little something…