Glossary

Defined terms and concepts from the EU Cyber Resilience Act and related guidance.

A

Actively exploited vulnerability
A vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without the permission of the system owner (definition in Art. 3). A manufacturer that becomes aware of an actively exploited vulnerability contained in its product must notify it, via the single reporting platform, to the CSIRT designated as coordinator and to ENISA (Art. 14(1)): an early warning within 24 hours of becoming aware, a vulnerability notification within 72 hours, and a final report within 14 days after a corrective or mitigating measure is available.
Annex I — Essential cybersecurity requirements
The normative annex of the CRA containing the binding technical and process requirements that products with digital elements must satisfy. It is divided into Part I (11 security properties that products must have by design and by default) and Part II (8 vulnerability handling obligations applicable to manufacturers' development and maintenance processes).
Authorised representative
A natural or legal person established within the European Union who has received a written mandate from a manufacturer to act on the manufacturer's behalf in relation to specified tasks under the CRA. An authorised representative's minimum statutory tasks include keeping the EU DoC and technical documentation available, providing conformity information on request, and cooperating with market surveillance.

C

CE marking
The marking placed on a product by the manufacturer to indicate that the product has been assessed and meets all applicable Union harmonisation legislation, including the CRA's essential cybersecurity requirements. CE marking is required before a product with digital elements is placed on the EU market and must be affixed visibly, legibly, and indelibly.
Conformity assessment
The process by which a manufacturer demonstrates that a product with digital elements satisfies the essential cybersecurity requirements of Annex I. Article 32 provides four procedures: Module A (internal control, i.e. self-assessment), Module B followed by Module C (EU-type examination, then conformity to type), Module H (full quality assurance), and certification under a European cybersecurity certification scheme such as EUCC. Which procedures are available depends on the product classification (default, important Class I or II, critical) and, for important products, on whether harmonised standards, common specifications or a certification scheme covering the relevant requirements have been fully applied.
Critical product with digital elements
A product whose core functionality falls within Annex IV of the CRA. Currently the three categories are: hardware devices with security boxes, smart meter gateways, and smartcards/secure elements. Critical products face the most stringent conformity requirements and, once Commission delegated acts are in force, must obtain formal European cybersecurity (EUCC) certification.
Coordinated Vulnerability Disclosure (CVD) policy
A structured process through which vulnerabilities in a product can be reported to a manufacturer in a way that allows the manufacturer to diagnose and remediate them before detailed information is disclosed to third parties or the public. Manufacturers are required by Annex I Part II of the CRA to put in place and enforce a CVD policy.

D

Distributor
A natural or legal person in the supply chain, other than the manufacturer or importer, who makes a product with digital elements available on the EU market without affecting its properties. Distributors have lighter obligations than manufacturers or importers, but still must verify CE marking and basic compliance before supplying products.

E

Essential cybersecurity requirements
The binding security requirements set out in Annex I of the CRA, divided into two Parts. Part I specifies 11 security properties that products with digital elements must achieve by design and by default. Part II specifies 8 vulnerability handling obligations that manufacturers must implement as processes throughout the product lifecycle.
EU Declaration of Conformity (EU DoC)
A formal document drawn up by the manufacturer before placing a product with digital elements on the market, in which the manufacturer declares, and takes responsibility for, the product's conformity with the essential cybersecurity requirements of Annex I and any other applicable Union harmonisation legislation (Art. 28). The EU DoC must follow the model structure in Annex V and contain the elements required by the conformity assessment procedure that was applied (Annex VIII); it is kept together with the technical documentation and made available to market surveillance authorities on request.

F

Free and open-source software (FOSS)
Software whose source code is made available with a licence granting users the rights to use, copy, modify, and distribute the software. FOSS components integrated into a commercial product are in scope of the CRA for the manufacturer integrating them. Non-commercial FOSS development and supply is generally out of scope; OSS stewards have a tailored regime.

H

Harmonised standard
A European standard developed by a European Standardisation Organisation (CEN, CENELEC, or ETSI) following a request from the European Commission. Where a manufacturer applies a harmonised standard that has been published in the Official Journal of the EU, it gains a presumption of conformity with the essential cybersecurity requirements covered by that standard, without needing to independently demonstrate compliance.

I

Important product with digital elements
A product whose core functionality falls within a category listed in Annex III of the CRA. Such products primarily perform functions critical to the cybersecurity of other products, networks, or services, or carry a significant risk of adverse effects if exploited. Important products are divided into Class I and Class II, with Class II attracting stricter conformity requirements.
Importer
A natural or legal person established in the European Union who places on the EU market a product with digital elements that bears the name or trademark of a natural or legal person established outside the Union.
In-scope product (CRA scope)
A product with digital elements that falls within the scope of the CRA (Art. 2) and is therefore subject to its requirements. In-scope products are those that have a direct or indirect logical or physical data connection to a device or network and are made available on the EU market in the course of a commercial activity. Several product categories are explicitly excluded from CRA scope.

M

Making available on the market
Any supply of a product with digital elements for distribution, consumption, or use on the EU market in the course of a commercial activity, whether for payment or free of charge. Unlike "placing on the market" (which refers to the first supply), "making available" covers every subsequent supply in the supply chain, including by importers and distributors.
Manufacturer
A natural or legal person who develops or manufactures products with digital elements (or has them designed, developed, or manufactured), and markets them under their own name or trademark, whether for payment, monetisation, or free of charge. This is the primary role carrying obligations under the CRA.
Market surveillance authority
A national authority designated by a Member State to monitor and enforce the compliance of products with digital elements with the CRA on the market. Market surveillance authorities can request technical documentation, carry out audits and testing, and order corrective measures or market withdrawal for non-compliant products.

N

Notified body
An independent, accredited third-party organisation that has been designated by a Member State authority and notified to the European Commission to carry out third-party conformity assessment procedures under the CRA. Notified bodies evaluate whether important and critical products meet the essential cybersecurity requirements before CE marking is applied.

O

Open-source software steward
A legal person, other than a manufacturer, whose purpose or objective is to systematically provide support on a sustained basis for the development of specific free and open-source software products intended for commercial activities, and who ensures the viability of those products. OSS stewards have a lighter, tailor-made regulatory regime under the CRA.

P

Product with digital elements (PDE)
Any software or hardware product, and its remote data processing solutions, whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. The CRA applies to PDEs unless a sectoral carve-out applies (medical devices, motor vehicles, aviation, marine, etc.).
Placing on the market
The first making available of a product with digital elements on the EU market. A manufacturer places a product on the market when they supply it for the first time to a distributor, importer, or user in the EU, in the course of a commercial activity, whether for payment or free of charge. The date of first market placement determines when CRA obligations take effect for that product.

R

Remote data processing solution (RDPS)
A remote service that is necessary for a product with digital elements to perform any of its functions. An RDPS is part of the PDE and therefore subject to the same CRA obligations as the product itself. The three-part test (at-a-distance, functional dependency, manufacturer responsibility) determines whether a remote service qualifies.

S

Software bill of materials (SBOM)
A formal record of the components, libraries, and modules contained in a software product, drawn up in a commonly used and machine-readable format. Under Annex I Part II of the CRA, manufacturers must produce an SBOM covering at least the top-level dependencies of their product. The SBOM does not need to be made public but must be available to market surveillance authorities on reasoned request.
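What a minimal machine-readable SBOM of this kind looks like, as an added example that is not part of the original page or of any official CRA guidance: the code below emits a CycloneDX 1.5 JSON document for a constructed product and its top-level Python dependencies (the product and package names and versions are invented placeholders) and runs a small check that every declared top-level dependency appears as a component carrying a version and a purl and is linked from the root component in the dependency graph. CycloneDX is one commonly used format; SPDX is the other, and the same checks apply in spirit.

```python
"""Minimal CycloneDX-style SBOM covering a product's top-level dependencies.

Added example, not from the original glossary page. Product, package names
and versions below are constructed for illustration only.
"""
import json
from typing import Dict, List

# Constructed sample input: the product and its direct (top-level) dependencies,
# as a packager would read them from a lock file. Hypothetical names/versions.
PRODUCT = {"name": "gateway-agent", "version": "2.4.1", "ecosystem": "pypi"}
TOP_LEVEL_DEPS = [
    {"name": "requests", "version": "2.32.3", "ecosystem": "pypi"},
    {"name": "cryptography", "version": "43.0.1", "ecosystem": "pypi"},
    {"name": "pyyaml", "version": "6.0.2", "ecosystem": "pypi"},
]


def purl(pkg: Dict[str, str]) -> str:
    """Package URL (purl), the usual component identifier in SBOM formats."""
    return f"pkg:{pkg['ecosystem']}/{pkg['name']}@{pkg['version']}"


def build_sbom(product: Dict[str, str], deps: List[Dict[str, str]]) -> dict:
    """Emit a CycloneDX 1.5 JSON document listing the product's top-level dependencies."""
    root_ref = purl(product)
    components = [
        {"type": "library", "bom-ref": purl(d), "name": d["name"],
         "version": d["version"], "purl": purl(d)}
        for d in deps
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "component": {"type": "application", "bom-ref": root_ref,
                          "name": product["name"], "version": product["version"],
                          "purl": root_ref}
        },
        "components": components,
        # Dependency graph: the root depends directly on every top-level component.
        "dependencies": [
            {"ref": root_ref, "dependsOn": [c["bom-ref"] for c in components]},
            *[{"ref": c["bom-ref"], "dependsOn": []} for c in components],
        ],
    }


def check_sbom(sbom: dict, expected_top_level: List[Dict[str, str]]) -> List[str]:
    """Return a list of problems; an empty list means the SBOM passes.

    Checks: format/version fields are present, every component carries a
    version and a purl, and every expected top-level dependency is both listed
    as a component and recorded as a direct dependency of the root component.
    """
    problems: List[str] = []
    if sbom.get("bomFormat") != "CycloneDX" or not sbom.get("specVersion"):
        problems.append("missing bomFormat/specVersion")
    components = sbom.get("components", [])
    refs = {c.get("bom-ref") for c in components}
    for c in components:
        if not c.get("version") or not c.get("purl"):
            problems.append(f"component {c.get('name')} lacks version or purl")
    root_ref = sbom.get("metadata", {}).get("component", {}).get("bom-ref")
    direct = set()
    for d in sbom.get("dependencies", []):
        if d.get("ref") == root_ref:
            direct.update(d.get("dependsOn", []))
    for dep in expected_top_level:
        ref = purl(dep)
        if ref not in refs:
            problems.append(f"top-level dependency {ref} not listed as a component")
        elif ref not in direct:
            problems.append(f"top-level dependency {ref} not linked from root component")
    return problems


def sbom_json(product: Dict[str, str] = PRODUCT,
              deps: List[Dict[str, str]] = TOP_LEVEL_DEPS) -> str:
    """Serialised SBOM, ready to hand over on a reasoned request."""
    return json.dumps(build_sbom(product, deps), indent=2)


if __name__ == "__main__":
    doc = build_sbom(PRODUCT, TOP_LEVEL_DEPS)
    print(sbom_json())
    print("problems:", check_sbom(doc, TOP_LEVEL_DEPS) or "none")
```

The check deliberately compares the SBOM against an independent list of expected top-level dependencies (here the same constructed list; in practice the lock file or package manifest) so that a dependency silently dropped from the generated document is caught rather than trusted because the file parses.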
Severe incident having an impact on the security of a product
An incident that has an actual adverse effect on the security of a manufacturer's network and information systems used for the development, production or maintenance of a product with digital elements (Art. 14(3)). Becoming aware of such an incident triggers notification through the same channel as for actively exploited vulnerabilities (the CSIRT designated as coordinator and ENISA, via the single reporting platform): an early warning within 24 hours and an incident notification within 72 hours. The final report differs from the vulnerability timeline: it is due within one month after the 72-hour incident notification rather than being tied to the availability of a fix.
Substantial modification
A modification to a product with digital elements, made after it has been placed on the market, that affects the product's compliance with the essential cybersecurity requirements in Annex I Part I, or that changes the intended purpose as declared by the manufacturer. A substantial modification triggers a new conformity assessment, effectively treating the modified product as a new product.
Support period
The period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are effectively handled in accordance with Annex I Part II. The support period must be at least five years, unless the product's expected useful life is shorter. Manufacturers must display the support end date at point of purchase.

T

Technical documentation
A comprehensive set of documentation that the manufacturer must draw up before placing a product on the market and keep up to date throughout the support period, containing all information demonstrating that the product and the manufacturer's processes comply with the Annex I essential cybersecurity requirements. Annex VII specifies the minimum content. The manufacturer must keep the technical documentation, together with the EU DoC, at the disposal of market surveillance authorities for at least 10 years after the product was placed on the market or for the support period, whichever is longer.

V

Vulnerability
A weakness in a product with digital elements that can potentially be exploited by a threat actor to breach the security of that product or connected systems. The CRA imposes extensive obligations on manufacturers to identify, remediate, and disclose vulnerabilities throughout the support period.
Glossary — CRA Compliance Hub