Substantial modification

Article 3(30) of Regulation (EU) 2024/2847 defines substantial modification as:

"a modification of the product with digital elements, occurring after that product has been placed on the market, that is not anticipated or planned by the manufacturer in the technical documentation, and as a result of which the compliance of the product with digital elements with the applicable essential cybersecurity requirements set out in Part I of Annex I is affected, or as a result of which the intended purpose for which the product with digital elements has been assessed is modified".

The key question is whether the modification:

1. Was not anticipated or planned by the manufacturer in the technical documentation; and either:
2. Affects Annex I Part I compliance (security properties of the product); or
3. Changes the intended purpose declared by the manufacturer

If the manufacturer has planned and documented the modification in advance (e.g. a modular product architecture that anticipates add-on components, or a software update framework that describes how new features will be added), that modification is not "substantial" under the CRA definition — it is within the scope of the original conformity assessment.

Under Article 22, any person (other than the original manufacturer, importer, or distributor acting in their supply chain role) who carries out a substantial modification and then places the product on the market is treated as the manufacturer for the modified product (or for the affected part if the product is separable).

An importer or distributor who carries out a substantial modification is also treated as the manufacturer under Art. 21.