The European Commission opened a consultation on March 3, 2026, by publishing draft guidance to help businesses comply with the Cyber Resilience Act (CRA). The CRA, which entered into force in December 2024 and will impose its main obligations from December 11, 2027, aims to make all digital products sold in the EU market safe against cyber threats.

Key Focus Areas

The draft clarifies how micro‑enterprises and small and medium‑sized enterprises (SMEs) should navigate the new rules. It also tackles remote data processing solutions, free and open‑source software, and the concept of “support periods.”

Henna Virkkunen, Executive Vice‑President for Tech Sovereignty, Security and Democracy, said: “With today's guidelines, the Commission supports the effective application of the Cyber Resilience Act. From baby monitors to smart watches, digital elements are part of our daily lives, and we will make sure all digital products on the EU market are safe from cyber threats.”

Stakeholder Consultation

The guidance is open for feedback until March 31, giving companies a chance to shape the final rules. The Commission emphasised that this consultation aligns with broader simplification efforts and addresses practical challenges faced by firms.