Article 1

Subject Matter and Purpose of the Cyber Resilience Act

Article 1 establishes the overarching purpose of the EU Cyber Resilience Act: to ensure that products with digital elements placed on the EU market meet baseline cybersecurity requirements throughout their lifecycle. It sets the foundation for all subsequent obligations by defining what the regulation aims to achieve and why. Manufacturers, importers, and distributors operating in the EU single market must understand Article 1 as the lens through which all other provisions are interpreted.

Effective: September 2026
Applies to: All manufacturers placing products with digital elements on the EU market

What Article 1 Establishes

Article 1 defines the subject matter of the Cyber Resilience Act. The regulation lays down rules concerning the placing on the market, making available on the market, or putting into service of products with digital elements to ensure an adequate level of cybersecurity for those products.

The core objective is to address two distinct problems that the EU legislature identified in the digital product market. First, many products are placed on the market with inadequate security properties, leaving consumers and businesses exposed to preventable vulnerabilities. Second, manufacturers frequently fail to provide security updates throughout the reasonable lifetime of their products, leaving users unable to protect themselves after purchase.

Article 1 frames the CRA as a product regulation — meaning its primary enforcement mechanism is market access. Products that do not meet CRA requirements cannot lawfully bear the CE marking and cannot be placed on the EU market.

CRA reference: Article 1(1)

The Two Pillars of CRA Obligations

Article 1, read together with the regulation's recitals, establishes that CRA obligations fall into two broad categories. The first pillar covers security properties of products at the point of design and manufacture — these are the technical requirements in Annex I Part I, such as secure default configurations, minimal attack surfaces, and data protection by design.

The second pillar covers vulnerability handling obligations that persist after the product is placed on the market. These include the coordinated vulnerability disclosure requirements in Article 13, the 24-hour early warning and 72-hour notification obligations in Article 14, and the requirement to provide free security updates for at least five years (or the expected product lifetime, whichever is shorter).

Together, these two pillars reflect the EU legislature's recognition that cybersecurity is not a one-time activity at product launch but a continuing responsibility throughout the product's supported lifetime.

CRA reference: Article 1(1), Annex I

Products with Digital Elements Defined

Although Article 1 does not itself define 'products with digital elements', it is the provision that triggers the definition in Article 3. A product with digital elements is any hardware or software product that features a data connection — direct or indirect — to a device or network. This broad definition intentionally captures a wide range of products: consumer IoT devices, industrial control systems, routers, smartphones, operating systems, and standalone software applications.

The breadth of this definition reflects the EU legislature's concern that the digital supply chain is deeply interconnected and that a vulnerability in any component can cascade across many products and systems. Article 1's purpose statement provides important interpretive guidance when applying the definitions in Article 3 to borderline products.

CRA reference: Article 1, Article 3(1)

Relationship to the New Legislative Framework

The CRA fits within the EU's New Legislative Framework (NLF) for product regulation. This means it follows the same general architecture as other CE marking directives and regulations: essential requirements, presumption of conformity through harmonised standards, conformity assessment procedures, and market surveillance by national authorities.

Article 1 positions the CRA explicitly within this framework, which has important practical implications. Compliance evidence gathered for the CRA (technical documentation, declarations of conformity, testing records) follows established NLF conventions. Manufacturers with existing CE marking experience will find many of the procedural requirements familiar, even if the cybersecurity substance is new.

CRA reference: Article 1(2)

Lifecycle Security as a Legal Requirement

One of the most significant innovations of the CRA, established in principle by Article 1 and operationalised in subsequent provisions, is the requirement for post-market security support. Prior to the CRA, no EU-wide rule required manufacturers to continue providing security updates after initial sale.

Article 1 establishes that the regulation's goals include ensuring products remain secure throughout their lifecycle. This principle translates into concrete obligations: manufacturers must define a support period, communicate it to consumers, and actually deliver security updates during that period. The support period must be at least five years for most products, creating a significant long-term commitment for manufacturers that has not previously existed under EU law.

CRA reference: Article 1, Article 13(8)


Frequently asked

When does the CRA apply to products already on the market?

The CRA applies to products placed on the EU market on or after the application date (September 2026). Products already on the market before that date are generally not subject to CRA requirements, but manufacturers who continue to actively sell those products after the application date will need compliant versions. Transitional arrangements may apply in specific cases.

Does the CRA apply to software-only products?

Yes. The CRA applies to both hardware and software products with digital elements. A standalone software application that can connect to a network falls within scope. However, pure SaaS and cloud services provided on a subscription basis — where the product is never placed on the market as a discrete item — are generally excluded.

Is the CRA a directive or a regulation?

The CRA is an EU regulation, which means it applies directly in all EU member states without requiring national implementing legislation. This distinguishes it from a directive, which would need to be transposed by each member state and could lead to variations in national requirements.

Does Article 1 create any direct obligations for manufacturers?

Article 1 itself is a purpose and subject-matter provision — it does not create specific obligations. However, it is important for interpretation: when in doubt about whether a provision applies to a particular product or situation, Article 1's statement of purpose provides the interpretive lens.

How does the CRA interact with GDPR and NIS2?

The CRA complements but does not replace GDPR or NIS2. GDPR governs personal data processing; NIS2 imposes security obligations on critical infrastructure operators and important entities. The CRA focuses on product-level security requirements. A single product or organisation may need to comply with all three frameworks simultaneously.
