Article 5

Procurement and Professional Use of Products with Digital Elements

Article 5 addresses the obligations of organisations that procure or professionally deploy products with digital elements — particularly public sector bodies and operators of critical infrastructure. While most CRA obligations fall on manufacturers, Article 5 ensures that buyers and users of CRA-regulated products also play a role in maintaining cybersecurity, including applying security updates, considering cybersecurity in procurement decisions, and cooperating with manufacturers on security issues.

Effective: September 2026
Applies to: Public sector bodies procuring products with digital elements

Cybersecurity in Procurement Decisions

Article 5 requires that organisations procuring products with digital elements — particularly public sector bodies and essential entities under the NIS2 Directive — take cybersecurity into account when making procurement decisions. In practice, this means:

  • Evaluating whether products under consideration meet CRA essential requirements (Annex I)
  • Preferring products with a published CVD policy and a track record of timely security updates
  • Verifying that suppliers have adequate vulnerability handling processes
  • Including cybersecurity requirements in tender specifications and supplier contracts

Organisations are encouraged to refer to ENISA's published guidance on secure ICT procurement when designing their procurement processes.

CRA reference: Article 5(1)

Obligations to Apply Security Updates

Article 5 establishes that professional users of products with digital elements must apply security updates provided by the manufacturer within a reasonable time. This obligation exists alongside, and reinforces, the manufacturer's obligation to provide updates under Article 13. In practice, meeting it involves:

  • Establishing patch management processes capable of applying security updates promptly
  • Prioritising critical security updates over routine maintenance windows
  • Maintaining records of update applications for audit purposes
  • Where auto-update mechanisms are available and risk-appropriate, enabling them

The obligation to apply updates applies to the extent that updates are available and applicable to the specific deployment. Organisations that customise or modify products may need to assess the applicability of manufacturer updates to their modified versions.

CRA reference: Article 5(2)

Cooperation with Manufacturers on Security Issues

Article 5 encourages professional users to cooperate with manufacturers when they identify security vulnerabilities or incidents in products they deploy. While reporting vulnerabilities to manufacturers is not mandated for users, Article 5 recognises that users often discover vulnerabilities through operational experience and that their reports are valuable to the CRA's vulnerability disclosure ecosystem.

  • Report findings to the manufacturer through its published CVD process
  • Consider coordinated disclosure to avoid facilitating exploitation before a patch is available
  • Engage with national CSIRTs where the vulnerability may have sectoral implications

Public sector bodies and essential entities that discover vulnerabilities may also consider whether they have separate reporting obligations under the NIS2 Directive or sector-specific regulation.

CRA reference: Article 5

CVD Portal helps you comply with Article 5 automatically.

Public submission portal, 48-hour acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free for Article 14 compliance — for all manufacturers placing products with digital elements on the EU market.


Frequently asked

Does Article 5 apply to private sector companies that just use CRA products?

Article 5's obligations are most clearly framed around public sector bodies and essential/important entities under NIS2. For general private sector users, Article 5 is more guidance-oriented, but the obligation to apply security updates and consider cybersecurity in procurement applies broadly to professional deployments of networked products.

What if a manufacturer stops providing security updates mid-lifecycle?

If a manufacturer ceases providing security updates before the end of the published support period, this is a violation of their Article 13 obligations and can be reported to the relevant national market surveillance authority. Users should document the gap in update provision and assess the risk of continued operation without updates, considering compensating controls or migration to a supported product.

Does Article 5 create liability for organisations that fail to apply updates?

Article 5 does not directly create financial penalties equivalent to those in Article 64 for manufacturers. However, failure to apply security updates may affect an organisation's position under NIS2 compliance assessments, sector-specific regulation, or general duty-of-care frameworks. Public sector bodies may also face scrutiny under public procurement rules if cybersecurity obligations in contracts are not met.

Need a CVD policy that satisfies Article 5?

Download a free CRA-compliant template and deploy it in minutes.
