"What we produced and stocked before 2027 doesn't fall under the CRA." I hear this sentence more and more often in conversations with manufacturers hoping for some form of grandfathering. My counter-question is always the same: When exactly is your product placed on the market, at production or at sale?
This is where a fundamental misconception becomes visible. And it can be expensive.
What does "placing on the market" mean under the CRA?
"Placing on the market" is a clearly defined legal term in the EU Cyber Resilience Act. It refers not to the production date, but to the moment a product is first actually made available on the EU market, the handover to distributors, integrators, or end customers.
The term is defined in Article 3 of the regulation and is consistent with horizontal EU product law (New Legislative Framework). Important: The obligation applies per individual unit. Each serial number, each physical unit is assessed separately, not the product model as an abstract category.
The current EU guidance draft on the CRA makes this explicit: The conformity obligation applies at the moment the respective unit actually enters the market. Note: The CRA text itself leaves some room for interpretation, but the EU guidance is clear.
Why the production date is irrelevant for CRA applicability
Picture this situation: A programmable logic controller (PLC) or a smart washing machine is produced in 2026 and put into storage. The device only leaves the warehouse for a customer in 2028.
The placing on the market happens in 2028, not in 2026. This means:
- The unit must meet the full CRA requirements at the point of delivery in 2028
- All known exploitable vulnerabilities must be addressed by that point
- The technical documentation must be current at delivery
- Vulnerability disclosure processes must be operational for that specific unit
The production date is legally irrelevant. What counts is the day the unit leaves the manufacturer for the market.
Myth vs. fact
Myth: What was produced before the CRA cut-off is not affected by the CRA.
Fact: There is no grandfathering by production date. What is placed on the market after the cut-off must comply. The obligation applies per individual unit, not per product model.
Concrete consequences for your inventory
Anyone producing devices today that will likely only be shipped after December 2027 needs clear processes for the last mile before placing on the market. Classic warehousing becomes a digital logistics challenge.
Three things that are strategically important now:
1. Conduct an inventory audit now. Which devices are in storage? Which delivery timeframes are realistic? Which models will likely be sold after December 2027? This list is the basis for all further decisions.
2. Establish update processes right before delivery. For every device sold after the cut-off, you must be able to apply the current software state shortly before delivery, including all security patches for vulnerabilities known up to that point. This affects not just the firmware, but every component listed in the Software Bill of Materials (SBOM): libraries, third-party software, operating system layers.
3. Make strategic delivery decisions. Sometimes it is more economical to bring forward a delivery and place it on the market before the cut-off than to retroactively establish full CRA conformity. But this trade-off should be made consciously.
What does this mean for your CRA roadmap?
If you start your CRA compliance planning today, you should keep two dates in mind:
- 11 September 2026: Reporting obligations for actively exploited vulnerabilities and severe incidents take effect, and apply to all products with digital elements on the EU market, including those already delivered
- 11 December 2027: Full applicability of CRA obligations, from this day on, every newly placed-on-market unit must comply
Manufacturers who deliver their products shortly after 11 December 2027 and rely on the production date risk significant fines, up to 15 million euros or 2.5% of worldwide annual turnover.
Frequently asked questions
What does "placing on the market" mean under the CRA? The CRA defines "placing on the market" as the first actual availability of a product on the EU market, the handover to distributors, integrators, or end customers. The obligation applies per individual unit, not per product model.
Does the CRA apply to devices produced before the cut-off date? Yes, if they are placed on the market after the cut-off date. There is no grandfathering by production date. What counts is the day of first market availability.
When is the most important CRA cut-off date for manufacturers? 11 December 2027 marks the full applicability of the CRA. From that day on, every unit placed on the market must comply with all CRA requirements.
What happens to inventory delivered after December 2027? This inventory falls fully under the CRA, regardless of production date. Manufacturers must establish update processes for the last mile before delivery to apply the current software state, including all known security patches.
Conclusion
Don't rely on the production date as the cut-off. The CRA knows no grandfathering by manufacturing day, what counts is the moment of placing on the market.
Audit your inventory now. Establish processes that can update software states shortly before delivery. And make strategic delivery decisions consciously.
A structured CRA roadmap helps work through these points systematically, before the cut-off date tips from theory into practice.
Every Friday I debunk a CRA myth here.