In the Commission Notice publishing the 2026 annual Union work programme for European standardisation (OJ C; C/2026/1695), the Commission includes an item on cybersecurity requirements for products with digital elements supporting Regulation (EU) 2024/2847 (Cyber Resilience Act). The Notice signals an upcoming standardisation request to develop harmonised European standards in support of the CRA, complementing the earlier request M/606, and notes the intent to address gaps for products with digital elements outside CRA Annexes III–IV (e.g., in rail, machinery, lifts, agricultural machinery, AI systems and solar inverters). While not an Annex III amendment, this is relevant to Annex III compliance strategy because harmonised standards (when cited) underpin presumption of conformity for CRA essential requirements and influence how Annex III manufacturers demonstrate compliance and plan conformity assessment evidence.
The European Commission published draft guidance for feedback to assist companies applying the Cyber Resilience Act (CRA). The draft guidance addresses scope and application issues (including remote data processing solutions, free and open-source software, support periods, and interplay with other EU legislation) that can directly affect whether a product is in-scope and how CRA obligations apply. These clarifications can materially impact Annex III ‘important products’ determinations and the resulting conformity assessment route (e.g., whether third-party assessment pathways apply). The Commission opened a feedback period (consultation deadline stated as 31 March on the Commission news page).
The European Commission published draft guidance for feedback to help companies apply the Cyber Resilience Act (CRA). The draft guidance addresses topics that can directly affect interpretation and compliance planning for Annex III ‘important products’ (e.g., treatment of remote data processing solutions, free and open-source software, ‘support periods’, and interplay with other EU legislation). A public feedback period is open until 31 March 2026, which is relevant for manufacturers and other economic operators preparing Annex III-related classification and conformity assessment strategies.
The European Commission updated its official Cyber Resilience Act (CRA) implementation factpage ("Progress so far") summarizing key CRA implementation milestones relevant to Annex III (important products) categorisation and downstream obligations. The page highlights prior adoption of the implementing act on technical descriptions for important/critical product categories (Implementing Regulation (EU) 2025/2392) and provides a timeline of upcoming application dates that compliance teams track, including (as stated on the page) application of provisions on notification of Conformity Assessment Bodies (11 June 2026) and application of reporting obligations (11 September 2026). This is an official guidance/timeline update (web content), not a new legal amendment to Annex III, but it affects compliance planning and program timelines for Annex III-scoped products.
The European Commission updated its CRA standardisation page (last update shown: 12 January 2026) stating that it has adopted standardisation request M/606 (41 standards) to support compliance with the Cyber Resilience Act. The page notes that vertical/product-specific standards are prioritised for product categories in CRA Annex III (important products) and Annex IV (critical products). This update is directly relevant for Annex III ‘important products’ because harmonised standards (once developed and cited) are the main pathway to demonstrate compliance (presumption of conformity) with CRA essential requirements and to support conformity assessment planning for Annex III products subject to stricter assessment routes.
The European Commission updated its CRA ‘Conformity assessment’ guidance page (page update date shown as 12 January 2026) to reiterate that Annex III (important products) and Annex IV (critical products) are subject to stricter conformity assessment procedures than the default CRA approach and to direct stakeholders to Implementing Regulation (EU) 2025/2392 for the technical descriptions used to determine whether a product’s core functionality places it within an Annex III/IV category. This guidance is relevant for Annex III ‘additional requirements’ compliance planning because it clarifies how to use the implementing regulation to classify products and select the correct conformity assessment pathway.
The European Commission adopted Commission Implementing Regulation (EU) 2025/2392 to operationalize classification of ‘important products with digital elements’ (CRA Annex III) (and ‘critical products’ in Annex IV) by establishing technical descriptions for those categories. This directly affects Annex III compliance because classification as an Annex III ‘important product’ drives the applicable conformity assessment route (including stricter procedures for certain classes versus default self-assessment). Compliance teams should review product portfolios against the implementing regulation’s technical descriptions—focused on a product’s ‘core functionality’—to confirm Annex III applicability and the resulting conformity assessment obligations and documentation planning.
Regulation (EU) 2024/2847 (Cyber Resilience Act) is the binding baseline instrument establishing the Annex III ‘important products with digital elements’ construct and the associated additional/stricter compliance pathway (notably via conformity assessment) compared with default CRA products. For Annex III compliance, the CRA is the legal basis defining ‘important products’ and providing the Commission with powers to adopt further implementing/delegated acts that clarify or operationalize Annex III categorisation (e.g., technical descriptions later provided in Implementing Regulation (EU) 2025/2392). Compliance teams should treat this as the controlling text for Annex III obligations and track related implementing/delegated acts that refine Annex III application in practice.