
European Commission publishes draft CRA guidance for feedback (scope/obligations topics affecting Annex I interpretation)

EU Cyber Resilience Act (CRA) — Annex I Baseline (Essential) Requirements | European Commission | EU

Announced: Mar 3, 2026

Description

The European Commission published draft guidance to assist companies in applying the Cyber Resilience Act (Regulation (EU) 2024/2847). Although the guidance does not amend the text of Annex I, it is directly relevant to the Annex I baseline (essential) cybersecurity requirements because it clarifies the CRA scope and obligations that determine when and how those requirements apply in practice (e.g., treatment of remote data processing solutions, free and open-source software, support periods, and interplay with other EU legislation). The Commission opened a feedback (consultation) period running until 31 March 2026. Compliance teams may wish to monitor or respond to it, given potential impacts on conformity approaches and on the lifecycle and vulnerability-handling expectations tied to Annex I.
