The European Commission updated its “Cyber Resilience Act – Implementation” fact page (last update shown as 4 March 2026). The page is an official implementation tracker listing adopted and planned secondary instruments and milestones (implementing/delegated acts, guidance, and standardisation deliverables). Although it does not amend Annex I baseline requirements, it is directly relevant for Annex I compliance planning because it signals when and how the CRA’s essential requirements may be supported by guidance, standards, and presumption-of-conformity mechanisms. Compliance teams should monitor these milestones to align product security engineering, technical documentation, and conformity assessment planning with forthcoming implementation supports.
The European Commission updated its official Cyber Resilience Act (CRA) implementation factpage (last update shown as 4 March 2026). The page points stakeholders to a Better Regulation “Have your say” initiative for draft Commission guidance on the CRA. While this does not amend Annex I text, the consultation and resulting guidance may materially affect how manufacturers interpret and operationalise the Annex I essential (baseline) cybersecurity requirements (e.g., evidence expectations for risk assessment, secure-by-default practices, and vulnerability handling processes). Compliance teams should monitor the consultation and be prepared to adjust Annex I conformity arguments and documentation once guidance is finalised.
The European Commission published draft guidance to assist companies in applying the Cyber Resilience Act (Regulation (EU) 2024/2847). Although the guidance does not amend Annex I text, it is directly relevant to Annex I baseline/essential cybersecurity requirements because it clarifies CRA scope and obligations that determine when/how Annex I requirements apply in practice (e.g., treatment of remote data processing solutions, free and open-source software, support periods, and interplay with other EU legislation). The Commission opened a feedback/consultation period running until 31 March 2026, which compliance teams may wish to monitor and/or respond to given potential impacts on conformity approaches and lifecycle/vulnerability-handling expectations tied to Annex I.
The European Commission published draft guidance on applying the Cyber Resilience Act (CRA) in practice and opened it for stakeholder feedback. Although this is not an amendment to CRA Annex I, it is directly relevant to Annex I baseline/essential cybersecurity requirements because it is intended to clarify how CRA obligations should be interpreted and operationalized (e.g., scope/definitions, support periods, treatment of free and open-source software, remote data processing solutions, and interplay with other EU legislation). Compliance teams should review the draft and submit feedback during the consultation window, as the final guidance could materially affect how conformity with Annex I requirements is demonstrated in design controls, vulnerability handling processes, and technical documentation.
The European Commission updated its CRA implementation factpage (last update shown: 20 February 2026). The page summarizes staged application milestones that drive readiness planning for Annex I essential requirements (baseline cybersecurity and vulnerability-handling requirements) and points to related secondary measures (including the implementing act on technical descriptions for important/critical product categories and a delegated act related to CSIRT withholding/delayed dissemination via the reporting ecosystem). While this does not amend Annex I text, it is an authoritative implementation update used for compliance program planning (e.g., resourcing, conformity assessment strategy, and reporting preparedness aligned with Annex I obligations).
The European Commission updated its official CRA “Reporting obligations” page (last update shown: 16 February 2026). The update provides operational details that compliance teams can use to implement vulnerability-handling and reporting processes linked to CRA Annex I Part II (vulnerability handling), including: (1) reporting applicability date for actively exploited vulnerabilities and severe incidents (stated as applying as of 11 September 2026); (2) expected notification sequencing/timelines (early warning within 24 hours; full notification within 72 hours); and (3) final report timing (≤14 days after a corrective measure is available for actively exploited vulnerabilities; within a month for severe incidents). The page also points to an EU delegated act adopted on 11 December 2025 related to circumstances under which CSIRTs may delay dissemination, which is relevant for organizations designing reporting workflows via the Single Reporting Platform ecosystem. This is not an Annex I text amendment, but an authoritative Commission implementation/guidance update affecting how Annex I-linked processes are operationalized.
The European Commission updated its CRA “Reporting obligations” policy page (last update shown as 16 February 2026). While not amending Annex I text, the page provides official, practical clarification of CRA reporting mechanics tied to vulnerability handling (closely linked to Annex I baseline/essential requirements around vulnerability handling and lifecycle security). It summarizes expected reporting timelines (e.g., early warning within 24 hours, notification within 72 hours, and final report deadlines) and references the Single Reporting Platform (SRP) framework and related delegated act context for CSIRTs withholding notifications. Compliance teams can use this as an authoritative reference for setting up incident/vulnerability reporting processes aligned with CRA expectations.
The European Commission updated its official CRA “Conformity assessment” page (last update shown: 12 January 2026). The page provides implementation guidance relevant to demonstrating compliance with CRA Annex I essential cybersecurity requirements by clarifying conformity assessment routes (including when self-assessment may apply versus when involvement of notified bodies is required for important/critical product categories). It also links to the CRA’s annexes on EUR-Lex and references the implementing regulation on technical descriptions of important/critical product categories, which influences which conformity assessment procedures apply—thereby affecting how Annex I baseline requirements are assessed and evidenced in technical documentation.
The European Commission updated its CRA summary page (last update shown: 3 December 2025). The page reiterates CRA staged application dates and explains how manufacturers must evidence compliance with the Annex I essential cybersecurity requirements (baseline requirements) through risk assessment, technical documentation, and conformity assessment. This Commission-maintained summary supports compliance interpretation and program planning but does not change the legal text of Annex I.
ENISA published a “Cyber Resilience Act Requirements Standards Mapping” document mapping CRA requirements to relevant standards. Although non-binding and not an amendment to CRA Annex I, the mapping is directly relevant to implementing and evidencing conformity with Annex I essential cybersecurity requirements by helping manufacturers and compliance teams identify applicable standards and where they support Annex I controls (e.g., security updates, vulnerability handling, and baseline product security measures).
Regulation (EU) 2024/2847 (Cyber Resilience Act) is available on EUR-Lex as the authoritative legal text, including Annex I essential/baseline cybersecurity requirements for products with digital elements. This provides the controlling baseline for Annex I compliance mapping, technical documentation, and conformity assessment preparation. (No recent amendment to Annex I itself is identified in the provided research; this entry captures the binding act as the source-of-truth reference surfaced in the official-source review.)