The Joint Committee of the European Supervisory Authorities (ESAs) published its Annual Report 2025, which includes an update on the implementation of DORA's oversight regime for critical ICT third-party providers (CTPPs). The report describes the ESAs' work on the CTPP designation process and on oversight preparations, such as the Joint Examination Teams and oversight fee readiness. It is not a new binding rule, but as an authoritative regulator publication it shapes what financial entities and ICT vendors should expect from DORA third-party oversight, in particular for contracting, resilience testing, and supervisory engagement.
The European Commission updated its CRA implementation factpage (shown as last updated 23 April 2026). The page tracks CRA implementation deliverables and explicitly points implementers to the Commission implementing act that specifies the technical descriptions of categories of ‘important’ and ‘critical’ products with digital elements. For CRA Annex IV (critical products), this matters because the technical descriptions are used for scoping/classification decisions that drive the applicable conformity assessment route (including when third-party involvement is required).
The European Commission published a Commission Notice in the Official Journal (C/2026/1695) setting the 2026 annual Union work programme for European standardisation. The programme includes an action on cybersecurity requirements for products with digital elements linked to the Cyber Resilience Act (Regulation (EU) 2024/2847) and states that an upcoming standardisation request will complement the earlier request M/606. The Notice explicitly notes that M/606 mandates both horizontal cybersecurity standards and vertical standards for the CRA Annex III and Annex IV product categories, including Annex IV critical products. This does not amend the Annex IV categories, but it is an official implementation and standardisation signal: once the requested standards are developed and adopted as harmonised standards, they will set the route by which Annex IV critical products are likely to demonstrate conformity through the presumption of conformity.
The European Commission published a draft guidance package to assist companies in applying the Cyber Resilience Act (CRA) and opened a feedback period. Although this is not an amendment to Annex IV, the draft guidance is directly relevant to Annex IV ‘critical products’ compliance because it addresses CRA scope and obligations (including topics such as remote data processing solutions, free and open-source software, support periods, and interaction with other EU legislation), which can affect classification and compliance planning for products that may fall under Annex IV and therefore require stricter conformity assessment routes.
The European Commission published draft guidance to assist companies in applying the Cyber Resilience Act and opened it for feedback. The draft guidance addresses CRA scope and implementation topics that can materially affect Annex III ‘important products’ compliance planning, including treatment of remote data processing solutions, free and open-source software, ‘support periods’, and the interplay between the CRA and other EU legislation. The Commission’s feedback window is open until 31 March 2026.
The European Commission updated its CRA conformity assessment explainer page, reiterating that Annex IV 'critical products' require third-party conformity assessment by a notified body in all cases, meaning there is no self-assessment route. The page also points stakeholders to Implementing Regulation (EU) 2025/2392 for the technical descriptions used to determine whether a product's core functionality falls into an Annex IV category; those descriptions are a key scoping input for Annex IV compliance and for selecting the conformity assessment route.
The European Commission updated its official CRA "Conformity assessment" guidance page (last update shown on-page: 12 January 2026). The page operationalizes Annex IV (critical products) compliance by stating that use of a notified body is mandatory in all cases for critical products, and it directs stakeholders to Commission Implementing Regulation (EU) 2025/2392 for the technical descriptions of the Annex III and Annex IV product categories. This matters for Annex IV scoping because the technical descriptions, read together with the 'core functionality' concept, determine whether a product falls within a critical category; a critical classification triggers stricter conformity assessment planning, for example budgeting and timelines for notified body involvement.
The EU published Commission Implementing Regulation (EU) 2025/2392 in the Official Journal (OJ L, 1 December 2025). The implementing act sets out the technical descriptions of the categories of 'important products with digital elements' (CRA Annex III, Classes I and II) and 'critical products with digital elements' (CRA Annex IV). This is directly relevant to Annex III compliance because the clarified technical descriptions affect product classification, and classification determines the applicable conformity assessment route and the related compliance planning: whether a product falls into Annex III at all, and whether it is Class I or Class II, decides how much of the assessment the manufacturer may perform itself and when a notified body must be involved.
Commission Implementing Regulation (EU) 2025/2392 (of 28 November 2025) establishes the technical descriptions of the categories of "important" and "critical" products with digital elements under the Cyber Resilience Act (Regulation (EU) 2024/2847). For Annex IV 'critical products', these technical descriptions are central to determining whether a product's core functionality falls into an Annex IV category, which in turn drives the applicable conformity assessment route; for critical products that route requires third-party involvement by a notified body rather than manufacturer self-assessment. Compliance teams should use this implementing regulation when classifying products against Annex IV and should align their technical documentation and conformity assessment planning with the resulting classification.
The European Supervisory Authorities (ESAs) communicated the timeline and reporting approach for the designation of critical ICT third-party service providers (CTPPs) under DORA, supported by an ESA Decision and the associated data model for the DORA register of information. This affects vendor cybersecurity and data privacy in two ways: it operationalizes supervisory oversight of ICT vendors serving EU financial entities, and it drives standardized collection and reporting of ICT third-party contractual and service information, submitted through competent authorities from the regulated entities' registers of information. Vendors supporting EU financial entities should anticipate more frequent information requests, structured data expectations, and governance requirements tied to DORA third-party risk oversight.