Cyber Resilience Act (CRA): Regulatory Compliance Position – Customer Information

Regulatory Compliance Position regarding the Cyber Resilience Act (CRA)

In the context of the entry into force of Regulation (EU) 2024/2847, known as the Cyber Resilience Act (CRA), Leroy-Automation wishes to clarify the scope of its legal obligations towards its customers. This briefing note specifies the regulatory framework applicable to products already placed on the market before December 11, 2027 (legacy products). It strictly defines the boundary between legal information obligations and technical maintenance services, which fall exclusively within the contractual framework.

Executive Summary

Prior to December 11, 2027, the CRA compliance of products already on the market relies exclusively on Article 14. The technical requirements of Annex I are not applicable, and no obligation to correct or patch is created by the regulation.

1. General Position

LEROY Automation strictly applies the legal obligations provided for by Regulation (EU) 2024/2847, known as the “Cyber Resilience Act” (CRA), and only these obligations.
No additional obligation, particularly regarding corrections, the provision of patches, or the maintenance of existing products, shall be inferred or implied beyond the applicable regulatory text.

2. Regulatory Scope Applicable to Products Already on the Market

In accordance with the transitional provisions of the CRA (Article 69):

"Products with digital elements that have been placed on the market before 11 December 2027 shall be subject to the requirements set out in this Regulation only if, as from that date, those products are subject to substantial modifications." (Article 69, paragraph 2 – CRA)

Consequently, the substantive technical requirements set out in Annex I (ESSENTIAL CYBERSECURITY REQUIREMENTS) are not applicable to products placed on the market before December 11, 2027, in the absence of a substantial modification.

3. Specific Obligation Applicable to Legacy Products

Through Article 69, the CRA explicitly provides that:

"the obligations set out in Article 14 shall apply to all products with digital elements falling within the scope of this Regulation that have been placed on the market before 11 December 2027." (Article 69, paragraph 3 – CRA)

The sole regulatory obligation applicable to legacy products is therefore the one provided for in Article 14.

4. Nature and Exact Scope of Article 14

Article 14 of the CRA relates exclusively to reporting and information obligations, particularly in the event of an actively exploited vulnerability.
It provides, in particular, for:

"A vulnerability notification (...) any corrective or mitigating measures taken and corrective or mitigating measures users can take, where applicable." (Article 14, paragraph 2, point b – CRA)

Legal Scope:

  • Article 14 does not mandate the creation of a corrective measure.

  • Article 14 does not mandate the correction of an existing product.

  • Article 14 does not mandate the free provision of updates.

  • Article 14 exclusively governs the communication of information, where such information exists.

5. Absence of Obligation to Correct or Patch

The text of the CRA therefore creates no obligation to develop, correct, or provide patches for products placed on the market before December 11, 2027, as long as no substantial modification is carried out.
Any obligation of this type can only result from a specific contractual agreement, separate from the regulatory framework.

6. Services Outside the Regulatory Scope

Consequently, any activity going beyond the obligations strictly provided for by the CRA, including:

  • Development or provision of patches,

  • Security updates,

  • Maintenance of legacy products,

  • In-depth technical analyses,

is not required by the regulation and does not fall under CRA compliance. Such activity will be subject, where applicable, to a specific contract and dedicated billing.