Fundamental Definitions of the Cyber Resilience Act

The definitions for making available on the market, placing on the market, intended purpose and substantial modification are crucial for understanding the CRA. The CRA, Blue Guide and Commission guidance interpret them differently. I am trying to sort out this mess.

The CRA, Blue Guide and Commission guidance differ in their interpretation of fundamental concepts like making available on the market, placing on the market, intended purpose and substantial modification. Typically, the Blue Guide explains the terse definitions of the CRA, whereas the Commission guidance fabricates much stricter interpretations. I'm trying to guide you towards the right interpretation. My advice: If in doubt, rely on the CRA.

Making a Product Available on the Market

Article 3.22 defines the concept of making a product available on the market.

Making available on the market means the supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge.

Recitals 15-20 clarify what commercial activity means and what it does not - especially when open-source software is part of a proprietary product. This is a discussion for another post. Hereafter, we look at the ultimate commercial activities: selling and buying or, more generally, the transfer of ownership and possession.

Transfer of Ownership or Possession

Section 2.2 of the Blue Guide explains the term in more detail. Any transfer of ownership or possession like sale, loan, hire, leasing or gift is a commercial activity. Let us look at selling an agricultural machine:

  • A manufacturer (Article 3.13) produces 100 forage harvesters in Germany (a member of the EU).
  • The manufacturer sells six harvesters to a dealer of agricultural machines - the distributor (Article 3.17) - in France (another member of the EU).
  • The dealer sells one harvester to Paul, a farmer in France.

As a consequence of a commercial activity (sale), ownership is transferred twice: once from the manufacturer to the distributor and once from the distributor to the farmer (the end user). In this case, the manufacturer and distributor are legal persons, whereas the farmer may be a natural or legal person. A commercial activity happens between natural or legal persons and implies a transfer of ownership (e.g., sale, gift) or possession (e.g., leasing, rental, subscription). As the end use of the harvester by Paul takes place in an EU country, the harvester is made available on the EU market and must satisfy the CRA.

If a manufacturer had produced the harvesters in Mexico, which is not in the EU, Paul's harvester would still fall under the EU CRA. Whether the manufacturer is based in the EU or not doesn't matter. The manufacturer would sell the harvesters to an importer (Article 3.16). The importer would sell the harvesters to a distributor, which would sell one harvester to the farmer. The importer would make the harvester available on the EU market for the first time and the distributor for the second time. Of course, the importer and the distributor could be the same company.

Let us tweak the example a bit. Ali, a farmer from Tunisia, buys another harvester from the same dealer in France as Paul. He transports the harvester to Tunisia, where he will use the harvester from now on. The manufacturer or the importer would make the harvester available on the EU market. As the end use of the harvester is outside the EU, Ali's harvester is not made available on the EU market.

Any Offer for Distribution or Use

Section 2.2 of the Blue Guide introduces another criterion for a product being placed on the market: any offer for distribution or use.

Such supply includes any offer for distribution [...] or use on the Union market which could result in actual supply in relation to products already manufactured (e.g. an invitation to purchase, advertising campaigns).

The offer for distribution or use happens after the product was manufactured and before ownership or possession of the product is transferred. After advertising its new models on its website and at trade fairs, our manufacturer receives orders for its harvesters. Then, it produces the ordered harvesters and some more for late buyers in several production runs. The harvesters stand in the manufacturer's parking lot waiting for collection and delivery to their new owners.

The Blue Guide regards the harvesters as made available on the market as soon as they stand in the parking lot. Example 3 in Section 2.12 (Summary Examples) of the Blue Guide confirms this interpretation. In this example, the manufactured products are moved to a "distribution branch", which takes care of the delivery. The distribution branch can just be a different department in the company. It doesn't have to be a legal entity of its own.

The concept of offer for distribution or use cannot be found in the CRA. The Blue Guide is an interpretation of the law, but it is not the law. Hence, manufacturers and courts are free to come up with their own interpretation - and they will.

👉 Prefer transfer of ownership or possession over offer for distribution or use. Transfer of ownership, possession or other rights is part of any commercial activity and occurs after an offer for distribution or use anyway.

Application to Each Individual Product Instance

Making a harvester available on the market is a per-harvester decision and applies to an individual harvester. It does not apply to all harvesters of the same model or to a production batch of harvesters. The Blue Guide states tersely: "The concept of making available refers to each individual product."

Placing a Product on the Market

Article 3.21 defines the concept of placing a product on the market.

Placing on the market means the first making available of a product with digital elements on the Union market.

One product can be made available on the market multiple times. In our example above, the manufacturer or the importer makes the harvesters available on the Union market for the first time when it sells harvesters to the dealer. The dealer makes the harvester available on the Union market a second time when it sells the harvester to Paul.

Placing on the market denotes the first time a product is made available on the market. It is normally done by the manufacturer or the importer. Paul's harvester is placed on the EU market when the manufacturer or its importer sells the harvester to the dealer. The date for placing Paul's harvester on the market does not change, no matter how often it changes its owner. The date for placing a product on the market marks the start of the support period.

In contrast, Ali uses his harvester outside the EU. Therefore, his harvester is not placed on the EU market and the support period doesn't start.

As placing on the market applies to each harvester instance individually, the placed-on-the-market date differs from harvester to harvester. The manufacturer sells three harvesters of the same model on 11 May 2028, 20 February 2029 and 6 July 2030. The dates of sale are the placed-on-the-market dates. Even if the three harvesters have identical hardware and software BoMs, that is, if they are identical, they have different placed-on-the-market dates. This is true when we apply transfer of ownership.

If we applied offer for distribution or use, identical harvesters from the same production run would have earlier, and maybe even identical, placed-on-the-market dates. The placed-on-the-market date would be the date when the manufacturer moves the harvesters from the production line to the parking lot. The three harvesters could be placed on the market in the period from 11 to 25 May 2028. Their support periods would end 1-2 years earlier, simplifying supply chain management for the manufacturer.

The Commission guidance on the CRA does exactly this for standalone software (§14). A version of the software is offered for distribution or use when the manufacturer makes it available on a server for purchase and download. Each copy of this version has the same placed-on-the-market date: the date when the version was uploaded to the server.

So far, the Commission's argument is OK, although its exclusive focus on standalone software felt a bit strange. The feeling was justified. The Commission goes bonkers (§16) and explicitly forbids the application of the offer for distribution or use to "combinations of hardware and software", better known as embedded systems. If the standalone software is delivered on a USB drive, it is considered a hardware-software combination and the placed-on-the-market date must be determined by transfer of ownership. Ridiculous! To be crystal clear:

The Commission guidance forbids the application of the offer for distribution or use to embedded systems. Even identical machines from the same production run must have different placed-on-the-market dates.

The Commission Guidance contradicts the interpretation of the Blue Guide. I can't find any legal basis in the CRA for favouring standalone software over all other products with digital elements. You can find a deep analysis of this discrepancy in my newsletter No. 71: Commission Guidance on the CRA - Placing on the Market.

A manufacturer can work around the misguidance of the Commission using transfer of ownership. It creates a separate legal entity - the distributor - responsible for distributing the machines. The manufacturer transfers ownership or possession of the machines to the distributor. The date of the transfer is the date when the machines are placed on the market. A batch of machines manufactured together has the same placed-on-the-market date, which is a lot earlier than the date per machine instance.

Intended Purpose

Article 3.23 defines the intended purpose of a product (emphasis and structure mine).

Intended purpose means the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified

  • in the information supplied by the manufacturer in the instructions for use,
  • [in] promotional or sales materials and statements, as well as
  • in the technical documentation.

Let us illustrate the definition with an example. When a manufacturer set out to build a maize harvester, the intended purpose was, well, to cut maize as silage fodder. After some years, they figured out that the harvester could pick up grass just by providing a different front implement. The "specific context and conditions of use" change:

  • grass instead of maize,
  • picking up instead of cutting, and
  • multiple harvests from spring to autumn instead of a single harvest in autumn.

The original implement for maize cuts the plants in many small pieces. Some years later, the manufacturer introduces an implement for cutting the whole plant just above the ground. This new implement leaves the intended purpose unchanged: cutting maize for silage fodder.

A change of the intended purpose implies a substantial modification, which triggers an update of the CRA conformity assessment.

Substantial Modification

Clarifying the CRA Definition

Article 3.30 defines substantial modification as follows (emphasis and structure mine):

Substantial modification means a change to the product with digital elements following its placing on the market,

  • which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I, or
  • which results in a modification to the intended purpose for which the product with digital elements has been assessed.

In plain language: A manufacturer substantially modifies a product,

Of course, the manufacturer must make the substantially modified product available on the market. Using the product only in-house is irrelevant for the CRA.

We have seen an example of changing the intended purpose for the maize harvester. The original purpose is to cut maize for silage fodder. When the manufacturer adds the implement to pick up grass, the intended purpose changes. And changing the intended purpose modifies the product substantially.

You have probably noticed that I replaced the vague "affects the compliance" with the more specific "increases the risk". This is in line with Recital 39, which does the same. Recital 39 uses nearly the same wording as the Blue Guide (Section "2.1 Product Coverage: Software"). Both expand on the definition of Article 3.30. Here is the version of Recital 39.

[A product] should be considered to be substantially modified by a software change

  • where the software update modifies the intended purpose of that product and those changes were not foreseen by the manufacturer in the initial risk assessment, or
  • where the nature of the hazard has changed or the level of cybersecurity risk has increased because of the software update.

Modifying the intended purpose only leads to a substantial modification if the manufacturer didn't foresee this change when it placed the machine on the market. Did the manufacturer foresee that its maize harvester could also pick up grass? Most likely, it didn't.

The chance that we can foresee a change of the intended purpose in three, five or ten years is vanishingly low. Purpose changes are the result of learning over time how we could extend or adapt our business. It's rarely something we can foresee. Even if we could, it wouldn't be enough to document the risks in the technical documentation. We would have to implement the necessary security measures and prove that we did (see Annex VII.6) - when we placed the product on the market.

The phrase "the nature of the hazard has changed" has the same problem as the phrase "affects the compliance": It doesn't convey whether the risk increases or decreases. Note that hazard is synonymous with threat or risk. We can simply drop the first half of the second condition.

Feature Updates Imply Substantial Modifications

Let me be precise: Feature updates almost always imply substantial modifications. This is a consequence of the CRA setting a very low bar for substantial modifications. Recital 39 states that "the addition of new features typically leads to a broader attack surface, thereby increasing the cybersecurity risk". The example given is an input field with missing or inadequate validation.

This is an extremely low bar! Let us compare that with the reality of a driver terminal of a construction machine. The terminal runs its HMI applications on embedded Linux. In a month, it sees thousands of changes for its 150+ third-party packages in addition to the changes in the manufacturer's software. The terminal is just one of roughly 10 ECUs under the control of the manufacturer. The sum of all changes is huge and grows rapidly every month.

Update intervals for embedded systems are measured in months, not in weeks, days or hours. Every month would be short, every three or six months more typical, and once a year not unusual. This is a flood of new features, bug fixes and security fixes, and certainly a significant broadening of the attack surface according to Recital 39.

Consequences of Substantial Modifications

The CRA mentions two consequences of substantial modifications. The first consequence comes from Recital 41.

[...] where a substantial modification occurs [...], it is appropriate that the compliance of the product is verified and that, where applicable, [the product] undergoes a new conformity assessment.

If a product is substantially modified, the manufacturer must update the conformity assessment including, of course, the risk assessment of the essential product properties. According to Recital 42, refactorings, maintenance changes and bug fixes are not necessarily substantial modifications. As we saw in the section Feature Updates Imply Substantial Modifications, it can be difficult to keep non-substantial and substantial modifications apart.

The second consequence comes from Article 69.2 and refers to products placed on the market before 11 December 2027.

Products with digital elements that have been placed on the market before 11 December 2027 shall be subject to the requirements set out in this Regulation only if, from that date, those products are subject to a substantial modification.

If a manufacturer substantially modifies a product after 11 December 2027, it must put the product through full CRA compliance - no matter whether the product was placed on the market before or after 11 December 2027. For products placed on the market after 11 December 2027, this is OK. For products placed on the market before that date, it is most likely a violation of the non-retroactivity of law as I argued in my newsletter.

The Blue Guide (Section 2.10 Transitional periods in the case of new or revised EU rules) acknowledges the non-retroactivity of law: Law must not be applied retroactively. The Blue Guide allows a retroactive application of legislation like the CRA only "if this is deemed necessary for safety reasons or other objectives of the legislation".

Mentioning safety makes it clear that only very serious reasons can override existing law. As the non-retroactivity of law is a constitutional right, only a constitutional right ranked higher can override it. Examples are threats against the health or safety of persons, against constitutional rights or against critical infrastructure. Article 57.1 uses these threats to demand additional security measures for products that satisfy the CRA. Article 69.2 should use these threats instead of substantial modification as the trigger to force pre-CRA products under full CRA compliance. Unfortunately, it will be up to the courts to put some sense into Article 69.2.

Remember: Recital 41 and Article 69.2 are the only two places in the CRA mentioning consequences of substantial modifications. This doesn't prevent the Commission guidance from fabricating a third consequence in paragraph 107.

The act of making the substantially modified product available on the market constitutes a new placing on the market.

Substantially modifying a product triggers a new placing on the market, which triggers a restart of the support period, which triggers a reevaluation of the length of the support period, which triggers a change of the CE declaration and of several other places in the technical documentation - in addition to updating the risk assessment of the essential product properties.

Restarting the support period with almost every feature update leads to extremely long support periods. As I show in my newsletter No. 72: Commission Guidance on the CRA - Infinite Support Periods, the original support period of 15 years for a harvester can easily double. To prevent this, the manufacturer can try to justify a shorter remaining support period at every restart and might bring down the support period to 20-25 years instead of 30 years. This is a lot of extra documentation effort but doesn't improve the security of the product.

The Commission guidance is still a draft. Let us hope that the Commission sees reason and removes paragraph 107 from its guidance. If not, we have the CRA - the actual law - on our side. And the CRA clearly disagrees with the guidance.
