Blog | OCT 27, 2025

Cyber Resilience Act: Information and Instructions to the User

Cybersecurity is not only a matter of firewalls, patches and secure coding. It also depends on whether people know how to handle the technology in their hands. The EU’s Cyber Resilience Act (CRA) makes this point explicit: every product with digital elements must come with clear, accessible and lasting information for its users. This obligation goes far beyond the traditional “user manual.” Under the CRA, instructions become a core security measure: they explain how a product should be installed, updated, operated and eventually decommissioned – all in a way that prevents avoidable risks. For companies, the message is clear: compliance does not stop at the development stage. Security must also be communicated – consistently, understandably and for the entire product lifecycle.

The obligation to provide information and instructions to the user is anchored in the Cyber Resilience Act (Regulation (EU) 2024/2847). It is not an optional add-on, but a legal precondition for market access: without the prescribed documentation, a product cannot be lawfully placed on the EU market.

  • Annex II defines in detail what information and instructions must be provided, from manufacturer details to update procedures and end-of-support dates.

  • Article 13 sets out the responsibilities of manufacturers, including the obligation to keep this information accessible and to provide a clear point of contact for vulnerabilities.

  • Articles 19 and 20 extend these duties to importers and distributors, who must check that the required instructions are present before a product enters or circulates on the EU market.

  • Article 31 and Annex VII establish the connection to technical documentation: the content of Annex II is not separate guidance but an integral part of the technical file that every manufacturer must prepare and maintain.

In practice, this means: no market access without instructions. User information is treated with the same legal weight as cybersecurity features themselves and becomes a binding element of compliance subject to regulatory oversight.

What Must Be Included (Annex II)

Annex II of the Cyber Resilience Act specifies in detail what information and instructions must be provided to the user. The objective is to ensure that security is not only built into products but also maintained in practice throughout their entire lifecycle.

  • Manufacturer details – name, trade name or trademark, postal and electronic address, and website, so the responsible entity can always be identified and contacted.

  • Single point of contact – a clearly designated channel for vulnerability reporting, with a disclosure policy, ensuring issues are handled responsibly and securely.

  • Product identification – clear product name, type, model and unique identifier, so it is evident which version is covered.

  • Intended purpose and security environment – explanation of the product’s functions, essential security features and expected operational context, defining safe use and limits of foreseeable misuse.

  • Known or foreseeable risks – information about circumstances that could create cyber threats, raising user awareness of potential vulnerabilities.

  • Reference to the EU Declaration of Conformity – internet address where the official compliance statement can be accessed.

  • Support conditions and end-of-support date – statement of the security support offered and the precise month/year when support will end, giving users clarity for long-term planning.

In addition, Annex II requires detailed instructions (either included directly or via an online reference) covering:

  • Necessary measures during initial commissioning and throughout the product’s lifetime to ensure secure use.

  • How changes to the product may affect data security.

  • How security-relevant updates can be installed.

  • Procedures for the secure decommissioning of the product, including safe removal of user data.

  • How the default setting for automatic installation of security updates (required under Annex I) can be turned off.

  • Where a product is intended for integration into other products, the information required by integrators to comply with Annex I (cybersecurity requirements) and Annex VI (documentation).

  • If the manufacturer decides to make a software bill of materials (SBOM) available, information on where this SBOM can be accessed.

Obligations of Manufacturers (Article 13)

For manufacturers, the CRA turns user information into a long-term compliance task. Article 13 defines not only what must be communicated, but also how it has to be managed in practice.

  • Provide instructions in durable form – Manufacturers need to decide early on whether instructions are given in paper, electronic, or both formats. In any case, the content must be clear, written in plain language, and accessible for at least ten years after market placement or for the full support period. This requires a reliable archiving and publication process.

  • Maintain a single point of contact – Companies must set up a vulnerability reporting channel that goes beyond a generic support email. It should be clearly listed in the user instructions, staffed with competent personnel, and capable of handling confidential security reports without relying solely on automated systems.

  • Communicate end-of-support clearly – The support period (month/year) has to be visible on the product or its packaging. Manufacturers should also prepare for end-of-support notifications – either via the product interface or other technical means – to warn users when updates are no longer provided.

  • Keep documentation current with internal processes – User instructions are not stand-alone material; they form part of the technical documentation file (Annex VII). This means every software update, change in risk assessment, or adjustment of support timelines must trigger an update of the instructions. To handle this consistently, manufacturers need defined internal workflows for drafting, reviewing, and publishing user information, as well as for ensuring that both regulators and users can access the latest and previous versions over the entire lifecycle.

In short: manufacturers must treat user information as a core compliance deliverable, just like security testing or vulnerability handling. Without robust processes, meeting the 10-year accessibility requirement will be difficult in practice.

Obligations of Importers and Distributors (Art. 19 & 20)

While manufacturers carry the primary responsibility, the CRA also places obligations on importers and distributors. Their role is to act as control points in the supply chain, making sure that no non-compliant products reach the EU market.

  • Importers (Article 19)

    • Must verify that the product comes with the full set of user information and instructions as required in Annex II.

    • Need to check that the instructions are provided in a language understandable in the Member State where the product will be sold.

    • Cannot place a product on the market if these requirements are missing.

  • Distributors (Article 20)

    • Must ensure that manufacturers and importers have fulfilled their obligations before making a product available.

    • This includes checking that the required user instructions are present, up to date, and accessible.

    • Are expected to act if they identify missing or incomplete documentation.

What this means in practice

Importers and distributors cannot rely solely on trust. They must implement basic compliance checks as part of their logistics and sales processes:

  • Create a checklist to confirm that Annex II information is included with every product batch.

  • Ensure that instructions are available in the correct local language(s).

  • Establish internal rules to stop distribution if required documentation is incomplete or unclear.

  • Keep a record of verification to demonstrate due diligence in case of audits or enforcement actions.

By formalising these checks, importers and distributors protect themselves from liability and help ensure that only CRA-compliant products circulate in the EU market.

Integration with Technical Documentation (Article 31 & Annex VII)

User instructions under Annex II are not separate guidance but an integral part of the technical documentation defined in Annex VII. Manufacturers must include the complete set of instructions in their technical file and keep them updated for as long as the product is supported.

Practical Implications

The obligations around user instructions may sound like formal paperwork, but in practice they have a direct impact on how companies need to organise themselves.

  • Manufacturers must think beyond product launch. They need reliable processes to draft instructions, keep them aligned with updates, and ensure that they remain accessible for at least ten years. This requires not only technical writing but also version control and long-term publishing strategies.

  • Importers and distributors act as the last line of defence before products reach the market. They must check whether instructions are complete, up to date and provided in the correct language. Without these checks, they risk liability for non-compliant products.

  • SMEs and microenterprises benefit from simplified formats for technical documentation, but when it comes to user instructions, the bar is the same as for everyone else. The challenge for smaller companies lies in producing professional documentation with limited resources.

  • Large companies face a different challenge: ensuring consistency. With wide product portfolios and long support periods, they must maintain a documentation system that can keep pace with product changes for a decade or more.

Conclusion

The Cyber Resilience Act treats user instructions as a security feature in their own right. By requiring details on support periods, update procedures, decommissioning steps and points of contact, it ensures that security is not only designed into a product but also communicated and lived throughout its lifecycle.

This can easily be seen as a burden – another set of documents to prepare and maintain. But it also opens a clear opportunity: to turn transparency into trust. When users know how to install updates, understand the limits of safe use, or receive clear notice when support ends, they are better equipped to keep products secure. And when manufacturers provide this guidance openly, they show that they take responsibility seriously.

For smaller companies, this is a chance to stand shoulder to shoulder with larger players by delivering professional, compliant documentation. For larger manufacturers, it is a way to demonstrate consistency and reliability across complex portfolios. In both cases, the outcome is the same: user instructions that meet CRA requirements not only fulfill a legal duty but also strengthen the relationship between producer and user.

In a digital market where resilience is becoming a competitive factor, treating user instructions as part of security-by-design is more than compliance. It is a way to build credibility, differentiate from competitors, and show that security is both built in – and clearly explained.
