How the CRA Forces Us to Rethink Substantial Modification

Substantial modification is a key concept in European product legislation. In essence, when a product is substantially modified, it is traditionally treated as a new product. As a result, a new set of manufacturer obligations is triggered, and the entity performing the substantial modification becomes the manufacturer for regulatory purposes.

Historically, this notion functioned reasonably well. However, the increasing complexity of modern products, especially software-driven and cloud-connected systems, combined with the extensive post-market obligations introduced by the Cyber Resilience Act (CRA), raises the question whether the traditional interpretation remains appropriate.

This article first examines how the CRA forces us to revisit the classical doctrine, and then turns to the concept’s roots in the EU’s New Legislative Framework (NLF) to explain why this tension arises.

Substantial modification under the CRA #

The CRA defines substantial modification as follows:

Article 3 CRA: Definitions

‘substantial modification’ means a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed.

The term is then used in three articles:

• Article 21 CRA states that when importers or distributors substantially modify a product, they are considered to be a manufacturer.

• Article 22 CRA states that when “a natural or legal person, other than the manufacturer, the importer or the distributor” substantially modifies a product, they are considered to be a manufacturer. It also states that if only part of the product is affected by the substantial modification, then that person is only responsible for the modified part of the product.

• Article 69 CRA states that products placed on the market before 11 December 2027 are subject to the CRA only if they are substantially modified after the CRA’s entry into effect. Although it is somewhat unusual for this to be stated explicitly (as this is generally implicit in EU product legislation), the main function of this provision is likely to enable the exception that follows it: namely, that the CRA’s reporting obligations apply to all products within its scope, regardless of when they were placed on the market.

At first sight, these provisions appear sensible. However, given the expansive definition of the term “substantial modification”, combined with the very broad nature of the CRA’s essential requirements, it becomes clear that a very wide range of changes may qualify as substantial modifications. This is confirmed by Recital 39 CRA, which explicitly states that software updates can qualify as substantial modifications, and continues by stating:

Recital 39 CRA:

A minor functionality update, such as a visual enhancement or the addition of new pictograms or languages to the user interface, should not generally be considered to be a substantial modification.

Conversely, where a feature update modifies the original intended functions or the type or performance of a product with digital elements and meets the above criteria, it should be considered to be a substantial modification, as the addition of new features typically leads to a broader attack surface, thereby increasing the cybersecurity risk. For example, this could be the case where a new input element is added to an application, requiring the manufacturer to ensure adequate input validation.

Although Commission guidance on substantial modification under the CRA is still outstanding,¹ this recital suggests a very low bar.

Moreover, upon closer examination, various aspects surrounding substantial modification in the CRA raise questions and do not seem entirely coherent. We will explore these aspects below.

The CRA is only partially explicit about substantial modification #

In older product law practice, substantial modification is typically understood as a reset point. The substantially modified product is treated as a new product, and the first making available on the market of that modified product is treated as a new placing on the market.

Historically, the concept of substantial modification was not codified. However, with the CRA, we find ourselves in a somewhat peculiar position. While several mechanisms relating to substantial modification are explicitly codified, the foundational premise, namely, that a substantial modification results in a “new product” and therefore leads to a new placing on the market, is not expressly stated.

Furthermore, the CRA explicitly regulates substantial modification related obligations for importers and distributors (Article 21), as well as for “natural or legal persons, other than the manufacturer, the importer or the distributor” (Article 22). Conspicuously absent from this enumeration is the original manufacturer.

This omission raises a fundamental interpretative question: was this exclusion deliberate, implying that the concept of substantial modification is not intended to apply to a product’s original manufacturer, or was it inadvertent, leaving manufacturers subject to the historic, implicit doctrine developed under earlier product legislation?

The issue becomes even more significant when considered in light of the CRA’s introduction of the support period.

Substantial modification and the support period #

The CRA is the first piece of EU product legislation that introduces a support period, thereby placing significant post-market obligations on manufacturers. Pursuant to Article 13 CRA, manufacturers are under a continuous obligation, throughout the support period, to ensure that products remain in conformity with the essential cybersecurity requirements. They must also keep the technical documentation up to date.

Because support period obligations apply irrespective of whether a substantial modification takes place, substantial modification does not, in itself, create a new layer of compliance obligations if it occurs during the support period. At first sight, this significantly reduces the relevance of the substantial modification with respect to the original product manufacturer.

However, under the classical interpretation, a substantially modified product is considered a new product. Its first making available on the market therefore constitutes a new placing on the market. If this logic applies, then under Article 13 CRA, a manufacturer that substantially modifies a product must determine a new support period. That support period must last at least five years. In practical terms, each substantial modification would reset the clock on manufacturer obligations, and the manufacturer would be required to provide at least another five years of support for the modified product.

This is where the CRA forces a rethink. In a software-driven lifecycle, significant changes are prevalent. If each such change is treated as a fresh placing on the market, then support obligations risk compounding excessively, even where the regulatory goal is already achieved through continuous Article 13 duties.

Consider, for example, an Android smartphone. Under the CRA, a software update to a new major Android version would likely qualify as a substantial modification and would therefore trigger a new five-year security support period for the entire phone.² This outcome appears disproportionate and may incentivise manufacturers to refrain from providing functionality updates, thereby accelerating (planned) obsolescence.

At the same time, the 2023 Ecodesign Requirements for Smartphones explicitly require manufacturers to provide operating system updates for at least five years after the production of a specific phone model has ceased. The combined effect of these laws may therefore create unhealthy legislative interplay: one framework incentivising restraint in feature updates, while another mandates their provision. Without careful interpretation, this tension risks undermining both cybersecurity and sustainability objectives.

Substantial modification and software updates #

Under the classical notion of substantial modification, the entity that performs the substantial modification assumes the responsibilities of the manufacturer. In the context of software updates, however, identifying that entity is not always straightforward. Consider the following scenarios and determine who the entity was that made the substantial modification in each case.

1. A manufacturer pushes an update to a product, and that update is automatically installed.
2. A manufacturer pushes an update to a product, and that update is installed after the user agreed to it.
3. A manufacturer places an updated product firmware on its webpage, which a user downloads and installs.
4. A manufacturer places an updated product firmware on its webpage with a notice stating that this update is not intended for products sold before 2027-12-11, a user who bought their product on 2027-12-10 downloads and installs the software update.
5. A manufacturer sells a laptop with a preinstalled commercial operating system (OS). The OS vendor releases an update without informing the laptop’s manufacturer. The update is automatically installed.
6. A manufacturer sells a laptop with a preinstalled free and open source (FOSS) application on it. The FOSS vendor releases an update without informing the laptop’s manufacturer. The update is automatically installed.

Although this attribution problem is not unique to the CRA, the CRA makes it particularly visible. Its horizontal structure and its specific focus on products with digital elements bring software-driven modifications to the centre of product regulation. As a result, questions about who performs a substantial modification, and therefore who assumes manufacturer responsibilities, become both more frequent and more difficult to answer.

Substantial modification and RDPS #

The CRA explicitly includes remote data processing solutions (RDPS) within the definition of products with digital elements. Consequently, a modification made to a remote data processing solution can also qualify as a substantial modification. Combined with the CRA’s broad definition of substantial modification, it is likely that the following modifications would be considered substantial (and would thus trigger at least 5 years of product support):

1. Migrating an RDPS to another cloud provider
2. Migrating an RDPS to another database solution
3. Upgrading the OS of a server hosting an RDPS
4. Updating a companion app to support a new Android version

These examples are intentionally mundane. They are common maintenance operations, and will likely go unnoticed by the product’s user. Yet they are also precisely the kind of changes that, under a broad substantial modification definition, can easily be argued to affect compliance with essential cybersecurity requirements.

Substantial modification and placing on the market #

CRA obligations are tied to making products available on the market. More specifically, Article 13 CRA states that manufacturer obligations apply “when placing a product with digital elements on the market”. It also states that the support period starts at the placing on the market.

Article 3 CRA defines “placing on the market” as the first making “available” on the market, and defines the latter as:

Article 3 CRA: Definitions

‘making available on the market’ means the supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;

This definition is coherent with the latest Blue Guide (2022).

However, with respect to software updates, there is significant room for interpretation. Does publishing an update amount to a new making available of the product? And if so, does this concern the entire product or only the part that is modified? The answer may depend on the update distribution model and is particularly complex for embedded products, where software is only a component of the product, not the product itself.

If an update automatically implies the making available of the product, then an update that performs a substantial modification to a product automatically implies a placing on the market, and new manufacturer obligations apply.

If not, further questions arise. Consider the following scenario:

1. A commercial user buys a product
2. The user installs an update provided by the manufacturer. The update includes a substantial modification, but the update does not imply a making available on the market.
3. The user later resells the product.

Now consider the following questions:

• Does the resale constitute a placing on the market of the substantially modified product?
• If yes, who is the new manufacturer? Is it the commercial user or the original manufacturer?
• If the original manufacturer is also the manufacturer of the new product, can Article 13 CRA apply even though the placing on the market is done by another economic operator?
• If yes, when does the support period start?³

Similar questions arise for substantial modifications to remote data processing solutions.

Particular care must be taken when applying case law or guidance to these questions, as some NLF legislation, particularly the 2006 Machinery Directive and 2023 Machinery Regulation, do not only apply when making a product available on the market, but also when putting it into service. This is not the case for the CRA.

Explaining the tension: a historic view on substantial modification #

Although the first explicit mention of substantial modification in EU product law dates back only to 2023, it has long been an established concept within EU product law. The original 2000 edition of the Blue Guide⁴ on product regulation already stated:

A product, which has been subject to important changes that aim to modify its original performance, purpose or type after it has been put into service, may be considered as a new product. This has to be assessed on a case-by-case basis and, in particular, in view of the objective of the directive and the type of products covered by the directive in question.

(…)

The responsibility of the manufacturer is placed on any person who changes the intended use of a product in such a way that different essential requirements will become applicable, or substantially modifies or re-builds a product (thus creating a new product), with a view to placing it on the Community market.

Notably, the 2000 edition of the Blue Guide used terminology inconsistently, referring both to “important changes” and to “substantial modification” without clearly distinguishing between the two.

Over time, EU product legislation has become increasingly explicit in defining the obligations applicable to each economic operator and in clarifying when responsibilities shift; particularly in situations involving product modification. The evolution from broad, interpretative guidance toward more precise legal definitions is in line with broader trends seen in how the EU market operates.

The gradual development of obligations is outlined below.

Early directives #

Early product directives, such as the 1973 Low Voltage Directive, contained only high-level safety requirements. They did not clearly allocate obligations among economic operators. For example, the 1973 Low Voltage Directive simply stated that “The Member States shall take all appropriate measures to ensure that electrical equipment may be placed on the market only if, (…) it does not endanger the safety of persons (…)”.

Pre-NLF directives #

Later directives became more explicit. For example, the 2006 Machinery Directive clearly assigned obligations to the manufacturer.

Article 5 Machinery Directive: Placing on the market and putting into service

Before placing machinery on the market and/or putting it into service, the manufacturer or his authorised representative shall: (a) ensure that it satisfies the relevant essential health and safety requirements set out in Annex I; (…)

It also explicitly states that in the absence of a manufacturer “any natural or legal person who places on the market or puts into service machinery or partly completed machinery covered by this Directive shall be considered a manufacturer.”

Hence, responsibility allocation became clearer, but substantial modification was still implicit.

The introduction of the NLF #

With the 2008 NLF decision, the EU introduced reusable model provisions explicitly specifying the obligations of manufacturers, importers, and distributors.

It also includes the following snippet about the concept of substantial modification:

Article R6: Cases in which obligations of manufacturers apply to importers and distributors

An importer or distributor shall be considered a manufacturer for the purposes of this … [act] and he shall be subject to the obligations of the manufacturer under Article [R2], where he places a product on the market under his name or trademark or modifies a product already placed on the market in such a way that compliance with the applicable requirements may be affected.

This was the first systematic codification of the concept of substantial modification as a trigger for manufacturer obligations. However, we note that the term substantial modification itself was not yet used explicitly.

Early NLF legislation uses the Article R6 template extensively. Over time we see only minor variations to the original text from the 2008 decision.⁵

Late NLF legislation #

From 2017 onwards, product legislation began diverging more substantially from the Article R6 template. For example, the 2017 medical device regulation (MDR) and in vitro device regulation (IVDR) include much longer provisions specifying when manufacturer obligations shift. The MDR and IVDR are also the first pieces of product legislation that state that manufacturer obligations can also apply to entities different from importers or distributors.

We see similar extensive provisions in the 2023 Battery Regulation, the 2023 Machinery Regulation, the 2024 Cyber Resilience Act, and the 2025 Packaging Regulation.

Substantial modification as an explicit term #

The first explicit definition of the term substantial modification is found in the 2023 Machinery Regulation. Since then, the term has been defined in both the AI Act (2024) and the CRA (2024).

In the Machinery Regulation, the term is defined as follows:

Article 3 Machinery Regulation: Definitions

‘substantial modification’ means a modification of machinery or a related product, by physical or digital means after that machinery or related product has been placed on the market or put into service, which is not foreseen or planned by the manufacturer, and which affects the safety of that machinery or related product, by creating a new hazard, or by increasing an existing risk, which requires:

(a) the addition of guards or protective devices to that machinery or related product the processing of which necessitates the modification of the existing safety control system; or

(b) the adoption of additional protective measures to ensure the stability or mechanical strength of that machinery or related product;

The term is then used in the Article 18: Other cases in which obligations of manufacturers apply, which states that

1. a natural or legal person that carries out a substantial modification shall be considered to be a manufacturer for the parts of machinery that are affected by the substantial modification;
2. that the person carrying out the change must redo the conformity assessment procedure; and
3. provides a carve-out for non-professional users that modify their own machinery.

The final exemption is necessary because the Machinery Regulation also applies to machinery that is not placed on the market.

The Article 18 provisions are generally well-aligned with the interpretation that a substantially modified product is effectively a new product, and therefore its conformity must be reassessed. However, for the first time they also introduce the notion that new manufacturer obligations might apply only to a subset of a product.

Lack of uniformity #

As we discussed above, since 2017, individual pieces of EU product legislation have started to deviate from the NLF template regarding substantial modification.

As each piece of NLF-based product legislation is effectively independent, that means that the specificities of substantial modification under these various pieces of legislation cannot simply be generalized.⁶ Therefore, blanket statements, such as “a modification is substantial if it was not foreseen in the risk assessment”, are unsafe. Each act must be interpreted on its own terms.

In fact, looking at the definitions of substantial modification under the CRA and the machinery regulation (see above) we already see discrepancies. That is, under the Machinery Regulation, a substantial modification must be “not foreseen or planned by the manufacturer”, whereas under the CRA there is no such requirement.

It is also questionable to which extent the guidance on substantial modification in the latest Blue Guide (2022) is applicable to more recent directives, as the 2022 Blue Guide predates the first explicit codification of the term. For example, the CRA definition of substantial modification states that modifications “which affect the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose (…)” must be considered as substantial, whereas the 2022 Blue Guide contradicts the CRA in that it states that:

2022 Blue Guide, Section 2.1 Repairs and modifications to products

A product, which has been subject to important changes or overhaul after it has been put into service must be considered as a new product if: i) its original performance, purpose or type is modified, without this being foreseen in the initial risk assessment; ii) the nature of the hazard has changed or the level of risk has increased in relation to the relevant Union harmonisation legislation; and iii) the product is made available (…)

Notably, the use of the conjunction “and” before the third criterion indicates that these conditions are cumulative. This diverges from the CRA’s non-cumulative definition, thereby giving rise to a clear discrepancy between the 2022 Blue Guide and the CRA.

Moreover, discrepancies between different acts or guidance are not limited only to definitions. For example, Article 18 Machinery Regulation does not include the same exclusion of the original manufacturer as we see it in Article 22 CRA. As the CRA was published after the Machinery Regulation, one could reasonably assume that this is intentional.

Conclusion #

As we demonstrated above, the concept of substantial modification is incrementally being formalized. However, under the CRA it remains structurally incomplete.

Three dynamics collide:

1. The legislative template continues to evolve, but does not yet fully reflect modern digital supply chains.
2. The CRA’s support period overlaps with and amplifies the effects of substantial modification.
3. The CRA’s horizontal scope captures highly complex lifecycle realities.

Traditionally, substantial modification implied a new product, leading to a new placing on the market. This in turn leads to a new conformity assessment. We see that in the Machinery Regulation, this notion is already weakened to the point that manufacturer obligations (including conformity assessment) can be limited to a subset of the product.

Given the extensive post-market obligations introduced by the CRA, the concept of substantial modification requires further refinement. In particular, it should allow for situations in which a product can be substantially modified without automatically triggering a new support period.

Under Article 13 CRA, manufacturers are already obliged to ensure that products remain in conformity throughout the original support period. They must maintain compliance with the essential cybersecurity requirements and keep the technical documentation up to date. Where a substantial modification is carried out during that period, these ongoing obligations already capture much of the regulatory concern.

An interpretation that distinguishes between (i) modifications that genuinely amount to a new product and (ii) significant updates within the lifecycle of an existing product would therefore enhance proportionality. It would prevent every substantial modification from automatically “resetting the clock” and reduce the incentives for planned obsolescence, while still safeguarding the objectives of the CRA.

Such a refined approach would better align the doctrine of substantial modification with the CRA’s lifecycle-based compliance model and avoid imposing disproportionate support-period extensions.