Thomas Cutuil
DDADUE Article 32: ANFR to be designated as France's CRA authority (Featured)
Tags: ANFR, CRA, Compliance, Market control, DDADUE

The DDADUE bill, adopted by the Senate under accelerated procedure, formally designates ANFR as France's market surveillance authority for the CRA. Article 32 inserts a new I quinquies into Article L.43 of the CPCE, sets out the formal notice (mise en demeure) → fine sequence, and codifies the three CRA sanction tiers (up to €15M or 2.5% of worldwide turnover). Two points deserve particular attention: trade secrets are not opposable to ANFR in CRA investigations, and the entry into force is split, with the ANFR mission starting on 11 September 2026 and the sanctions regime on 11 December 2027.

 1 May 2026  6 min
The RED cyber DA is repealed: the CRA takes over on 11 December 2027 (Featured)
Tags: CRA, CE compliance, Cybersecurity, RED Directive, EN 18031

Commission Delegated Regulation (EU) 2026/339, published in the Official Journal on 29 April 2026, repeals Delegated Regulation (EU) 2022/30 with effect from 11 December 2027, the date of full CRA application. There will be no regulatory double-obligation: radio equipment manufacturers who have been working toward EN 18031 compliance since August 2025 are covered until that date, and the CRA takes over exclusively. What the repeal resolves, what it does not, and how to sequence the transition.

 1 May 2026  6 min
CRA market surveillance: the ANFR perspective (Featured)
Tags: ANFR, Article 14, CRA, CE compliance, Market control, Due diligence

For manufacturers of connected radio products, the authority that matters for both the RED directive and the CRA is ANFR, not DGCCRF. Both regulations are enforced by the same small team of inspectors, operating with a resource constraint that shapes enforcement into a model of exemplary cases. Article 14 creates an investigation channel that did not exist before: a manufacturer who notifies a vulnerability becomes visible to ANFR; one who does not becomes exposed when the flaw becomes public. What ANFR looks for in a CRA technical file, what triggers a control, and why the CRA sanction regime changes the risk calculus for investors.

 30 April 2026  12 min
DGCCRF and CE marking compliance: the inspector's method
Tags: CE compliance, DGCCRF, Machinery Directive, Technical file, Market surveillance

A DGCCRF inspection does not begin with the technical file: it begins with the visible elements of the product on the shelf. The funnel method, the company maturity assessment, the test report reading grid and the administrative follow-up sequence constitute a framework that a manufacturer cannot reconstruct from the regulatory text. This article describes that framework from statutory authorisation to compelled publication, covering the CE regulations in DGCCRF's mandate: LVD, EMC, Machinery Directive and Regulation 2023/1230, Toys, PPE, CPR, ATEX, RoHS, WEEE and GPSR.

 2 May 2026  12 min
Classifying products under the CRA: a practical guide to Annex III
Tags: Annex III, CRA, Compliance, Cybersecurity, CE marking

Product classification under the CRA (standard, important Class I or Class II) determines the conformity assessment module, and with it whether a notified body is required. For an SME manufacturer, the difference easily amounts to €15,000–50,000 and six to twelve months of additional timeline. This guide provides a practical reading of Annex III, incorporates the Implementing Regulation (EU) 2025/2392, and addresses the most common application cases for alarm, IoT and network equipment manufacturers.

 1 May 2026  13 min
CRA and the Radio Equipment Directive (EN 18031): mapping synergies for radio equipment manufacturers
Tags: CRA, Compliance, Cybersecurity, RED Directive, EN 18031, EN 304 632

Since August 2025, manufacturers of internet-connected radio equipment have been subject to the cybersecurity requirements of the Radio Equipment Directive (EN 18031-1/2/3). Many believe this work covers most of their CRA obligations. That is not entirely wrong, but it is incomplete. This article maps precisely what EN 18031 delivers for CRA purposes, what it does not cover, and what the conformity assessment module question (dependent on vertical standard harmonisation) changes operationally for connected security product manufacturers.

 1 May 2026  13 min
SBOM: what the CRA actually requires and how to prepare
Tags: Article 14, CRA, Cybersecurity, Firmware, Vulnerability management, SBOM

The SBOM (Software Bill of Materials) is required by Annex VII of the CRA, but its regulatory value exceeds the documentary checkbox: without an up-to-date SBOM that can be correlated against vulnerability databases, the 24-hour Article 14 deadline is unmanageable. Formats, minimum content, challenges specific to embedded firmware, and what a viable SBOM looks like for an industrial SME without a full CI/CD pipeline.

 1 May 2026  12 min
CRA Article 14: the September 2026 milestone most manufacturers are not ready for
Tags: Article 14, CRA, CVD, Cybersecurity, Vulnerability management, PSIRT

On 11 September 2026, the obligations to notify actively exploited vulnerabilities under Article 14 of the CRA enter into application. They apply to all products already on the market: no grandfather clause. For a manufacturer with no up-to-date SBOM and no PSIRT function, the 24-hour deadline cannot be met. What must be in place, in what order, and what a market surveillance authority looks for in a notification file.

 1 May 2026  11 min
The Cyber Resilience Act: mapping a new regulatory framework
Tags: CRA, Compliance, Cybersecurity, EN 304 632, CE marking

Regulation (EU) 2024/2847 introduces a compliance logic that the connected electronics sector had not encountered under previous directives: a cybersecurity obligation running throughout the product lifecycle, not merely at the point of placing on the market. This article maps the regulation's internal structure (scope, classification, conformity assessment modules and the two-speed timeline) for manufacturers beginning their compliance work today.

 1 May 2026  15 min
Thomas Cutuil

Certification engineer — EU product compliance expert

© 2026 Thomas Cutuil