DDADUE Article 32: ANFR to be designated as France's CRA authority Featured
ANFR CRA Conformité Contrôle de marché DDADUE

DDADUE Article 32: ANFR to be designated as France's CRA authority

The DDADUE bill, adopted by the Senate under accelerated procedure, formally designates ANFR as France's market surveillance authority for the CRA. Article 32 inserts a new I quinquies into Article L.43 of the CPCE, sets out the mise en demeure → fine sequence, and codifies the three CRA sanction tiers (up to €15M or 2.5% of worldwide turnover). Two points deserve particular attention: trade secrets are not opposable to ANFR in CRA investigations, and the entry into force is split, ANFR mission on 11 September 2026, sanctions regime on 11 December 2027.

 1 May 2026  6 min
Classifying products under the CRA: a practical guide to Annex III
Annexe III CRA Conformité Cybersécurité Marquage CE

Classifying products under the CRA: a practical guide to Annex III

Product classification under the CRA (standard, important Class I or Class II) determines the conformity assessment module, and with it whether a notified body is required. For an SME manufacturer, the difference easily amounts to €15,000–50,000 and six to twelve months of additional timeline. This guide provides a practical reading of Annex III, incorporates the Implementing Regulation (EU) 2025/2392, and addresses the most common application cases for alarm, IoT and network equipment manufacturers.

 1 May 2026  13 min
CRA and the Radio Equipment Directive (EN 18031): mapping synergies for radio equipment manufacturers
CRA Conformité Cybersécurité Directive RED EN 18031 EN 304 632

CRA and the Radio Equipment Directive (EN 18031): mapping synergies for radio equipment manufacturers

Since August 2025, manufacturers of internet-connected radio equipment are subject to the cybersecurity requirements of the Radio Equipment Directive (EN 18031-1/2/3). Many believe this work covers most of their CRA obligations. That is not entirely wrong, but it is incomplete. This article maps precisely what EN 18031 delivers for CRA purposes, what it does not cover, and what the conformity assessment module question (dependent on vertical standard harmonisation) changes operationally for connected security product manufacturers.

 1 May 2026  13 min
The Cyber Resilience Act: mapping a new regulatory framework
CRA Conformité Cybersécurité EN 304 632 Marquage CE

The Cyber Resilience Act: mapping a new regulatory framework

Regulation (EU) 2024/2847 introduces a compliance logic that the connected electronics sector had not encountered under previous directives: a cybersecurity obligation running throughout the product lifecycle, not merely at the point of placing on the market. This article maps the regulation's internal structure (scope, classification, conformity assessment modules and the two-speed timeline) for manufacturers beginning their compliance work today.

 1 May 2026  15 min
CVD: drafting and publishing a coordinated vulnerability disclosure policy
CRA CVD Conformité Cybersécurité Gestion des vulnérabilités PSIRT

CVD: drafting and publishing a coordinated vulnerability disclosure policy

The coordinated vulnerability disclosure (CVD) policy is a public document that most connected product manufacturers have never produced, because before the CRA, nothing required it. From 11 September 2026, its absence constitutes a direct non-conformity finding. This article explains what a CVD policy must contain under CRA Annex I Part II and prEN 40000-1-3, how it differs from the internal vulnerability handling procedure, how to make it operational rather than decorative, and what the safe harbour clause implies legally.

 30 April 2026  11 min
All ANFR Annexe III Article 14 CRA CVD Conformité Conformité CE Contrôle de marché Cybersécurité DDADUE DGCCRF Directive Machines Directive RED Dossier technique Due diligence EN 18031 EN 304 632 Firmware Gestion des vulnérabilités Marquage CE PSIRT SBOM Surveillance du marché