11.03.2026
Dr. Andreas Kotulla
Cyber Resilience Act
When a Security Incident Happens Outside the EU: Does the CRA Still Apply?
The global nature of cybersecurity raises a practical question for manufacturers. If an actor exploits a vulnerability outside the European Union, do the Cyber Resilience Act (CRA) reporting and remediation obligations still apply?
The short answer is yes. If a manufacturer places a product on the EU market, the CRA can trigger obligations, no matter where the incident occurs. In other words, when exploitation or discovery happens outside the EU, it can still trigger CRA obligations. To understand why and how, we must examine the CRA’s scope and the broader operation of EU product law.
The CRA is Market-Based, Not Geography-Based
The CRA is a product regulation. The scope depends on whether a manufacturer places a product with digital elements on the Union market. It does not depend on where the manufacturer is located or where a cybersecurity incident occurs.
Recital 15 makes this clear: the Regulation applies to products that manufacturers “make available on the market,” meaning they supply them for distribution or use on the Union market in a commercial activity. The legal trigger is market access, not territorial origin.
This reflects the general principles of EU product law as explained in the 2022 Blue Guide. EU harmonisation legislation applies to products that manufacturers place or make available on the EU market, regardless of where they produce them or where events occur later. The decisive question is whether the supplier provides the product within the Union market framework.
Once manufacturers place a product on the EU market, it must comply with EU legislation throughout its lifecycle, including CRA cybersecurity obligations.
Article 3 CRA: Definitions
“‘Making available on the market’ means the supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge.”
Cybersecurity Is Inherently Cross-Border
The CRA explicitly recognises the cross-border nature of digital risks. Recital 4 emphasises that the cybersecurity of products with digital elements has a “particularly strong cross-border dimension”. Digital vulnerabilities do not respect territorial boundaries. A vulnerability exploited in one jurisdiction may rapidly affect users, networks, and infrastructures in another.
Recital 66 goes further. It states that because manufacturers market most digital products across the internal market, any exploited vulnerability in such a product threatens the market’s functioning.
Notably, the recital does not limit this to vulnerabilities exploited within the Union. It refers to “any exploited vulnerability” in a product marketed in the internal market. The logic is systemic: when manufacturers sell a product in the EU, an exploited vulnerability anywhere can threaten the internal market’s security and integrity.
Reporting Obligations Are Not Territory-Limited
Article 14 requires manufacturers to notify actively exploited vulnerabilities and severe incidents affecting the security of products with digital elements. Recital 65 explains that reporting ensures authorities receive the information they need to assess risks and coordinate responses.
Article 3(42) defines an “actively exploited vulnerability” as one with reliable evidence that a malicious actor has exploited it. The definition does not include any geographic qualifier. It does not require exploitation within the Union.
Recital 66 reinforces this approach by linking exploited vulnerabilities to threats to the internal market. If manufacturers place a product on the EU market and a malicious actor actively exploits a vulnerability—whether first in the United States, Asia, or elsewhere—the vulnerability still threatens EU market security.
The manufacturer must notify authorities as soon as they become aware of such exploitation (Article 14(1); Recital 68). The location of the initial incident does not alter that duty.
What If the Incident Only Affects Non-EU Users?
A more nuanced scenario arises when exploitation appears to affect only users outside the EU. Even in this case, the CRA framework suggests caution.
If manufacturers offer the same product version on the EU market, the vulnerability also exists in products within the Union. Even if authorities have not yet observed exploitation within the EU, the risk remains. Given the cross-border dimension in Recital 4 and the internal market focus in Recital 66, authorities must treat these vulnerabilities as relevant.
Moreover, Article 14(8) requires manufacturers to inform affected users where appropriate. Manufacturers do not face a geographic limitation for this obligation; it ties directly to product security and user impact.
In practice, once a malicious actor actively exploits a vulnerability in a product on the EU market, manufacturers should comply with CRA reporting obligations to stay on the safe and legally defensible side.
The Broader Regulatory Logic
The CRA aims to strengthen the cybersecurity posture of the internal market as a whole. The CRA uses a lifecycle approach, requiring manufacturers to manage vulnerabilities and maintain security throughout the support period (Annex I, Part II).
This framework would collapse if manufacturers avoided reporting obligations just because a malicious actor first exploited a vulnerability outside the Union. Cybersecurity remains interconnected. Supply chains, cloud infrastructures, and update mechanisms are global.
The CRA therefore adopts a market-based regulatory model combined with a risk-based security logic. When manufacturers place a product on the EU market and a malicious actor actively exploits a vulnerability, they must comply with reporting obligations, no matter where the exploitation is first detected.
Practical Implications for Global Manufacturers
For manufacturers operating globally, this has clear implications. Incident response processes must be aligned across jurisdictions. A vulnerability exploited in one country may trigger reporting obligations under multiple regulatory regimes, including the CRA.
Manufacturers should ensure their monitoring, disclosure, and internal reporting processes identify and escalate incidents relevant to the EU market. The decisive factor is not the attacker’s location but whether manufacturers place the affected product on the EU market.
Conclusion
The CRA does not limit its scope to incidents or discoveries within the EU. As a market regulation, it protects the internal market against cybersecurity risks from products that manufacturers place on that market.
When manufacturers place a product with digital elements on the EU market and detect a vulnerability actively exploited anywhere in the world, the CRA can trigger reporting obligations (Recitals 4, 15, 66; Article 14). In an interconnected digital ecosystem, authorities cannot segment cybersecurity compliance by geography. It must follow the product.
If you need help understanding how cross-border incidents affect your EU regulatory exposure and supply-chain risks, Bitsea can turn complex rules into structured, defensible compliance workflows.