Written by: Haim Ravia, Dotan Hammer
The European Commission published two significant sets of draft guidelines in March 2026, providing practical compliance guidance for two of the EU’s most consequential recent digital regulations.
On March 3, 2026, the Commission published draft guidelines intended to clarify the application of the EU Cyber Resilience Act (CRA) and opened a public consultation for stakeholder feedback. The CRA, which entered into force on December 10, 2024, establishes EU-wide cybersecurity requirements for products with digital elements—both hardware and software. The draft guidelines provide an overview of the CRA’s scope, confirming its applicability to both hardware and software products, and elaborate on key compliance obligations such as risk assessments, reporting duties, and procedures for vulnerability handling. The CRA is being implemented in phases: Chapter IV will apply from June 11, 2026; Article 14’s vulnerability reporting obligations will take effect from September 11, 2026; and the CRA as a whole will apply from December 11, 2027.
The guidelines are designed to help organizations prepare for these upcoming requirements and to support harmonized enforcement by national market surveillance authorities across the EU. The Commission notes that further guidelines may be issued as the CRA is integrated with other EU digital regulations. The consultation for stakeholder feedback was open until March 31, 2026. While not legally binding, the guidelines aim to clarify the Commission’s interpretation of the CRA and to support organizations, especially SMEs, in achieving compliance.
Separately, the European Commission published draft guidelines on AI transparency obligations under the EU AI Act. These guidelines address the transparency and information requirements that providers and deployers of AI systems must meet, including the obligation to inform users when they are interacting with AI systems, the labeling and watermarking of AI-generated content, and the disclosure requirements that apply to AI systems designed to interact with natural persons. The transparency guidelines are particularly timely: while the Commission’s Digital Omnibus on AI proposes to delay the application of high-risk AI system rules, certain transparency obligations are among the provisions that the EDPB and EDPS have urged be maintained on the original timeline. The draft guidelines aim to give developers and deployers practical tools for implementing these requirements before the relevant provisions become applicable.