Does the Cyber Resilience Act apply to my product?
Regulation (EU) 2024/2847 introduces horizontal cybersecurity requirements for products with digital elements. Answer 5 questions to find out if it applies to your product.
Last updated: 12 May 2026
Does a product in CRA scope need to comply with the CRA?
- Yes path: CRA applies — heightened-risk class, conformity assessment required
- No path: CRA does not apply — covered by sectoral legislation
- Use the step-by-step decision tree below for your exact situation
For informational purposes only. Consult qualified legal counsel before making compliance decisions.
Decision tree questions
Is your offering a 'product with digital elements' — hardware or software made available on the EU market?
Article 3(1) defines a product with digital elements as any software or hardware product whose intended or reasonably foreseeable use includes a direct or indirect data connection. Pure SaaS provided as a service (not made available as a product) is excluded.
- Yes: Continue to: Does the product's intended or reasonably foreseeable use include a direct or indirect data connection to another device or network?
- No: CRA does not apply — pure SaaS / service-only offering
Does the product's intended or reasonably foreseeable use include a direct or indirect data connection to another device or network?
The data connection element is constitutive. Fully air-gapped devices with no possible network connection fall outside the CRA.
- Yes: Continue to: Is the product already covered by equivalent sectoral EU legislation (e.g. MDR/IVDR, motor-vehicle type-approval, civil aviation EASA, national security, defence)?
- No: CRA does not apply — no data-connection element
Is the product already covered by equivalent sectoral EU legislation (e.g. MDR/IVDR, motor-vehicle type-approval, civil aviation EASA, national security, defence)?
Article 2(2)–(4) excludes products already subject to equivalent cybersecurity requirements under sectoral EU law. The exclusion is narrow — software components of in-scope sectoral products may still need separate analysis.
- Yes: CRA does not apply — covered by sectoral legislation
- No: Continue to: Is the product free and open-source software developed outside the course of commercial activity?
Is the product free and open-source software developed outside the course of commercial activity?
Article 3(20) defines 'commercial activity'. FOSS developed by maintainers without a commercial intent is excluded. FOSS made available via paid support, hosted distributions, or as part of a commercial offer is in scope.
- Yes: CRA does not apply — FOSS outside commercial activity
- No: Continue to: Is the product an 'important' (Annex III) or 'critical' (Annex IV) class — e.g. password managers, network management systems, identity-management products, smart-home assistants?
Is the product an 'important' (Annex III) or 'critical' (Annex IV) class — e.g. password managers, network management systems, identity-management products, smart-home assistants?
Annex III lists important products subject to stricter conformity-assessment routes. Annex IV products will be designated by Commission delegated act.
- Yes: CRA applies — heightened-risk class, conformity assessment required
- No: CRA applies — default class, self-assessment route