EuroComply

CRA for SaaS Products

The Cyber Resilience Act applies to 'products with digital elements': software or hardware products, including components placed on the market separately, that are made available on the EU market and whose intended purpose or reasonably foreseeable use includes a direct or indirect data connection to a device or network. Software provided purely as a hosted service is not a product made available on the market and falls outside the CRA (to the extent it is regulated at all, that is NIS2's job); the boundary turns on whether the customer receives a software artefact they install or operate themselves. One caveat: a cloud backend that the manufacturer designs for its product, and without which the product cannot perform one of its functions, is 'remote data processing' in the Regulation's terms and is regulated as part of that product.

Does the CRA apply to SaaS products?

It depends on what the customer receives. SaaS provided purely as a hosted service is excluded. As soon as the offering ships an artefact that the customer installs or operates (a downloadable agent, an on-prem edition, a customer-managed extension), that artefact is a product with digital elements and is in scope, and the hosted service behind it may be in scope as its remote data processing.

  • Pure cloud-hosted SaaS = excluded (no product is 'made available on the market'). Hybrid offerings (downloadable agents, on-prem editions, customer-installed extensions) bring the shipped artefact into scope
  • Free and open-source software made available in the course of a commercial activity is in scope (Article 3(20)); FOSS developed or supplied outside any commercial activity is excluded
  • The 'important' and 'critical' product categories (Annex III and Annex IV) trigger stricter conformity-assessment routes; products in neither category can normally self-assess
  • Mandatory vulnerability handling (Annex I, Part II, via Article 13): security updates free of charge throughout a support period of at least five years, or the product's expected lifetime if that is shorter (Article 13(8)); actively exploited vulnerabilities and severe incidents must also be reported under Article 14
Source: Regulation (EU) 2024/2847 (EUR-Lex)

Who does the CRA apply to?

The CRA applies to any 'product with digital elements', hardware or software, placed on the EU market whose intended purpose or reasonably foreseeable use includes a direct or indirect data connection to another device or network. Obligations fall mainly on the manufacturer, with lighter duties for importers and distributors. A small set of products is excluded because equivalent sectoral rules already apply (e.g. medical devices covered by MDR/IVDR, type-approved motor vehicles, civil aviation, marine equipment), as are products developed or modified exclusively for national security or defence purposes.

  • Hardware products with digital elements (e.g. connected appliances, industrial controllers)
  • Standalone and embedded software products placed on the EU market
  • Two heightened risk categories — 'important' and 'critical' — with stricter conformity-assessment routes
  • Excluded: products already covered by equivalent sectoral rules (MDR, IVDR, vehicle type-approval, civil aviation, marine equipment) and products built exclusively for defence or national security

What are the penalties for CRA non-compliance?

The CRA's penalty tiers (Article 64) track the nature of the breach. The highest tier, up to €15 million or 2.5% of worldwide annual turnover, targets failure to comply with the essential cybersecurity requirements in Annex I and the manufacturer's obligations under Articles 13 and 14; a middle tier, up to €10 million or 2%, covers breaches of the other obligations in the Regulation; a lower tier, up to €5 million or 1%, covers supplying incorrect, incomplete or misleading information to notified bodies or market surveillance authorities. In each tier the higher of the two amounts applies.

Maximum fine: up to €15 million or 2.5% of worldwide annual turnover, whichever is higher

When does the CRA apply?

The CRA entered into force on 10 December 2024. The provisions on notified bodies (Chapter IV) apply from 11 June 2026, so that assessment bodies exist before manufacturers need them. The vulnerability and incident reporting obligations in Article 14 apply from 11 September 2026. The main body of substantive obligations, including the essential requirements and conformity assessment, applies from 11 December 2027.

  • 2024-12-10 — Entry into force
  • 2026-06-11 — Notified-body provisions (Chapter IV) apply
  • 2026-09-11 — Vulnerability and incident reporting obligations (Article 14) apply
  • 2027-12-11 — Main body of substantive obligations applies
Minimum support period: 5 years (or the product's expected lifetime, if shorter)

The support period during which the manufacturer must handle vulnerabilities and provide security updates free of charge, set with regard to the expected use time of the product and no shorter than five years unless the product is expected to be in use for less.

Regulation (EU) 2024/2847, Article 13(8) and Annex I, Part II


For informational purposes only. This is not legal advice — consult qualified legal counsel.
