---
url: https://eurocomply.app/regulations/cra/persona/saas-product
canonical: https://eurocomply.app/regulations/cra/persona/saas-product
title: CRA for SaaS Products — EuroComply
regulation: CRA
regulationNumber: (EU) 2024/2847
celex: 32024R2847
persona: SaaS Products
personaSlug: saas-product
inForceDate: 2024-12-10
applicationDate: 2027-12-11
sourceUrl: https://eur-lex.europa.eu/eli/reg/2024/2847/oj
lastReviewed: 2026-05-12
author: EuroComply Team
license: CC-BY-4.0
---

# CRA for SaaS Products

The Cyber Resilience Act applies to 'products with digital elements' — defined as software or hardware made available on the EU market whose intended or foreseeable use includes a data connection. Pure SaaS (provided as a service, not made available as a product) is excluded; the boundary turns on whether the customer receives a software artefact they install or operate themselves.

## Does the CRA apply to SaaS products?

It depends. SaaS provided purely as a service is excluded. SaaS that ships any artefact installed or operated by the customer (downloadable agent, on-prem edition, customer-managed extension) becomes a product with digital elements and is in scope.

**Key considerations:**

- Pure cloud-hosted SaaS = excluded (no 'product made available on the market'). Hybrid offerings (downloadable agents, on-prem editions, customer-installed extensions) may be in scope
- Free and open-source software developed in the course of commercial activity is in scope (Article 3(20)); FOSS developed without commercial activity is excluded
- The 'important' and 'critical' product categories (Annex III, Annex IV) trigger stricter conformity-assessment routes
- Mandatory vulnerability handling (Article 13): security updates for the support period (typically 5 years or product lifetime, Annex I Part II), free of charge

## Underlying CRA facts

**Full name:** Regulation (EU) 2024/2847 of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act).

**Maximum fine:** Up to €15 million or 2.5% of global annual turnover, whichever is higher.

**Key dates:**

- 2024-12-10 — Entry into force (Article 71)
- 2026-09-11 — Vulnerability and incident reporting obligations apply (Article 14)
- 2027-12-11 — Main body of substantive obligations applies (Article 71)

## Recommended next step

[Check if the CRA applies to your product](https://eurocomply.app/tools/regulation-checker)

## Related EuroComply resources

- Full CRA compliance guide: [/regulations/cra](https://eurocomply.app/regulations/cra)
- Markdown companion: [/regulations/cra.md](https://eurocomply.app/regulations/cra.md)

## Source

Authoritative text: [(EU) 2024/2847 — EUR-Lex](https://eur-lex.europa.eu/eli/reg/2024/2847/oj) (OJ L, 20.11.2024).

---

Informational only. Not legal advice — consult qualified legal counsel.

Last reviewed: 2026-05-12 by the EuroComply Team. License: CC-BY-4.0.
