CRA Applicability Check: Does Your Product Fall Under the Cyber Resilience Act?

The EU Cyber Resilience Act applies to an extraordinarily broad range of products — but not everything. Determining whether your product falls under the CRA, and if so, which category and conformity assessment path applies, is the essential first step before investing in compliance. Get it wrong and you either waste resources on unnecessary compliance or, worse, discover non-compliance after the December 2027 deadline when your products cannot legally be sold in the EU.

This guide provides a systematic four-step applicability assessment that takes you from "does the CRA apply to my product?" to "what exactly do I need to do?" — with concrete examples for every product category.

Step 1: Is It a Product with Digital Elements?

The CRA defines a "product with digital elements" as any software or hardware product whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. This definition has three key components that determine applicability:

The Digital Element

The product must contain software — either as its primary function (standalone software) or as an embedded component (firmware, operating system, control software). A purely mechanical device with no software component is not covered. However, the threshold is very low: even a simple embedded microcontroller with firmware qualifies the product as having a digital element.

The Connection Requirement

The product must connect (or be intended to connect) to a device or network. Connection types that trigger applicability:

• Physical connections: Ethernet, USB, serial ports, HDMI with data capabilities
• Wireless connections: WiFi, Bluetooth, Zigbee, Z-Wave, cellular (4G/5G), LoRaWAN, NFC
• Logical connections: APIs, SDKs, drivers that enable communication with other software or services
• Indirect connections: Products that connect through a hub, gateway, or intermediary device

Critical distinction: the connection must be part of the product’s intended or reasonably foreseeable use. A service port used exclusively during manufacturing or repair that is disabled in the product’s normal operation does not trigger CRA applicability. However, if users could reasonably enable that port, it likely does.

In-Scope Examples

• Smart home devices: Thermostats, door locks, cameras, lighting systems, voice assistants
• Consumer electronics: Smart TVs, connected speakers, gaming consoles, fitness trackers, smartwatches
• Enterprise software: ERP systems, CRM platforms, development tools, database management systems
• Network equipment: Routers, switches, firewalls, access points, VPN appliances
• Industrial products: PLCs with network interfaces, industrial sensors, SCADA components, connected meters
• Standalone software: Operating systems, browsers, office suites, mobile apps, desktop applications
• Software components: Libraries and SDKs distributed as standalone products for integration

Out-of-Scope Examples

• Purely analog devices: Mechanical tools, non-electronic components, passive hardware without firmware
• Pure SaaS without client-side software: Cloud-hosted applications accessed entirely through a standard browser with no downloads, plugins, or on-device processing
• Products covered by sector-specific regulation: Medical devices (MDR/IVDR), motor vehicles (UNECE), aviation (EASA regulations), marine equipment
• Non-commercial open-source software: Community-developed, freely distributed software with no commercial intent
• National security and military products
• Products developed exclusively for research and development purposes that are not placed on the market

Step 2: Is the Product Placed on the EU Market?

The CRA applies when a product is "made available on the market" — meaning it is supplied for distribution, consumption, or use on the EU market in the course of a commercial activity, whether for payment or free of charge.

This has important implications:

• Digital distribution counts: Software available for download from an app store, website, or repository accessible to EU users is placed on the EU market, regardless of the developer’s location
• Free products are in scope: Freemium software, free versions of commercial products, and free tools that are part of a commercial business model all qualify
• Non-EU manufacturers are affected: If your product reaches EU customers, you must comply. Non-EU manufacturers must appoint an authorized representative in the EU
• B2B products are included: The CRA applies regardless of whether the buyer is a consumer or a business

The only products not "placed on the market" are those that are genuinely internal (never distributed outside the organization), custom-developed for a single customer under a bespoke contract (which may instead fall under contractual obligations), or products explicitly limited to non-EU markets with effective geographic restrictions.

Step 3: What Product Category?

If your product is in scope (Steps 1 and 2), the next question is: which risk category applies? The category determines the conformity assessment path — and the associated effort and cost.

Default Category (Self-Assessment)

Products that do not appear in Annex III or Annex IV of the CRA. This covers the vast majority of products: consumer IoT devices, business software, mobile apps, connected appliances, and most enterprise tools. The manufacturer performs a self-assessment against the essential requirements, documents compliance, and affixes CE marking. No third-party audit is required, but the documentation must be complete and available for market surveillance authorities.

Important Products — Class I (Self-Assessment or Third-Party)

Listed in Annex III, Part I. These are products with higher security significance:

• Identity management systems and privileged access management software
• Standalone and embedded browsers
• Password managers
• VPN software and hardware
• Network management systems
• Security information and event management (SIEM) systems
• Boot managers and BIOS/UEFI firmware
• Firewalls, intrusion detection/prevention systems
• Routers and modems intended for internet connection
• Microcontrollers with security-relevant functionality

Conformity path: self-assessment using harmonized standards (when published). If no applicable harmonized standard exists for your product category, third-party assessment by a notified body is mandatory.

Important Products — Class II (Mandatory Third-Party)

Listed in Annex III, Part II. Products with the highest security impact short of critical:

• Operating systems for servers, desktops, and mobile devices
• Hypervisors and container runtime systems
• Public key infrastructure (PKI) and digital certificate issuance systems
• Industrial firewalls and intrusion detection for industrial environments
• Smart meters and other smart energy devices
• Industrial IoT devices not covered by sector-specific regulation
• Robot sensing and actuator components with connectivity

Conformity path: mandatory third-party assessment by a notified body. Self-assessment is never sufficient for Class II products.

Critical Products (EU Certification)

Listed in Annex IV. Currently a very narrow category:

• Hardware security modules (HSMs)
• Smart cards and smart card readers
• Tamper-resistant elements in devices (secure enclaves)

Conformity path: EU cybersecurity certification under an applicable scheme. Until such schemes are available, Class II rules (third-party assessment) apply as a transitional measure.

Step 4: What Are Your Obligations?

Once you know your product category, the obligations fall into place:

All Categories (Universal Obligations)

• Meet essential security requirements (Annex I): secure by default, encrypted data, access control, update capability, minimal attack surface
• Establish vulnerability handling process with coordinated disclosure policy
• Report actively exploited vulnerabilities to ENISA within 24 hours (already active since September 2026)
• Maintain and provide a Software Bill of Materials (SBOM)
• Provide free security updates for at least 5 years
• Prepare technical documentation (Annex VII)
• Prepare EU declaration of conformity
• Affix CE marking
• Retain documentation for 10 years

Additional for Class I

• Apply applicable harmonized standards (when published) OR obtain third-party assessment
• More rigorous documentation of conformity assessment methodology

Additional for Class II and Critical

• Engage a notified body for third-party conformity assessment
• Provide the notified body with full access to technical documentation, source code (where required), and testing infrastructure
• Maintain ongoing relationship with notified body for product updates that affect conformity

Practical Examples: Applying the Decision Tree

Example 1: Enterprise SaaS with Desktop Client

A project management SaaS platform with a web interface and an optional desktop client for Windows and macOS. Step 1: The desktop client is software with network connectivity → product with digital elements. The web-only access is excluded, but the desktop client brings the product into scope. Step 2: Available in the EU via download. Step 3: Not in Annex III or IV → default category. Step 4: Self-assessment. Focus compliance on the desktop client component; document the web-only mode as out of scope.

Example 2: Industrial IoT Sensor

A temperature sensor with Bluetooth connectivity for factory monitoring. Step 1: Firmware + Bluetooth = product with digital elements. Step 2: Sold to EU industrial customers. Step 3: Industrial IoT not covered by sector regulation → check Annex III Part II → Class II. Step 4: Mandatory third-party assessment by a notified body. Significant compliance effort required.

Example 3: Open-Source Library Published on npm

A JavaScript utility library published as open source under MIT license by a solo developer. Step 1: Software component. Step 2: Freely downloadable. Step 3: Check commercial intent → no commercial activity, no monetization, no company → non-commercial open source → excluded from CRA. However: any company that commercially integrates this library into their product becomes responsible for CRA compliance of the library component.

Example 4: Network Firewall Appliance

A hardware firewall with firmware and web management interface. Step 1: Hardware + firmware + network connectivity = product with digital elements. Step 2: Sold to EU businesses. Step 3: Firewalls are listed in Annex III Part I → Class I important product. Step 4: Self-assessment using harmonized standards when available; otherwise third-party assessment. Must also comply with vulnerability reporting since September 2026.

Example 5: Mobile Banking App

A banking app for iOS and Android. Step 1: Software with network connectivity = product with digital elements. Step 2: Available on EU app stores. Step 3: Not a medical device, not in Annex III/IV directly. However, if the app includes identity management or authentication functionality, it may qualify as Class I. Step 4: Likely default category (self-assessment) unless the authentication component triggers Class I classification. Consult Annex III carefully.

The SaaS Trap: CRA vs. NIS2

Many software companies assume they are exempt because they deliver SaaS. This is a dangerous assumption. The CRA excludes "remote data processing solutions" (pure cloud services), but NIS2 may apply to the same company as an operator of essential services or an important entity. The coverage gap:

• CRA applies to your product components (desktop clients, mobile apps, browser extensions, on-device code)
• NIS2 applies to your organization (security operations, incident response, supply chain management)
• If you deliver both SaaS and downloadable software, both regulations apply to different aspects of your business

The practical takeaway: do not assume SaaS exemption from all cybersecurity regulation. Map your product architecture against CRA scope AND your organization against NIS2 scope.

What to Do Next

1. Conduct the four-step applicability assessment for every product in your portfolio within the next 30 days
2. For each in-scope product, classify the risk tier (default, Class I, Class II, critical) based on Annex III and IV
3. Prioritize Class II and critical products — these require third-party assessment and have the longest compliance timelines
4. Check vulnerability reporting compliance — the 24h/72h reporting obligation to ENISA is already active
5. Begin SBOM generation for all products — this is foundational for both conformity assessment and vulnerability management
6. Engage legal counsel for borderline cases, especially SaaS/on-device hybrid products and products that may be covered by both the CRA and sector-specific regulation

Frequently Asked Questions

Our product is sold globally — can we ignore the CRA?

No. If your product is available to EU customers, the CRA applies regardless of your company location. This includes products downloadable from websites or app stores accessible in the EU. Like GDPR, the CRA has extraterritorial reach. Non-EU manufacturers must appoint an authorized representative in the EU.

We use third-party components — who is responsible for their CRA compliance?

The manufacturer of the final product is responsible for CRA compliance of the complete product, including all third-party components. If a vulnerability is discovered in an open-source library used in your product, you — not the library maintainer — must report it and provide a security update. This is why SBOM management and continuous dependency monitoring are essential.

How do I classify a product that spans multiple categories?

If a product has features that place components in different categories, the highest applicable category determines the conformity assessment path. For example, a network appliance that functions as both a router (Class I) and a firewall (Class I) is assessed as Class I. If it also includes industrial IoT functionality (Class II), the entire product must undergo Class II third-party assessment.

What if harmonized standards are not yet published for my product category?

For default category products: you can self-assess against the essential requirements directly (no standard needed). For Class I products: without a harmonized standard, third-party assessment by a notified body becomes mandatory — you cannot self-assess. The European Commission is working with standardization bodies (CEN, CENELEC, ETSI) to publish harmonized standards before the December 2027 deadline.

Is a product sold before December 2027 exempt from the CRA?

No. Products placed on the market before December 2027 must be brought into compliance. There is no grandfathering provision. However, the manufacturer has until the deadline to complete the conformity assessment and affix CE marking. Products that cannot be brought into compliance must be withdrawn from the market.

Does the CRA apply to internal tools we build for our own use?

No, if the tool is genuinely internal and never distributed outside your organization. The CRA only applies to products "placed on the market" or "made available on the market." However, if you later decide to commercialize an internal tool or share it with partners, it enters CRA scope at that point.