"We're not affected by the Cyber Resilience Act. Our machine runs completely offline." A customer told me this in a conversation. My follow-up: "Is there a service port?" Brief pause. "Yes, a USB connector for updates."
That product has a physical digital interface. And so it falls within the scope of the CRA.

What is a "product with digital elements" under the CRA?
The EU Cyber Resilience Act does not just cover networked devices. It covers products with digital elements, a much broader category.
The definition in Article 3 is deliberately broad: software or hardware products whose intended or reasonably foreseeable use includes a logical or physical data connection to a device or network. The interface does not need to be permanently active. It does not even need to be used regularly. The mere possibility is enough.
Any logical or physical data connection can bring a product into the CRA scope. Even a single USB port. Even an RS-232 service connector. Even an SD card slot. Even a JTAG header.
Which interfaces trigger CRA applicability?
Each of these interfaces, on its own, is enough to pull a product into the CRA scope: Ethernet, Wi-Fi, Bluetooth, NFC, Zigbee, USB in all variants, RS-232, RS-485, CAN, Modbus, SD and microSD card slots, JTAG, SWD, UART service ports, proprietary service connectors, and optical data interfaces.
Only purely analog connections without digital data transfer fall outside the CRA, for example an analog 4-20 mA sensor output without HART protocol. The moment digital data runs on the same line, via HART or IO-Link, the product is back in scope.
Why even pure industrial products are affected
The CRA is especially underestimated in classic industrial environments like machinery, industrial automation, and measurement and test equipment. The argument usually goes: "Our devices run on the factory network, behind a firewall, nothing gets through."
That may be operationally true, but it doesn't change the scope. The CRA doesn't ask how secure your factory network is. It asks whether your product has a digital interface.
PLCs and industrial controllers with Modbus, Profinet, or EtherCAT; embedded HMIs that are updated via USB stick; measurement and test systems with RS-232 or USB data export; edge gateways for machine connectivity; servo drives and frequency converters with a fieldbus connection; sensors and actuators with IO-Link: all of these routinely land in CRA scope.
Whether the device is actually plugged into the network is secondary for CRA applicability. The interface makes the scope.
What you should check now
The first step is a complete interface inventory per product. List every interface, not just Ethernet and Wi-Fi. Also USB, SD, RS-232, JTAG, and any service port. A single entry is enough to bring the product into scope. Internal maintenance ports are often missing from product specs and only surface when someone actually opens the device.
Once the inventory is in place, the risk assessment has to be rethought. A USB port that enables update delivery is simultaneously an attack vector. Risk analysis and security requirements must address this. And as soon as firmware runs on the device (which is the case for anything with a USB update port), you need an SBOM and a working update path for fixing vulnerabilities.
Frequently asked questions
Does the CRA also apply to offline devices? Yes, as soon as the device has a logical or physical data connection. The CRA covers products with digital elements, not only networked ones.
What is a 'product with digital elements' under the CRA? Software or hardware products whose intended or reasonably foreseeable use includes a logical or physical data connection to a device or network. The interface does not need to be permanently active.
Which interfaces trigger CRA applicability? All digital interfaces: Ethernet, Wi-Fi, Bluetooth, NFC, USB, RS-232/RS-485, SD card slots, JTAG service ports, proprietary service connectors.
Is a USB service port relevant for the CRA? Yes. A single USB port for firmware updates qualifies the product as a 'product with digital elements' under the CRA.
Conclusion
Offline doesn't protect you from the CRA. The CRA doesn't ask whether your device is on the network; it asks whether it has a digital interface. And a USB port is just as much an interface as an Ethernet jack.
Walk through your product list and check all interfaces. Not just Ethernet and Wi-Fi. Anyone who misses the service port misses the entire CRA.
A structured CRA roadmap helps build interface inventory, risk assessment, and update paths systematically, before the first market surveillance check finds the forgotten USB port.
Every Friday I debunk a CRA myth here.