One of the most common questions manufacturers ask: Does my product even fall under the Cyber Resilience Act? For most manufacturers of digital products, the answer is yes. The CRA has an intentionally broad scope that captures nearly all products with digital elements made available on the EU market.
The Basic Rule: Products with Digital Elements
The CRA defines its scope through the term "product with digital elements": any software or hardware product, together with its remote data processing solutions, including software or hardware components placed on the market separately. The Regulation applies to such products when their intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.
In concrete terms: every product that contains software and is in any way connected or connectable falls under the CRA. This includes physical devices with embedded software such as IoT devices, smart home products, industrial controllers, network equipment, and embedded systems. Pure software products are equally covered – desktop applications, mobile apps, firmware, and operating systems. Components placed on the market individually are also captured: microprocessors with security-related functions, software libraries, and modules.
The scope is technology-neutral. It does not matter whether your product communicates via WiFi, Bluetooth, Ethernet, cellular, or any other protocol.
What the CRA Does Not Cover: The Exemptions
The CRA contains several clearly defined exemptions. These concern product categories already covered by other EU regulations.
Medical devices are exempt, as they already fall under the Medical Devices Regulation (MDR) and the In Vitro Diagnostics Regulation (IVDR). These regulations already contain comprehensive cybersecurity requirements.
Vehicles and their accessories are exempt when covered by the motor vehicle type-approval regulation, which incorporates UNECE Regulations R155 (cybersecurity management systems) and R156 (software update management systems).
Aviation products are exempt when falling under EU aviation regulations.
Products developed or modified exclusively for national security or defense purposes are exempt, as are products specifically designed to process classified information.
Free and open-source software is outside the CRA's scope as long as it is not made available on the market in the course of a commercial activity; accepting donations or offering the software without charge does not by itself make the activity commercial. The picture changes once the software is monetized or integrated into a commercial product: the manufacturer of that product is then responsible for the open-source components it ships, and the open-source developer itself becomes a manufacturer only if it places the software on the market commercially. Open-source stewards (foundations and organizations that support the development of open-source products intended for commercial use) face a reduced set of obligations, such as maintaining a cybersecurity policy and cooperating with authorities, rather than the full manufacturer duties.
Important: SaaS and other cloud services as such generally do not fall under the CRA, because a service is not "placed on the market" as a product; such services are addressed by NIS2 instead. There is a crucial exception: remote data processing that the manufacturer designs and operates for the product, and without which the product could not perform one of its functions, is part of the product and falls under the CRA. The backend of a connected device that cannot pair, update, or be controlled without it is the typical case.
The Three Product Categories in Detail
The CRA divides all covered products into three categories requiring different conformity assessment procedures.
Standard products (default). The vast majority of products – an estimated 90 percent – fall into this category: every product not explicitly listed in CRA Annex III (important products) or Annex IV (critical products). Examples: smart bulbs, connected household appliances without security functions, simple sensors, most business and consumer software applications, and games. Self-assessment by the manufacturer is sufficient for standard products. Be careful with consumer products that look ordinary: under the adopted Regulation (EU) 2024/2847, smart speakers with a general-purpose virtual assistant and wearables with a health-monitoring purpose are listed in Annex III, not in the default category.
Important products (Class I). Annex III, Part I lists products whose compromise carries a higher security impact: identity management systems and privileged access management software and hardware (including authentication and access control readers); standalone and embedded browsers; password managers; software that searches for, removes, or quarantines malware; products with a VPN function; network management systems; SIEM systems; boot managers; public key infrastructure and digital certificate issuance software; physical and virtual network interfaces; operating systems; routers, modems intended for internet connection, and switches; microprocessors, microcontrollers, ASICs, and FPGAs with security-related functionality; smart home general-purpose virtual assistants; smart home products with security functionality (smart door locks, security cameras, baby monitors, alarm systems); internet-connected toys with social interactive or location-tracking features; and personal wearables with a health-monitoring purpose that are not medical devices, or wearables intended for children. For Class I products, manufacturer self-assessment remains possible only when harmonized standards, common specifications, or a European cybersecurity certification scheme are applied in full; otherwise a notified body must be involved.
Important products (Class II). Annex III, Part II covers a smaller set with still higher risk: hypervisors and container runtime systems, firewalls and intrusion detection and prevention systems, tamper-resistant microprocessors, and tamper-resistant microcontrollers. Class II products always require third-party conformity assessment by a notified body or, where an applicable scheme exists, certification under a European cybersecurity certification scheme. Products that earlier drafts placed here, such as HSMs, secure cryptoprocessors, and smartcard readers, now appear in Annex IV or Annex III instead.
Critical products. Annex IV lists a small group of critical products: hardware devices with security boxes, smart meter gateways within smart metering systems and other devices for advanced security purposes including secure cryptoprocessing, and smartcards or similar devices including secure elements. Where the Commission has required it by delegated act, critical products must obtain a European cybersecurity certificate at assurance level "substantial" or higher; until such a requirement applies, they follow the third-party procedures of Class II.
Edge Cases: Common Questions About Scope
In practice, boundary cases regularly arise when determining scope.
Products without network connectivity: A purely analog product, or a product with software but no data interface whatsoever, does not fall under the CRA. The test is not "network" but "direct or indirect logical or physical data connection to a device or network", so a USB port, a serial or debug interface, a Bluetooth radio, or a wired bus to another device is enough to bring the product into scope, even if it never touches the internet.
Spare parts and components: When a component is placed on the market as a standalone product (e.g., a WiFi module), it falls under the CRA in its own right. If it is used exclusively as an internal part of another product and not distributed separately, it is covered through the end product, whose manufacturer must exercise due diligence over the components it integrates. Spare parts made available only to replace identical components, manufactured to the same specifications as the originals, are exempt.
Cloud backend for hardware: When a device depends on a cloud backend designed and operated by (or under the responsibility of) the same manufacturer, that remote data processing is part of the product and falls under the CRA. This applies, for example, to smart home hubs that cannot function without cloud connectivity.
Updates for existing products: A security update or other maintenance update for a product already on the market does not trigger a new conformity assessment. The exception is a "substantial modification": a change that affects compliance with the essential requirements or alters the product's intended purpose. A substantially modified product counts as a new product placed on the market, and whoever makes the modification takes on the manufacturer's obligations for it.
How to Check Whether Your Product Is Affected
Take a systematic approach and answer four questions. Does your product contain software or firmware? Can it establish a direct or indirect data connection to a network or to other devices? Is it made available on the EU market? Does it fall under one of the defined exemptions? If the first three answers are yes and the last is no, your product falls under the CRA.
Next, determine the product category using CRA Annexes III and IV. This determines which conformity assessment procedure you must follow and which requirements specifically apply.
Our free CRA readiness assessment helps you quickly evaluate whether and how the CRA affects your product – and what steps you should take next.