EU Cyber Resilience Act
Is my product in scope for the EU Cyber Resilience Act?
If you place a “product with digital elements” (hardware or software whose intended use includes a data connection) on the EU market, the Cyber Resilience Act almost certainly applies to you.
What counts as a “product with digital elements”
The CRA covers products with digital elements (PDEs): any software or hardware product, and its remote data-processing solutions, placed on the EU market whose intended use includes a connection to a device or network. That spans IoT and industrial devices, embedded firmware, desktop and mobile software, and many SaaS-adjacent products.
A few categories are carved out (for example products already covered by sector-specific EU rules). When you are unsure, the practical step is to classify the product against the CRA’s criteria rather than guess.
The three category tiers decide your route
The CRA sorts in-scope products into default, important (Annex III, class I/II) and critical (Annex IV). Roughly 90% fall in the default category and may self-assess. Important and critical products follow stricter routes.
Key points
- Scope: products with digital elements placed on the EU market.
- ~90% of products fall in the default category and can self-assess.
- Manufacturers carry the obligations; importers and distributors have related duties.
- Unsure? Classify the product — don’t assume you’re exempt.
Frequently asked questions
- Does the EU Cyber Resilience Act apply to my product?
- If your product has digital elements and is placed on the EU market, the CRA most likely applies. A small set of products covered by other EU sectoral law are excluded. Run the free readiness check to classify yours.
- Does the CRA apply to free and open-source software?
- Open-source software developed or supplied outside a commercial activity is generally treated differently, and a lighter “open-source steward” role exists. Commercial products that bundle open-source components are still in scope as products.
Related
General information about the EU Cyber Resilience Act — not legal advice. Normproof provides tooling and audit-ready evidence; the manufacturer self-declares conformity. For your specific product, run the free readiness check or consult a qualified advisor.