EU Cyber Resilience Act
CRA and medical software
Medical software can be affected by both the Cyber Resilience Act and sector-specific EU rules. Where products are already covered by equivalent requirements under other EU law, overlaps are handled to avoid double regulation — but the cybersecurity evidence still has to exist.
What to focus on
- Check interaction with existing medical-device regulation before assuming scope.
- Cybersecurity evidence (SBOM, vulnerability handling) is reusable across regimes.
- Document the essential requirements you meet and how.
- Confirm the conformity route for your specific product.
Frequently asked questions
- Does the CRA apply to medical software?
- It can, and it interacts with existing medical-device rules; where other EU law already imposes equivalent requirements, duplication is avoided. Confirm scope for your specific product.
General information about the EU Cyber Resilience Act — not legal advice. Normproof provides tooling and audit-ready evidence; the manufacturer self-declares conformity. For your specific product, run the free readiness check or consult a qualified advisor.