EU Cyber Resilience Act

CRA and medical software

Medical software can be affected by both the Cyber Resilience Act and sector-specific EU rules. Where products are already covered by equivalent requirements under other EU law, overlaps are handled to avoid double regulation — but the cybersecurity evidence still has to exist.

What to focus on

  • Check interaction with existing medical-device regulation before assuming scope.
  • Cybersecurity evidence (SBOM, vulnerability handling) is reusable across regimes.
  • Document the essential requirements you meet and how.
  • Confirm the conformity route for your specific product.

Frequently asked questions

Does the CRA apply to medical software?
It can, and it interacts with existing medical-device rules; where other EU law already imposes equivalent requirements, duplication is avoided. Confirm scope for your specific product.

General information about the EU Cyber Resilience Act — not legal advice. Normproof provides tooling and audit-ready evidence; the manufacturer self-declares conformity. For your specific product, run the free readiness check or consult a qualified advisor.

See what the CRA requires for your medical software.

Run the free readiness check — your category, obligations, and deadlines in 60 seconds.