EU Cyber Resilience Act

Does the CRA apply to SaaS?

The Cyber Resilience Act targets products with digital elements, including the remote data-processing solutions necessary for a product to function. Pure standalone cloud services may sit outside, but software products and product-linked back ends are often in scope.

What to focus on

  • Distinguish a standalone service from a product (and its required back end).
  • Where in scope, maintain an SBOM and vulnerability handling.
  • Document the essential requirements and update policy.
  • Confirm scope for your specific offering.

Frequently asked questions

Does the CRA apply to SaaS?
The CRA covers products with digital elements and the remote data-processing solutions necessary for them to function. Whether a given SaaS is in scope depends on how it relates to a product — classify yours to be sure.

General information about the EU Cyber Resilience Act — not legal advice. Normproof provides tooling and audit-ready evidence; the manufacturer self-declares conformity. For your specific product, run the free readiness check or consult a qualified advisor.

See what the CRA requires for your saas & web products.

Run the free readiness check — your category, obligations, and deadlines in 60 seconds.