Applicability testEU Cyber Resilience Act

CRA applicability test for products with digital elements

Decide whether a hardware, software, firmware, connected component, or open-source release is likely in scope of the EU Cyber Resilience Act.

Work through product status, EU market availability, Article 2 exclusions, operator roles, remote data processing, and Annex III or Annex IV classification before starting conformity assessment.

Back to main artifactReview sources
Author
Sorena AI
Published
Mar 4, 2026
Updated
May 25, 2026
Sections
8

Structured answer sets in this page tree.

Primary sources
4

Cited legal and guidance references.

Publication metadata
Sorena AI
Published Mar 4, 2026
Updated May 25, 2026
Overview

Use this CRA applicability test when a product team needs a first, source-linked scoping record. The useful output is not a legal conclusion in isolation; it is a product-by-product record showing which facts make the CRA apply, which exclusion was checked, which economic-operator role is involved, and which follow-up assessment is needed.

Section 1

1. Is there a product with digital elements?

Start by identifying the actual product boundary. The CRA covers software or hardware products, their remote data processing solutions, and software or hardware components that are placed on the market separately.

Do not stop at the device casing or the app name. A single CRA product can include hardware, embedded firmware, separately downloaded software, and manufacturer-controlled remote processing where those elements operate together to perform product functions.

  • Record whether the item is hardware, software, firmware, source code, a separately supplied component, or a combined hardware-software product.
  • List the functions the product is marketed or intended to perform, using technical documentation and user-facing materials rather than marketing labels alone.
  • Identify any app, API, database, cloud service, update service, identity service, or configuration portal that the product needs for one of its functions.
  • Keep model, version, edition, deployment mode, and sales channel separate because CRA scope and classification can differ across product variants.
Section 2

2. Does the product connect to a device or network?

Article 2 applies where the product's intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. The presence of electronics or firmware alone is not enough if the product does not exchange digital data.

For software, indirect connection can still matter. Commission FAQ examples include software that does not initiate communications itself but runs on a host operating system that connects to a network.

  • Describe each logical connection, such as APIs, network sockets, files, browser sessions, email protocols, or other software interfaces.
  • Describe each physical connection, such as USB, Ethernet, fibre, wired fieldbus, Wi-Fi, Bluetooth, NFC, or another data-carrying interface.
  • Separate data connections from signals that only power, charge, or trigger a function without conveying digitally encoded information.
  • If the product is offline on its own, document whether it is indirectly connected through a host system, larger product, deployment environment, or update mechanism.
Section 3

3. Is it made available on the Union market in commercial activity?

The CRA scope test also asks whether the product is supplied for distribution or use on the EU market in the course of a commercial activity. Products made only for the manufacturer's own use are generally not placed on the market.

Open-source status does not decide the answer by itself. Free and open-source software is assessed by asking whether it is supplied on the Union market in commercial activity; hosting code on an open repository or package manager does not, by itself, make it available on the market.

  • Record who supplies the product, to whom, through which channel, and whether EU distribution or use is intended or reasonably targeted.
  • For software and open-source releases, document whether access, binaries, updates, support, performance optimisation, monetised services, personal-data use, or donor-only benefits indicate commercial activity.
  • For unfinished test software, record whether it is limited to testing and visibly identified as non-compliant and not made available for other purposes.
  • For source code, record whether it is commercially supplied as code, or only shared as public review, tutorial, demo, or unfinished development material.
Section 4

4. Does an Article 2 exclusion remove the product from CRA scope?

Check exclusions before investing in conformity planning. Article 2 removes several product groups where other Union regimes apply or where the product is made for specific national security, defence, or classified-information purposes.

A product is not excluded merely because it can be used in a defence context. The grounded CRA question is whether it was developed or modified exclusively for national security or defence purposes, or specifically designed to process classified information.

  • Check whether the product is covered by the EU medical devices or in vitro diagnostic medical devices regulations.
  • Check vehicle type approval, civil aviation certification, and marine equipment exclusions where the product is part of those regulated product groups.
  • Check whether the item is an identical spare part made to the same specifications to replace an identical component in a product with digital elements.
  • Check whether a delegated act limits or excludes the CRA because another Union framework addresses the same cybersecurity risks with an equivalent or higher level of protection.
Section 5

5. Which CRA role does each organisation have?

Applicability is also role-specific. The CRA distinguishes manufacturers, authorised representatives, importers, distributors, other economic operators, and open-source software stewards. The same company can have different roles for different products or sales channels.

The manufacturer role is broader than physical production. A business can be the manufacturer when it develops or has a product developed and markets it under its own name or trademark. Importers and distributors can also become manufacturers if they place the product on the market under their own name or trademark, or substantially modify it.

  • Name the legal entity marketing the product under its own name or trademark and the entity that controls product cybersecurity decisions.
  • For non-EU manufacturers, identify the EU-established operator performing the required market-surveillance contact tasks.
  • For importers, record the checks needed before placement: conformity assessment, technical documentation, CE marking, declaration of conformity, and required information and instructions.
  • For distributors, record the checks needed before making the product available, and note any facts that would turn the distributor or importer into the manufacturer.
Section 6

6. Is any cloud or backend service a remote data processing solution?

Remote data processing is in scope only when the processing is at a distance, its absence would prevent the product from performing one of its functions, and the software is designed and developed by the manufacturer or under the manufacturer's responsibility.

This does not automatically pull an entire cloud estate into the CRA product. The grounded boundary is the software parts that directly support product functions, not the manufacturer's network and information systems as a whole.

  • Mark a service as likely RDPS when it enables onboarding, configuration, synchronisation, remote commands, updates, identity access, or another product function and the manufacturer designed it or had it built for that purpose.
  • Treat general-purpose third-party SaaS differently unless it was designed and developed by or under the responsibility of the manufacturer.
  • Exclude ordinary informational websites and internal systems such as HR, payroll, CRM, CI/CD, pentesting, or threat-hunting tooling unless they meet the CRA remote-processing criteria for a product function.
  • Document third-party cloud dependency risks even where the service is not RDPS, because the manufacturer may still need due diligence for components and services that affect product cybersecurity.
Section 7

7. Is it default, important class I, important class II, or critical?

Once the product appears in scope, classification determines the conformity assessment route. Products with the core functionality of an Annex III category are important products; products with the core functionality of an Annex IV category are critical products.

The classification test is based on actual features and technical capabilities reflected in the product's intended purpose. Integrating an important or critical component does not automatically make the whole product important or critical.

  • Compare the product's one core functionality against the Annex III and Annex IV categories and the Commission's technical descriptions.
  • Do not classify only by broad family names such as platform, gateway, browser, security tool, or embedded device; compare the actual product capability.
  • If the product only has ancillary overlap with a listed category, record why the listed category is or is not the product's core functionality.
  • If the product qualifies as free and open-source software and falls under Annex III, record whether the Article 32(5) public technical documentation condition is relevant.
Section 8

Applicability record to keep

The page output should be a short scoping record that a product, security, legal, or compliance team can reuse when conformity assessment, technical documentation, supplier due diligence, and release planning begin.

If any answer depends on facts not yet known, mark the product as unresolved rather than forcing an in-scope or out-of-scope answer.

  • Product identifier, version, edition, deployment mode, sales channel, and intended EU availability.
  • Product-with-digital-elements analysis, including hardware, software, firmware, components, connection types, and RDPS boundary.
  • Market-availability and commercial-activity analysis, including open-source monetisation facts where relevant.
  • Article 2 exclusion check, economic-operator role map, Annex III or Annex IV classification outcome, and the source references used for each conclusion.
Next step

Turn the CRA scope answer into a product assessment

Use the applicability result to open a product-level assessment covering role ownership, technical documentation inputs, RDPS boundaries, classification, conformity route, and release blockers.

Assessment workflow
Create a CRA product assessment

Convert the scope record into assigned evidence requests, role checks, and product cybersecurity assessment tasks.

Explore next step
Talk to Sorena
Review a CRA scope question

Use Sorena's contact route for product-specific scoping, RDPS, open-source, or important-product classification questions.

Explore next step
Primary sources

References and citations

Commission Implementing Regulation (EU) 2025/2392
eur-lex.europa.eu
Referenced sections
  • Supports the need to compare actual product features and technical capabilities against the technical descriptions for important-product categories.
"technical descriptions"
Draft Commission guidance on the Cyber Resilience Act
ec.europa.eu
Referenced sections
  • Supports the practical boundary analysis for source code, public repositories, data connections, remote data processing solutions, product core functionality, and important or critical classification.
"Draft Commission guidance on the Cyber Resilience Act"
European Commission CRA FAQs, January 2026
ec.europa.eu
Referenced sections
  • Supports practical interpretations of CRA scope, standalone software, firmware, connection types, products made for own use, transition handling, open-source software, operator roles, and important or critical product classification.
"products with digital elements"
Regulation (EU) 2024/2847, Cyber Resilience Act
data.europa.eu
Referenced sections
  • Supports the legal scope test for products with digital elements, Article 2 exclusions, economic-operator definitions, open-source steward status, remote data processing, Annex III and Annex IV classification, and conformity-assessment consequences.
"products with digital elements"
Related guides

Explore more topics

CRA Article 14 Reporting Obligations for Vulnerabilities and Incidents
Article 14 guide to CRA reports for actively exploited vulnerabilities and severe product-security incidents, including deadlines, CSIRT routing, users, and evidence.
CRA Blue Guide Concepts FAQ | Placing on the Market, Making Available, Distance Sales
CRA FAQ explaining Blue Guide market-access concepts for products with digital elements: placing on the market, making available, imports, CE marking, operator roles, online sales, stock, and testing exceptions.
CRA CE Marking FAQ | Conformity Assessment, EU Declaration, Evidence
Practical CRA CE marking answers for products with digital elements: conformity assessment, EU declaration, technical documentation, standards, software placement, and launch evidence.
CRA Component Due Diligence FAQ | Third-Party Software, FOSS, SBOMs
Cyber Resilience Act FAQ on manufacturer due diligence for integrated components, third-party software, FOSS dependencies, SBOMs, vulnerability handling, and evidence records.
CRA Conformity Assessment and CE Marking
How to choose a Cyber Resilience Act conformity route, prepare technical documentation, issue the EU declaration of conformity, and affix CE marking.
CRA Conformity Assessment Routes FAQ | Module A, Module B+C, Module H, Important and Critical Products
Cyber Resilience Act FAQ on when manufacturers can use module A, when module B+C or module H is required, and how important and critical products affect the route.
CRA Cybersecurity Risk Assessment FAQ | Article 13, Annex I, Updates
CRA FAQ on Article 13 cybersecurity risk assessments, Annex I applicability, intended purpose, foreseeable use, technical documentation, and update evidence.
CRA deadlines and compliance calendar | EU Cyber Resilience Act
Track the Cyber Resilience Act entry into force, staged application dates, Article 14 reporting deadlines, transitional rules, and review dates.
CRA Declaration of Conformity FAQ | Annex V, Simplified Declaration, CE Marking
FAQ on the Cyber Resilience Act EU Declaration of Conformity: Annex V contents, simplified Annex VI wording, CE marking link, technical documentation, retention, updates, and operator duties.
CRA Economic Operators FAQ | Manufacturers, Importers, Distributors, Authorised Representatives
CRA FAQ on economic-operator roles: manufacturers, importers, distributors, authorised representatives, substantial modification, traceability, and evidence controls.
CRA Essential Cybersecurity Requirements FAQ | Annex I Part I and Part II
CRA FAQ on Annex I product cybersecurity requirements, vulnerability handling, secure-by-default design, risk assessment, documentation, lifecycle duties, and user information.
CRA Essential Cybersecurity Requirements in Annex I
A grounded guide to the Cyber Resilience Act Annex I requirements for product security, vulnerability handling, secure-by-design controls, documentation, and evidence.
CRA Hardware and Software Boundaries FAQ | Product Scope, Components, RDPS
FAQ on Cyber Resilience Act hardware and software boundaries: combined products, standalone software, source code, components, remote data processing, SaaS and market-placement changes.
CRA Harmonised Standards FAQ | Presumption of Conformity, Common Specifications
Cyber Resilience Act FAQ on how harmonised standards, common specifications, certification schemes, and OJ publication affect CRA conformity evidence.
CRA Important and Critical Products FAQ | Annex III, Annex IV, Conformity Assessment
FAQ on CRA important and critical products, Annex III and Annex IV classification, core functionality, and conformity assessment consequences.
CRA Integrated Components and Dependencies FAQ | Third-Party Software and SBOM Evidence
Cyber Resilience Act FAQ on integrated components, third-party software, remote data processing, SBOM-style evidence, upstream fixes, FOSS dependencies, and manufacturer responsibility.
CRA Interplay With EU Product Laws FAQ | RED, Machinery, Data Act
Grounded CRA FAQ on overlap with the Radio Equipment Directive, Machinery Regulation, GPSR, Data Act, exclusions, declarations, documentation, and existing certificates.
CRA Known Exploitable Vulnerabilities at Launch FAQ
FAQ for Cyber Resilience Act launch decisions: known exploitable vulnerabilities, CVEs, component flaws, secure-by-default settings, release gates, Article 14 reporting, and evidence.
CRA Legacy Products FAQ | Pre-11 December 2027 Products
Cyber Resilience Act FAQ on products placed on the market before 11 December 2027, Article 14 reporting, substantial modification, distributor stock, spare parts, and records.
CRA Manufacturer Obligations FAQ | Article 13, Annex I, CE Marking
FAQ for Cyber Resilience Act manufacturers covering Article 13 duties, risk assessment, Annex I, vulnerability handling, support periods, documentation, conformity assessment, reporting, CE marking, and evidence controls.
CRA Market Surveillance and Enforcement FAQ | Authorities, Corrective Action, Safeguards
Cyber Resilience Act FAQ on market-surveillance authorities, investigations, corrective action, withdrawal, recall, safeguards, sweeps, documentation access, and penalties.
CRA Module B+C FAQ | EU-Type Examination, Conformity to Type, Notified Bodies
CRA Module B+C FAQ explaining EU-type examination, conformity to type, notified-body evidence, production control, CE marking, declarations, and certificate changes.
CRA Module H FAQ | Full Quality Assurance, Notified Body Surveillance, CE Marking
CRA Module H FAQ explaining the full-quality-assurance route, notified-body assessment, quality-system scope, technical documentation, CE marking, declarations, and records.
CRA Notified Bodies FAQ | Scope, Modules B+C and H, Certificates
Practical CRA FAQ on when notified bodies are needed, how CRA bodies are designated, what their notified scope means, and how Module B+C and Module H assessments work.
CRA Open-Source Software FAQ | FOSS Scope, Stewards, Manufacturers
Cyber Resilience Act FAQ for free and open-source software: commercial activity, steward duties, manufacturer due diligence, vulnerability handling, public documentation, and user obligations.
CRA Over-the-Air Updates FAQ
Cyber Resilience Act FAQ on OTA updates, automatic security updates, secure update distribution, support-period evidence, and offline update paths.
CRA penalties and fines FAQ | Article 64 fine caps
FAQ on EU Cyber Resilience Act Article 64 penalties: maximum fine tiers, turnover caps, national enforcement, economic operators, reporting duties, and open-source steward carve-outs.
CRA Penalties and Fines: Article 64 Caps and Enforcement Context
Article 64 of the EU Cyber Resilience Act sets administrative fine ceilings for Annex I, manufacturer, reporting, economic-operator, notified-body, and information-request breaches.
CRA Product Families FAQ | Variants, Shared Assessments, Family Reuse, Conformity Scope
CRA FAQ on product families, variant grouping, shared technical documentation, conformity evidence, and when cybersecurity-relevant differences need separate assessment.
CRA Products with Digital Elements Scope | EU Cyber Resilience Act
Apply the EU Cyber Resilience Act scope test for software, hardware, remote data processing, components, open-source software, exclusions, and economic-operator roles.
CRA Products With Digital Elements Scope FAQ
EU Cyber Resilience Act FAQ on products with digital elements, software, firmware, remote data processing, components, exclusions, market placement, and CRA operator boundaries.
CRA Remote Data Processing Solutions FAQ | Product Scope, Cloud and Backend Boundaries
FAQ on how the EU Cyber Resilience Act treats remote data processing solutions, manufacturer-controlled backends, third-party cloud services, SaaS, risk assessment, documentation, and user information.
CRA Reporting Obligations FAQ | Article 14, CSIRTs, ENISA, User Notices
Cyber Resilience Act FAQ on Article 14 reporting for actively exploited vulnerabilities and severe incidents, including timing, CSIRT routing, ENISA access, user notices, and evidence.
CRA Requirements | Annex I, Manufacturer Duties and CE Evidence
Map Cyber Resilience Act requirements from Annex I to manufacturer duties, vulnerability handling, user information, technical documentation, declaration of conformity, and CE marking evidence.
CRA SBOM and Vulnerability Management Template
Build a CRA-ready SBOM and vulnerability handling record with component inventory, triage, remediation, disclosure, reporting, update, and technical documentation fields.
CRA Secure-by-Default FAQ | Default Configuration and Annex I Controls
Cyber Resilience Act FAQ on secure-by-default configuration, automatic security updates, attack surface reduction, authentication, data minimisation, user information, and tailor-made products.
CRA Security Updates vs Functionality Updates FAQ
Cyber Resilience Act FAQ on classifying security updates, functionality updates, support-period duties, automatic updates, user notices, and substantial-modification review.
CRA Substantial Modification FAQ | Updates, Repairs, Manufacturer Duties
Cyber Resilience Act FAQ on when software updates, repairs, spare parts, and post-market changes become substantial modifications and trigger CRA manufacturer, evidence, and conformity duties.
CRA Support Period FAQ | Expected Product Lifetime, Security Updates, User Information
Practical CRA FAQ on how manufacturers determine support periods, disclose support end dates, keep security updates available, and document support-period evidence.
CRA Tailor-Made Products FAQ | Bespoke Products, Market Placement, Evidence
FAQ on when a bespoke product may be treated as tailor-made under the EU Cyber Resilience Act, what the carve-out changes, and what manufacturers still need to document.
CRA Technical Documentation FAQ | Annex VII Evidence and Technical File
CRA FAQ explaining Annex VII technical documentation, risk assessment evidence, conformity assessment files, vulnerability handling records, product families, RDPS, language, and authority access.
CRA Transition Period FAQ | Entry Into Force, Application Dates, Reporting, Legacy Products
CRA FAQ on the transition period covering entry into force, 2026 reporting, 2027 application, legacy products, stock, customs timing, and software versions.
CRA Update Availability and Software Archives FAQ
FAQ on CRA security-update availability, support-period notices, optional public software archives, historical versions, and Article 13(10) software-version limits.
CRA User Information and Transparency FAQ | Annex II Instructions
Practical CRA FAQ on Annex II user instructions, support-period disclosure, vulnerability contacts, update notices, importer and distributor information.
CRA vs RED Cybersecurity Delegated Act
Compare the EU Cyber Resilience Act with the RED cybersecurity delegated act for connected and radio equipment, including scope, timing, evidence, and transition treatment.
CRA vs UK PSTI Act | Cyber Resilience Act Comparison
Compare grounded EU Cyber Resilience Act duties with UK PSTI planning points, with UK legal details clearly marked for separate source review.
CRA Vulnerability Handling and Disclosure | Article 14 Reporting and Security Updates
How EU Cyber Resilience Act manufacturers should run vulnerability intake, remediation, coordinated disclosure, Article 14 reporting, secure updates, and evidence records.
CRA Vulnerability Handling FAQ | Support Periods, Components, Reporting
Practical CRA FAQ on vulnerability handling: SBOMs, remediation, coordinated disclosure, component issues, security updates, support periods, Article 14 reporting, and user notices.
Cyber Resilience Act Module A FAQ | Internal Production Control
FAQ on when CRA Module A internal production control is available, when it is blocked, and what documentation, testing, standards, and evidence it still requires.
EU CRA Compliance Program for Manufacturers and Economic Operators
Build a Cyber Resilience Act compliance program around product scope, Annex I security requirements, conformity assessment, technical documentation, vulnerability reporting, and market surveillance.
EU Cyber Resilience Act Checklist for Product Security and CE Marking
A CRA checklist for products with digital elements: scope, Annex I security controls, vulnerability handling, Article 14 reporting, technical documentation, conformity assessment, CE marking, and support-period evidence.
EU Cyber Resilience Act Core Functionality FAQ | CRA Product Classification
CRA FAQ on core functionality, product boundaries, remote data processing, integrated components, ancillary functions, and software changes that affect product classification.
EU Cyber Resilience Act FAQ
Direct CRA FAQ answers on scope, economic-operator roles, essential requirements, vulnerability reporting, conformity assessment, CE marking, support periods, and market surveillance.
EU Cyber Resilience Act Repairs and Spare Parts FAQ
CRA FAQ for repairs, spare parts, legacy products, security updates, substantial modification, and responsibility after product changes.
EU Cyber Resilience Act Technical Documentation and Audit File
Build an audit-ready CRA technical file around Article 31 and Annex VII: product scope, risk assessment, vulnerability handling, conformity evidence, testing, and retention.