Search every question across CRA sub-FAQs

No.

The draft guidance says its specific explanation for digitally supplied standalone software applies only to standalone software. It does not govern cases where the software is combined with hardware as part of one product.

No.

The draft guidance distinguishes software supplied via physical means from standalone software supplied digitally. In that case, the physical carrier with the software on it is treated as the product supplied for distribution.

Yes.

The CRA defines software as computer code, and the draft guidance explains that this can include both machine code and source code.

No.

The draft guidance says whether code is uncompiled, compiled or interpreted is not relevant to whether it is software within the CRA.

Yes.

The draft guidance says that where a manufacturer provides customers with computer code as part of its commercial activity, that code is considered to be placed on the market regardless of whether it is machine code or source code.

The draft guidance says the original supplier is responsible for the code it placed on the market. The customer's later adaptations and compilation are a separate matter.

No.

The draft guidance says sample or demo code provided as part of tutorials or training materials is not considered placed on the market.

No.

The draft guidance says unfinished code shared during design and development is not considered placed on the market because its manufacturing phase is not complete. Separately, Article 4(3) deals with unfinished software intentionally made available for testing under specific conditions.

Yes.

Article 3(1) expressly includes software or hardware components placed on the market separately. The Commission FAQ gives firmware, embedded software, integrated circuits, motherboards and sensors as examples.

No.

The Commission FAQ says websites that do not support the functionality of a product are not themselves products with digital elements. It also says standalone SaaS or other cloud solutions designed and developed outside the responsibility of a manufacturer are not themselves products with digital elements. Where such elements meet the definition of remote data processing, they may instead fall within scope on that basis.

Yes.

The draft guidance says complex systems can constitute a single product where the system is placed on the market as one product.

No.

The draft guidance says those characteristics do not in themselves exclude a complex system from the CRA. They affect how the CRA's risk-based compliance analysis is applied, not whether the product is in scope.

Yes.

The CRA definition of a product with digital elements includes its remote data processing solutions. Whether a specific remote function qualifies depends on the separate Article 3(2) test, but the product boundary is not limited to the local hardware or software alone.

Yes.

The Commission FAQ gives tools used to design and program FPGAs as an example of software placed on the market together with hardware. Read together with the draft guidance, this shows that relevant software does not need to be preloaded on the hardware or run on the hardware itself. If, in light of the intended purpose and reasonably foreseeable use, the software is necessary for the hardware product to perform its intended functions or to be meaningfully used, it can form part of the same product boundary.

Not automatically.

The cited sources identify the wearable and the manufacturer-provided smartphone application as together constituting a single product because they are designed and intended to operate together. At the same time, the Commission FAQ separately recognises mobile apps and smartphones or laptops as products with digital elements in their own right. Taken together, those examples indicate that the necessary app can fall within the combined product boundary without automatically absorbing the user's general-purpose host device into that same boundary.

Yes, if it is designed and developed under the manufacturer's responsibility.

The draft guidance explains that remote data processing can qualify as part of the product not only when it is developed fully in-house, but also when an external provider develops it solely on behalf of the manufacturer, based on the manufacturer's designs and specifications. In that situation, the remote software can still fall within the product boundary as remote data processing.

No, not as such.

The draft guidance explains that remote data processing is defined as the software elements of data processing at a distance. It is not meant to include, as part of the product boundary, the hardware that the remote data processing relies on. So the relevant remote software may fall within the product boundary, but the entire hosting infrastructure does not automatically do so as hardware.

No.

For remote functionality to qualify as remote data processing, the software must be designed and developed by the manufacturer or under its responsibility. The draft guidance says standard third-party SaaS, and comparable third-party elements in PaaS or IaaS stacks, do not meet that test merely because the product depends on them. Instead, they should be treated similarly to third-party components: the manufacturer must assess the resulting risks and address them through product-level measures and due diligence.

They are the CRA's main technical conformity tools.

Article 27 gives harmonised standards, common specifications, and certain European cybersecurity certification schemes a specific legal role in demonstrating conformity with the CRA's essential cybersecurity requirements. They do not change the requirements themselves, but they can create a presumption of conformity for the requirements they cover.

No.

The CRA does not require manufacturers to use harmonised standards. They are a voluntary means of demonstrating conformity. If the manufacturer does not use them, it still has to show compliance with the essential cybersecurity requirements by other technical means and document that approach in the technical documentation.