Does every electronic product with embedded firmware automatically fall within the CRA?
No.
The product must also have a direct or indirect logical or physical data connection to a device or network in its intended purpose or reasonably foreseeable use. The Commission FAQ gives examples such as offline dishwashers, calculators, toys, coffee machines, and electric toothbrushes that are outside scope despite embedded firmware.
What counts as a logical connection under the CRA?
A logical connection is a virtual representation of a data connection implemented through a software interface.
The Commission FAQ gives examples such as network sockets, pipes, files, APIs, browsers establishing HTTPS sessions, and email clients initiating IMAP or SMTP exchanges.
What counts as a physical connection under the CRA?
A physical connection is a connection between electronic information systems or components implemented using physical means, including electrical, optical, mechanical, wired, or radio-based interfaces.
The Commission FAQ gives examples such as USB, Ethernet, fibre, copper fieldbus, Wi-Fi, Bluetooth, and NFC.
Can a product still be in scope if it is only indirectly connected to a device or network?
Yes.
The CRA expressly covers indirect logical or physical connections. The Commission FAQ explains that even products only indirectly connected through a larger system can serve as attack vectors and therefore fall within scope.
Is a product outside scope if it has electronics but does not exchange digital data?
Generally yes.
The March 2026 draft guidance says the scope boundary is not the mere presence of electronics, but the product's capacity to exchange digital information. Signals used only to power or trigger a function, without conveying digitally encoded information, do not amount to a data connection for CRA purposes.
Are websites themselves CRA products with digital elements?
Not necessarily.
The Commission FAQ says websites that do not support the functionality of a product with digital elements are not themselves products with digital elements. If a website supports the functionality of a product and meets the definition of remote data processing, it may fall within scope on that basis.
Is standalone SaaS itself a product with digital elements under the CRA?
No, not by itself.
The Commission FAQ says standalone SaaS and other cloud solutions designed and developed outside the responsibility of a manufacturer of a product with digital elements are not themselves products with digital elements. Where such a service meets the definition of remote data processing for a product, it can fall within scope on that basis.
When does remote data processing become part of a CRA product?
Remote data processing is in the product boundary when three conditions align: data processing happens at a distance, the relevant software is designed and developed by the manufacturer or under the manufacturer's responsibility, and the product would be unable to perform one of its functions without that processing.
This means the CRA question is narrower than "does the product use cloud infrastructure?" A manufacturer-operated API or database service that is necessary for a mobile app function can be part of the product, while unrelated back-office systems or generic third-party SaaS usually need separate risk and supplier assessment rather than being treated as the product's own remote data processing.
FAQ 1.2 confirms that standalone SaaS is not itself a product with digital elements unless it meets the remote data processing definition for a product.
Are products manufactured only for the manufacturer's own use in CRA scope?
Generally no.
The CRA applies to products made available on the market. The Commission FAQ relies on the Blue Guide to explain that placing on the market does not take place where a product is manufactured for one's own use.
Who is the manufacturer, importer, or distributor for CRA scope decisions?
The manufacturer is the party that develops, manufactures, or has the product designed, developed, or manufactured, and markets it under its own name or trademark. The importer is the EU-established party that places on the market a product bearing the name or trademark of a person established outside the Union. The distributor is another supply-chain party that makes the product available on the Union market without affecting its properties.
Those labels matter because the scope answer does not by itself allocate every obligation. A branded reseller may be the manufacturer, a third-country direct-sales setup still needs an EU-established responsible operator for Article 4 of Regulation (EU) 2019/1020 tasks, and an online marketplace is not a CRA economic operator for a product merely because it hosts an offer.
When does an importer or distributor become the CRA manufacturer?
An importer or distributor becomes the manufacturer for CRA purposes if it places the product on the market under its own name or trademark, or if it carries out a substantial modification of a product that is already on the market.
A separate person that substantially modifies a product and then makes it available on the market is also treated as the manufacturer. The manufacturer obligations apply to the affected part of the product, or to the product as a whole where the substantial modification affects the cybersecurity of the whole product.
Article 21 states when importers, distributors, or other persons become subject to manufacturer obligations after own-brand placement or substantial modification.
Can a manufacturer release unfinished or non-compliant software for testing purposes under the CRA?
Yes, under specific conditions.
Article 4(3) allows unfinished software that does not comply with the CRA to be made available for the limited period required for testing, provided it carries a visible sign stating that it does not comply and is not being made available for purposes other than testing.
What if a product was designed before 11 December 2027 but is first placed on the market on or after that date for CRA scope purposes?
It can still be in scope.
The March 2026 draft guidance explains that the CRA applies based on placement on the market, not on when the product was originally designed. So a product designed before 11 December 2027 can still fall within the CRA if it is first placed on the EU market on or after 11 December 2027.
Do products placed on the market before 11 December 2027 fall under the CRA?
As a rule, only if they are substantially modified from that date onward.
Article 69(2) says products placed on the market before 11 December 2027 are subject to the CRA only if, from that date, they are substantially modified. Article 14 reporting obligations are the express exception, and the Commission FAQ says those obligations start applying on 11 September 2026.
Article 2(7) excludes products developed or modified exclusively for national security or defence purposes and classified-information processing products.
Are dual-use products excluded from the CRA just because they can also be used in defence contexts?
No.
The Commission FAQ says dual-use products remain subject to the CRA when made available on the market unless they are developed or modified exclusively for national security or defence purposes.
Does the CRA identify an additional vehicle-related exclusion outside Article 2?
Yes.
The Commission FAQ says Delegated Regulation (EU) 2025/1535 also excludes products with digital elements falling within the scope of Regulation (EU) No 168/2013 on two- or three-wheel vehicles and quadricycles, except L1e category vehicles designed to pedal.
Are there other products that may later be limited or excluded because sectoral rules already cover the same risks?
Yes.
Article 2(5) allows the Commission to adopt delegated acts limiting or excluding the CRA for products covered by other Union rules that address all or some of the same risks, where the regulatory framework remains coherent and the sectoral rules achieve the same or a higher level of protection.