Search every question across CRA sub-FAQs

A product is in scope when three elements are present together:

- it is a product with digital elements

- it is made available on the EU market

- its intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network

The Article 2 exclusions must then also be checked.

A product with digital elements is a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately.

Yes.

The Commission FAQ expressly lists standalone software, such as downloadable mobile apps and programs, as examples of products with digital elements.

Yes.

Firmware falls within the CRA when it is software placed on the market, including when it is supplied separately for integration into hardware devices.

Yes.

The Commission FAQ lists integrated circuits, motherboards, and sensors as examples of hardware that can be products with digital elements when the other scope conditions are met.

Yes.

The draft guidance says the delivery channel does not decide the product boundary by itself. If a hardware device is designed to operate together with specific software so that it can perform its intended functions, the hardware and that software together constitute the product with digital elements even if the software is downloaded later through a separate channel such as a website or app store.

No.

The product must also have a direct or indirect logical or physical data connection to a device or network in its intended purpose or reasonably foreseeable use. The Commission FAQ gives examples such as offline dishwashers, calculators, toys, coffee machines, and electric toothbrushes that are outside scope despite embedded firmware.

A logical connection is a virtual representation of a data connection implemented through a software interface.

The Commission FAQ gives examples such as network sockets, pipes, files, APIs, browsers establishing HTTPS sessions, and email clients initiating IMAP or SMTP exchanges.

A physical connection is a connection between electronic information systems or components implemented using physical means, including electrical, optical, mechanical, wired, or radio-based interfaces.

The Commission FAQ gives examples such as USB, Ethernet, fibre, copper fieldbus, Wi-Fi, Bluetooth, and NFC.

Yes.

The CRA expressly covers indirect logical or physical connections. The Commission FAQ explains that even products only indirectly connected through a larger system can serve as attack vectors and therefore fall within scope.

Generally yes.

The March 2026 draft guidance says the scope boundary is not the mere presence of electronics, but the product's capacity to exchange digital information. Signals used only to power or trigger a function, without conveying digitally encoded information, do not amount to a data connection for CRA purposes.

Not necessarily.

The Commission FAQ says websites that do not support the functionality of a product with digital elements are not themselves products with digital elements. If a website supports the functionality of a product and meets the definition of remote data processing, it may fall within scope on that basis.

No, not by itself.

The Commission FAQ says standalone SaaS and other cloud solutions designed and developed outside the responsibility of a manufacturer of a product with digital elements are not themselves products with digital elements. Where such a service meets the definition of remote data processing for a product, it can fall within scope on that basis.

Generally no.

The CRA applies to products made available on the market. The Commission FAQ relies on the Blue Guide to explain that placing on the market does not take place where a product is manufactured for one's own use.

Generally no, unless they are separately placed on the market.

The Commission FAQ gives this example directly for development and configuration tools.

Yes, under specific conditions.

Article 4(3) allows unfinished software that does not comply with the CRA to be made available for the limited period required for testing, provided it carries a visible sign stating that it does not comply and is not being made available for purposes other than testing.

It can still be in scope.

The March 2026 draft guidance explains that the CRA applies based on placement on the market, not on when the product was originally designed. So a product designed before 11 December 2027 can still fall within the CRA if it is first placed on the EU market on or after 11 December 2027.

As a rule, only if they are substantially modified from that date onward.

Article 69(2) says products placed on the market before 11 December 2027 are subject to the CRA only if, from that date, they are substantially modified. Article 14 reporting obligations are the express exception, and the Commission FAQ says those obligations start applying on 11 September 2026.

No.

Those products are excluded, as are products specifically designed to process classified information.

No.

The Commission FAQ says dual-use products remain subject to the CRA when made available on the market unless they are developed or modified exclusively for national security or defence purposes.