EU Cyber Resilience Act FAQ Scope and Products with Digital Elements

A product is in scope when three elements are present together:

- it is a product with digital elements

- it is made available on the EU market

- its intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network

The Article 2 exclusions must then also be checked.

A product with digital elements is a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately.

Yes.

The Commission FAQ expressly lists standalone software, such as downloadable mobile apps and programs, as examples of products with digital elements.

Yes.

Firmware falls within the CRA when it is software placed on the market, including when it is supplied separately for integration into hardware devices.

Yes.

The Commission FAQ lists integrated circuits, motherboards, and sensors as examples of hardware that can be products with digital elements when the other scope conditions are met.

Yes.

The draft guidance says the delivery channel does not decide the product boundary by itself. If a hardware device is designed to operate together with specific software so that it can perform its intended functions, the hardware and that software together constitute the product with digital elements even if the software is downloaded later through a separate channel such as a website or app store.

No.

The product must also have a direct or indirect logical or physical data connection to a device or network in its intended purpose or reasonably foreseeable use. The Commission FAQ gives examples such as offline dishwashers, calculators, toys, coffee machines, and electric toothbrushes that are outside scope despite embedded firmware.

A logical connection is a virtual representation of a data connection implemented through a software interface.

The Commission FAQ gives examples such as network sockets, pipes, files, APIs, browsers establishing HTTPS sessions, and email clients initiating IMAP or SMTP exchanges.

A physical connection is a connection between electronic information systems or components implemented using physical means, including electrical, optical, mechanical, wired, or radio-based interfaces.

The Commission FAQ gives examples such as USB, Ethernet, fibre, copper fieldbus, Wi-Fi, Bluetooth, and NFC.

Yes.

The CRA expressly covers indirect logical or physical connections. The Commission FAQ explains that even products only indirectly connected through a larger system can serve as attack vectors and therefore fall within scope.

Generally yes.

The March 2026 draft guidance says the scope boundary is not the mere presence of electronics, but the product's capacity to exchange digital information. Signals used only to power or trigger a function, without conveying digitally encoded information, do not amount to a data connection for CRA purposes.

Not necessarily.

The Commission FAQ says websites that do not support the functionality of a product with digital elements are not themselves products with digital elements. If a website supports the functionality of a product and meets the definition of remote data processing, it may fall within scope on that basis.

No, not by itself.

The Commission FAQ says standalone SaaS and other cloud solutions designed and developed outside the responsibility of a manufacturer of a product with digital elements are not themselves products with digital elements. Where such a service meets the definition of remote data processing for a product, it can fall within scope on that basis.

Remote data processing is in the product boundary when three conditions align: data processing happens at a distance, the relevant software is designed and developed by the manufacturer or under the manufacturer's responsibility, and the product would be unable to perform one of its functions without that processing.

This means the CRA question is narrower than "does the product use cloud infrastructure?" A manufacturer-operated API or database service that is necessary for a mobile app function can be part of the product, while unrelated back-office systems or generic third-party SaaS usually need separate risk and supplier assessment rather than being treated as the product's own remote data processing.

Generally no.

The CRA applies to products made available on the market. The Commission FAQ relies on the Blue Guide to explain that placing on the market does not take place where a product is manufactured for one's own use.

Generally no, unless they are separately placed on the market.

The Commission FAQ gives this example directly for development and configuration tools.

The manufacturer is the party that develops, manufactures, or has the product designed, developed, or manufactured, and markets it under its own name or trademark. The importer is the EU-established party that places on the market a product bearing the name or trademark of a person established outside the Union. The distributor is another supply-chain party that makes the product available on the Union market without affecting its properties.

Those labels matter because the scope answer does not by itself allocate every obligation. A branded reseller may be the manufacturer, a third-country direct-sales setup still needs an EU-established responsible operator for Article 4 of Regulation (EU) 2019/1020 tasks, and an online marketplace is not a CRA economic operator for a product merely because it hosts an offer.

An importer or distributor becomes the manufacturer for CRA purposes if it places the product on the market under its own name or trademark, or if it carries out a substantial modification of a product that is already on the market.

A separate person that substantially modifies a product and then makes it available on the market is also treated as the manufacturer. The manufacturer obligations apply to the affected part of the product, or to the product as a whole where the substantial modification affects the cybersecurity of the whole product.

Yes, under specific conditions.

Article 4(3) allows unfinished software that does not comply with the CRA to be made available for the limited period required for testing, provided it carries a visible sign stating that it does not comply and is not being made available for purposes other than testing.

It can still be in scope.

The March 2026 draft guidance explains that the CRA applies based on placement on the market, not on when the product was originally designed. So a product designed before 11 December 2027 can still fall within the CRA if it is first placed on the EU market on or after 11 December 2027.

As a rule, only if they are substantially modified from that date onward.

Article 69(2) says products placed on the market before 11 December 2027 are subject to the CRA only if, from that date, they are substantially modified. Article 14 reporting obligations are the express exception, and the Commission FAQ says those obligations start applying on 11 September 2026.

No.

Those products are excluded, as are products specifically designed to process classified information.

No.

The Commission FAQ says dual-use products remain subject to the CRA when made available on the market unless they are developed or modified exclusively for national security or defence purposes.

The CRA does not apply to:

- products to which Regulation (EU) 2017/745 on medical devices applies

- products to which Regulation (EU) 2017/746 on in vitro diagnostic medical devices applies

- products to which Regulation (EU) 2019/2144 on vehicle type approval applies

- products certified in accordance with Regulation (EU) 2018/1139 on civil aviation

- equipment within the scope of Directive 2014/90/EU on marine equipment

Yes.

The Commission FAQ says Delegated Regulation (EU) 2025/1535 also excludes products with digital elements falling within the scope of Regulation (EU) No 168/2013 on two- or three-wheel vehicles and quadricycles, except L1e category vehicles designed to pedal.

Yes.

Article 2(5) allows the Commission to adopt delegated acts limiting or excluding the CRA for products covered by other Union rules that address all or some of the same risks, where the regulatory framework remains coherent and the sectoral rules achieve the same or a higher level of protection.

Yes.

The CRA excludes spare parts made available to replace identical components in products with digital elements where those spare parts are manufactured according to the same specifications as the components they replace.

Yes.

The CRA does not prevent Member States from setting additional cybersecurity requirements for procurement or use for specific purposes, including national security or defence procurement or use, as long as those requirements are consistent with Union law and are necessary and proportionate.

Yes.

The draft guidance says it does not matter whether the code is uncompiled, compiled, or interpreted. If a manufacturer provides computer code to customers as part of a commercial activity, that code is placed on the market for CRA purposes even if the customer still has to adapt or compile it before use.

Yes. For the ordinary manufacturer regime, free and open-source software falls within CRA product scope when it is made available on the market in the course of a commercial activity. Recital 18 says free and open-source software that is not monetised by its manufacturer should not be considered commercial activity.

A free repository release therefore is not enough by itself. The facts that matter are who places the software on the Union market, whether that specific software is monetised by that actor, and whether the actor is instead functioning as an open-source software steward for software intended for commercial activities.

No.

The draft guidance says public sharing of free and open-source computer code in repositories is not by itself placing that code on the market. It also says unfinished code shared during design and development, and sample or demo code provided in tutorials or training materials, is not considered placed on the market.

Yes.

The Commission FAQ gives the example of an offline text editor or calculator that does not itself initiate communications but runs on a host operating system that does. In that situation, the software can still be indirectly connected within the CRA meaning.

Not by itself.

The draft guidance says a data connection requires digital information to be deliberately encoded and capable of being decoded as data at the destination. Signals used only to power or trigger a function do not create a CRA data connection. The Commission FAQ's electric-toothbrush example illustrates the same boundary.

Yes.

The draft guidance says systems composed of multiple hardware and software elements that operate together to perform a certain function can be a single product with digital elements where that system is placed on the market as a single product. Their complexity, long lifecycle, or reliance on older components does not exclude them from scope by itself.

No. The finished-product manufacturer remains responsible for the cybersecurity of the product it places on the market, including integrated components. A component supplier may have its own CRA duties if the component is itself a product with digital elements placed on the market separately, but that does not transfer the finished-product manufacturer's obligations.

The manufacturer may rely on upstream conformity work where it is relevant, but still has to exercise due diligence, assess whether the component compromises the finished product, and address vulnerabilities in integrated components during the support period.