Scope GuideEU Cyber Resilience Act

Cyber Resilience Act Products with Digital Elements Scope

Decide whether software, hardware, connected products, components, cloud functions, and open-source releases fall within CRA scope.

Ground the scope call in Article 2 and Article 3 before assigning manufacturer, importer, distributor, or open-source steward responsibilities.

Back to main artifactReview sources
Author
Sorena AI
Published
Mar 4, 2026
Updated
May 25, 2026
Sections
6

Structured answer sets in this page tree.

Primary sources
4

Cited legal and guidance references.

Publication metadata
Sorena AI
Published Mar 4, 2026
Updated May 25, 2026
Overview

The CRA scope question is not simply whether a product contains code. Start with three conditions: the item must be a product with digital elements, it must be made available on the Union market, and its intended purpose or reasonably foreseeable use must include a direct or indirect logical or physical data connection to a device or network. Then check Article 2 exclusions and the special boundaries for remote data processing, components, free and open-source software, and economic-operator roles.

Section 1

Start with the CRA Article 2 and Article 3 scope test

Article 3 defines a product with digital elements as a software or hardware product and its remote data processing solutions, including software or hardware components placed on the market separately. The Commission FAQ lists standalone software, downloadable apps, programs, firmware, integrated circuits, motherboards, and sensors as examples that can qualify when the other scope conditions are met.

Article 2 adds the connection requirement. The product's intended purpose or reasonably foreseeable use must include a direct or indirect logical or physical data connection to a device or network. The FAQ treats indirect connections seriously: software that does not itself communicate may still be indirectly connected through the host system on which it runs.

  • Record the product form: standalone software, hardware, firmware, embedded system, separately marketed component, or system made of several elements.
  • Record how data can move: API, file, network socket, browser session, email protocol, USB, Ethernet, Wi-Fi, Bluetooth, NFC, fieldbus, or another logical or physical interface.
  • Do not treat ordinary electronics as enough. The scope issue is whether digital information can be exchanged, directly or indirectly.
  • Check the Union-market fact separately from the technical definition; internal tools built only for the manufacturer's own use are generally outside placement-on-market analysis unless separately supplied.
Recommended next step

Turn CRA scope analysis into reusable evidence

Research Copilot helps teams capture the product boundary, remote-processing analysis, component status, open-source commercial-activity notes, exclusions, and economic-operator roles with citations.

Research workflow
Open Research Copilot for CRA scope

Prepare cited answers for product boundaries, Article 2 exclusions, remote data processing, open-source status, and operator roles.

Explore next step
Talk to Sorena
Talk through CRA scope implementation

Review how your current product catalog, component inventory, and release channels map to CRA scope.

Explore next step
Section 2

Do not let remote data processing swallow every cloud service

Remote data processing is part of the product only when the Article 3(2) definition is met: processing takes place at a distance, the relevant software is designed and developed by the manufacturer or under its responsibility, and the product would not perform one of its functions without it. Recital 11 gives the useful pattern: a mobile app that needs a manufacturer-provided API or database service for one of its functions can bring that remote processing inside the product boundary.

That does not mean every hosted system behind a product is in scope as remote data processing. The CRA and Commission materials distinguish product-function software from surrounding infrastructure, general connectivity, analytics, websites that only provide information, and third-party SaaS that the manufacturer did not design or commission.

  • Include remote software that directly enables a product function and was designed by, or under the responsibility of, the manufacturer.
  • Exclude ordinary websites, documentation portals, marketing pages, and support pages when they do not support a product function.
  • Treat general-purpose third-party SaaS differently from manufacturer-responsible remote processing; it may create risk and due-diligence work without becoming CRA remote data processing.
  • For technical documentation, describe relevant remote processing and third-party cloud reliance where it affects the product's cybersecurity risk assessment or conformity evidence.
Section 3

Separate integrated components from external dependencies

An integrated software or hardware component forms part of the product with digital elements. A remote data processing solution can also form part of the product if it meets Article 3(2). Other outside systems may remain external dependencies, but Article 13 still requires the manufacturer to assess cybersecurity risks affecting the product and to exercise due diligence when integrating third-party components.

This distinction matters because a component supplier's CE marking, update practice, vulnerability history, or security evidence can support the finished-product assessment, but it does not transfer the finished-product manufacturer's CRA responsibility. The manufacturer remains responsible for the product as placed on the market.

  • Integrated component: part of the product; assess it in the finished-product risk assessment and component due-diligence record.
  • Remote data processing solution: part of the product only when the Article 3(2) dependency and manufacturer-responsibility test is met.
  • External dependency: not part of the product boundary, but still relevant if its failure or compromise creates product cybersecurity risk.
  • If an integrated component has a vulnerability, Article 13 requires the manufacturer to address it in the product and inform the component manufacturer or maintainer where applicable.
Section 4

Check Article 2 exclusions before assigning CRA work

Even where the product appears to meet the products-with-digital-elements definition, Article 2 can remove it from the CRA. The main grounded exclusions include products covered by the EU medical device and in vitro diagnostic medical device regulations, products covered by the vehicle type-approval regulation, products certified under the civil aviation framework, marine equipment, identical spare parts made to replace components to the same specifications, and products developed or modified exclusively for national security or defence purposes.

The exclusion should be documented against the specific legal basis, not a shorthand label. Some sector boundaries require a cross-check against the sector law and the exact product status, such as whether the product is actually covered or certified under the named regime.

  • Medical devices and in vitro diagnostic medical devices: check whether the relevant EU medical device regulation applies.
  • Vehicle, aviation, and marine exclusions: verify the product is within the cited Union regime instead of assuming all transport-related software is excluded.
  • Identical spare parts: confirm they replace an identical component and are manufactured to the same specifications.
  • National security and defence: distinguish exclusive defence or classified-information products from dual-use products made available on the market.
Section 5

Treat free and open-source software as a commercial-activity question

Open-source status does not by itself decide CRA scope. The CRA focuses on whether the software is supplied for distribution or use on the Union market in the course of a commercial activity. Recitals 15, 18, and 19 draw boundaries for monetisation, donations, regular releases, repository hosting, and open-source software stewards.

For a scope record, separate the software publisher's role from the integrating manufacturer's role. A non-commercial FOSS component may remain outside the manufacturer regime for its publisher, while a manufacturer that integrates it into a commercial product still has due-diligence and vulnerability-handling duties for the finished product.

  • Commercial indicators can include charging for the software, monetising related services, conditioning use on personal-data processing for non-security reasons, or donations that exceed design, development, and provision costs.
  • Regular releases, the way development was funded, and repository hosting do not automatically make FOSS commercial.
  • The sole act of hosting code on an open repository, package manager, or collaboration platform does not by itself make the host a distributor.
  • A legal person that systematically supports specific FOSS intended for commercial activities may be an open-source software steward, with tailored Article 24 obligations rather than ordinary manufacturer CE-marking duties.
Section 6

Translate the scope answer into economic-operator consequences

Once a product is in scope, the next question is role allocation. The CRA distinguishes manufacturer, authorised representative, importer, distributor, and other persons subject to obligations for manufacture or market availability. A company that markets a product under its own name or trademark can be the manufacturer even when another party built it.

Importers and distributors have real checks, but they are not second manufacturers by default. Importers check conformity assessment, technical documentation, CE marking, declaration of conformity, user information, and manufacturer traceability obligations before placing the product on the market. Distributors verify marking, documentation, traceability, and necessary documents before making the product available. Either role can become the manufacturer if it markets the product under its own name or substantially modifies it.

  • For each channel, identify who develops or brands the product, who first places it on the Union market, and who later makes it available.
  • For non-EU manufacturers, confirm that an EU-established operator can perform the required market-surveillance-facing tasks.
  • For marketplaces and repositories, distinguish intermediation or hosting from actually distributing, branding, or commercially supplying the product.
  • Keep the product boundary, Article 2 exclusion analysis, remote-processing status, component list, and operator role assignment together because each one changes the evidence a market surveillance authority may ask to see.
Primary sources

References and citations

Draft Commission guidance on the Cyber Resilience Act
ec.europa.eu
Referenced sections
  • Draft Commission guidance used only for non-final interpretive examples on remote data processing, open-source commercial activity, support periods, and interaction with other EU legislation.
"remote data processing solutions and free and open-source software"
European Commission CRA FAQs, January 2026
ec.europa.eu
Referenced sections
  • Commission implementation FAQ used for practical scope examples, including standalone software, firmware, hardware components, direct and indirect connections, websites, SaaS boundaries, own-use tools, exclusions, and operator checks.
"products with digital elements"
European Commission Cyber Resilience Act policy page
digital-strategy.ec.europa.eu
Referenced sections
  • Commission policy overview confirming that the CRA applies to connectable software and hardware products, introduces manufacturer cybersecurity requirements, and uses CE marking and national market surveillance for enforcement.
"connectable hardware and software"
Regulation (EU) 2024/2847, Cyber Resilience Act
data.europa.eu
Referenced sections
  • Primary legal source for Article 2 scope and exclusions, Article 3 definitions, manufacturer and economic-operator roles, component due diligence, and open-source steward obligations.
"software or hardware product and its remote data processing solutions"
Related guides

Explore more topics

CRA Applicability Test for Products With Digital Elements
Check whether the EU Cyber Resilience Act applies to a hardware, software, firmware, open-source, or connected product before conformity planning.
CRA Article 14 Reporting Obligations for Vulnerabilities and Incidents
Article 14 guide to CRA reports for actively exploited vulnerabilities and severe product-security incidents, including deadlines, CSIRT routing, users, and evidence.
CRA Blue Guide Concepts FAQ | Placing on the Market, Making Available, Distance Sales
CRA FAQ explaining Blue Guide market-access concepts for products with digital elements: placing on the market, making available, imports, CE marking, operator roles, online sales, stock, and testing exceptions.
CRA CE Marking FAQ | Conformity Assessment, EU Declaration, Evidence
Practical CRA CE marking answers for products with digital elements: conformity assessment, EU declaration, technical documentation, standards, software placement, and launch evidence.
CRA Component Due Diligence FAQ | Third-Party Software, FOSS, SBOMs
Cyber Resilience Act FAQ on manufacturer due diligence for integrated components, third-party software, FOSS dependencies, SBOMs, vulnerability handling, and evidence records.
CRA Conformity Assessment and CE Marking
How to choose a Cyber Resilience Act conformity route, prepare technical documentation, issue the EU declaration of conformity, and affix CE marking.
CRA Conformity Assessment Routes FAQ | Module A, Module B+C, Module H, Important and Critical Products
Cyber Resilience Act FAQ on when manufacturers can use module A, when module B+C or module H is required, and how important and critical products affect the route.
CRA Cybersecurity Risk Assessment FAQ | Article 13, Annex I, Updates
CRA FAQ on Article 13 cybersecurity risk assessments, Annex I applicability, intended purpose, foreseeable use, technical documentation, and update evidence.
CRA deadlines and compliance calendar | EU Cyber Resilience Act
Track the Cyber Resilience Act entry into force, staged application dates, Article 14 reporting deadlines, transitional rules, and review dates.
CRA Declaration of Conformity FAQ | Annex V, Simplified Declaration, CE Marking
FAQ on the Cyber Resilience Act EU Declaration of Conformity: Annex V contents, simplified Annex VI wording, CE marking link, technical documentation, retention, updates, and operator duties.
CRA Economic Operators FAQ | Manufacturers, Importers, Distributors, Authorised Representatives
CRA FAQ on economic-operator roles: manufacturers, importers, distributors, authorised representatives, substantial modification, traceability, and evidence controls.
CRA Essential Cybersecurity Requirements FAQ | Annex I Part I and Part II
CRA FAQ on Annex I product cybersecurity requirements, vulnerability handling, secure-by-default design, risk assessment, documentation, lifecycle duties, and user information.
CRA Essential Cybersecurity Requirements in Annex I
A grounded guide to the Cyber Resilience Act Annex I requirements for product security, vulnerability handling, secure-by-design controls, documentation, and evidence.
CRA Hardware and Software Boundaries FAQ | Product Scope, Components, RDPS
FAQ on Cyber Resilience Act hardware and software boundaries: combined products, standalone software, source code, components, remote data processing, SaaS and market-placement changes.
CRA Harmonised Standards FAQ | Presumption of Conformity, Common Specifications
Cyber Resilience Act FAQ on how harmonised standards, common specifications, certification schemes, and OJ publication affect CRA conformity evidence.
CRA Important and Critical Products FAQ | Annex III, Annex IV, Conformity Assessment
FAQ on CRA important and critical products, Annex III and Annex IV classification, core functionality, and conformity assessment consequences.
CRA Integrated Components and Dependencies FAQ | Third-Party Software and SBOM Evidence
Cyber Resilience Act FAQ on integrated components, third-party software, remote data processing, SBOM-style evidence, upstream fixes, FOSS dependencies, and manufacturer responsibility.
CRA Interplay With EU Product Laws FAQ | RED, Machinery, Data Act
Grounded CRA FAQ on overlap with the Radio Equipment Directive, Machinery Regulation, GPSR, Data Act, exclusions, declarations, documentation, and existing certificates.
CRA Known Exploitable Vulnerabilities at Launch FAQ
FAQ for Cyber Resilience Act launch decisions: known exploitable vulnerabilities, CVEs, component flaws, secure-by-default settings, release gates, Article 14 reporting, and evidence.
CRA Legacy Products FAQ | Pre-11 December 2027 Products
Cyber Resilience Act FAQ on products placed on the market before 11 December 2027, Article 14 reporting, substantial modification, distributor stock, spare parts, and records.
CRA Manufacturer Obligations FAQ | Article 13, Annex I, CE Marking
FAQ for Cyber Resilience Act manufacturers covering Article 13 duties, risk assessment, Annex I, vulnerability handling, support periods, documentation, conformity assessment, reporting, CE marking, and evidence controls.
CRA Market Surveillance and Enforcement FAQ | Authorities, Corrective Action, Safeguards
Cyber Resilience Act FAQ on market-surveillance authorities, investigations, corrective action, withdrawal, recall, safeguards, sweeps, documentation access, and penalties.
CRA Module B+C FAQ | EU-Type Examination, Conformity to Type, Notified Bodies
CRA Module B+C FAQ explaining EU-type examination, conformity to type, notified-body evidence, production control, CE marking, declarations, and certificate changes.
CRA Module H FAQ | Full Quality Assurance, Notified Body Surveillance, CE Marking
CRA Module H FAQ explaining the full-quality-assurance route, notified-body assessment, quality-system scope, technical documentation, CE marking, declarations, and records.
CRA Notified Bodies FAQ | Scope, Modules B+C and H, Certificates
Practical CRA FAQ on when notified bodies are needed, how CRA bodies are designated, what their notified scope means, and how Module B+C and Module H assessments work.
CRA Open-Source Software FAQ | FOSS Scope, Stewards, Manufacturers
Cyber Resilience Act FAQ for free and open-source software: commercial activity, steward duties, manufacturer due diligence, vulnerability handling, public documentation, and user obligations.
CRA Over-the-Air Updates FAQ
Cyber Resilience Act FAQ on OTA updates, automatic security updates, secure update distribution, support-period evidence, and offline update paths.
CRA penalties and fines FAQ | Article 64 fine caps
FAQ on EU Cyber Resilience Act Article 64 penalties: maximum fine tiers, turnover caps, national enforcement, economic operators, reporting duties, and open-source steward carve-outs.
CRA Penalties and Fines: Article 64 Caps and Enforcement Context
Article 64 of the EU Cyber Resilience Act sets administrative fine ceilings for Annex I, manufacturer, reporting, economic-operator, notified-body, and information-request breaches.
CRA Product Families FAQ | Variants, Shared Assessments, Family Reuse, Conformity Scope
CRA FAQ on product families, variant grouping, shared technical documentation, conformity evidence, and when cybersecurity-relevant differences need separate assessment.
CRA Products With Digital Elements Scope FAQ
EU Cyber Resilience Act FAQ on products with digital elements, software, firmware, remote data processing, components, exclusions, market placement, and CRA operator boundaries.
CRA Remote Data Processing Solutions FAQ | Product Scope, Cloud and Backend Boundaries
FAQ on how the EU Cyber Resilience Act treats remote data processing solutions, manufacturer-controlled backends, third-party cloud services, SaaS, risk assessment, documentation, and user information.
CRA Reporting Obligations FAQ | Article 14, CSIRTs, ENISA, User Notices
Cyber Resilience Act FAQ on Article 14 reporting for actively exploited vulnerabilities and severe incidents, including timing, CSIRT routing, ENISA access, user notices, and evidence.
CRA Requirements | Annex I, Manufacturer Duties and CE Evidence
Map Cyber Resilience Act requirements from Annex I to manufacturer duties, vulnerability handling, user information, technical documentation, declaration of conformity, and CE marking evidence.
CRA SBOM and Vulnerability Management Template
Build a CRA-ready SBOM and vulnerability handling record with component inventory, triage, remediation, disclosure, reporting, update, and technical documentation fields.
CRA Secure-by-Default FAQ | Default Configuration and Annex I Controls
Cyber Resilience Act FAQ on secure-by-default configuration, automatic security updates, attack surface reduction, authentication, data minimisation, user information, and tailor-made products.
CRA Security Updates vs Functionality Updates FAQ
Cyber Resilience Act FAQ on classifying security updates, functionality updates, support-period duties, automatic updates, user notices, and substantial-modification review.
CRA Substantial Modification FAQ | Updates, Repairs, Manufacturer Duties
Cyber Resilience Act FAQ on when software updates, repairs, spare parts, and post-market changes become substantial modifications and trigger CRA manufacturer, evidence, and conformity duties.
CRA Support Period FAQ | Expected Product Lifetime, Security Updates, User Information
Practical CRA FAQ on how manufacturers determine support periods, disclose support end dates, keep security updates available, and document support-period evidence.
CRA Tailor-Made Products FAQ | Bespoke Products, Market Placement, Evidence
FAQ on when a bespoke product may be treated as tailor-made under the EU Cyber Resilience Act, what the carve-out changes, and what manufacturers still need to document.
CRA Technical Documentation FAQ | Annex VII Evidence and Technical File
CRA FAQ explaining Annex VII technical documentation, risk assessment evidence, conformity assessment files, vulnerability handling records, product families, RDPS, language, and authority access.
CRA Transition Period FAQ | Entry Into Force, Application Dates, Reporting, Legacy Products
CRA FAQ on the transition period covering entry into force, 2026 reporting, 2027 application, legacy products, stock, customs timing, and software versions.
CRA Update Availability and Software Archives FAQ
FAQ on CRA security-update availability, support-period notices, optional public software archives, historical versions, and Article 13(10) software-version limits.
CRA User Information and Transparency FAQ | Annex II Instructions
Practical CRA FAQ on Annex II user instructions, support-period disclosure, vulnerability contacts, update notices, importer and distributor information.
CRA vs RED Cybersecurity Delegated Act
Compare the EU Cyber Resilience Act with the RED cybersecurity delegated act for connected and radio equipment, including scope, timing, evidence, and transition treatment.
CRA vs UK PSTI Act | Cyber Resilience Act Comparison
Compare grounded EU Cyber Resilience Act duties with UK PSTI planning points, with UK legal details clearly marked for separate source review.
CRA Vulnerability Handling and Disclosure | Article 14 Reporting and Security Updates
How EU Cyber Resilience Act manufacturers should run vulnerability intake, remediation, coordinated disclosure, Article 14 reporting, secure updates, and evidence records.
CRA Vulnerability Handling FAQ | Support Periods, Components, Reporting
Practical CRA FAQ on vulnerability handling: SBOMs, remediation, coordinated disclosure, component issues, security updates, support periods, Article 14 reporting, and user notices.
Cyber Resilience Act Module A FAQ | Internal Production Control
FAQ on when CRA Module A internal production control is available, when it is blocked, and what documentation, testing, standards, and evidence it still requires.
EU CRA Compliance Program for Manufacturers and Economic Operators
Build a Cyber Resilience Act compliance program around product scope, Annex I security requirements, conformity assessment, technical documentation, vulnerability reporting, and market surveillance.
EU Cyber Resilience Act Checklist for Product Security and CE Marking
A CRA checklist for products with digital elements: scope, Annex I security controls, vulnerability handling, Article 14 reporting, technical documentation, conformity assessment, CE marking, and support-period evidence.
EU Cyber Resilience Act Core Functionality FAQ | CRA Product Classification
CRA FAQ on core functionality, product boundaries, remote data processing, integrated components, ancillary functions, and software changes that affect product classification.
EU Cyber Resilience Act FAQ
Direct CRA FAQ answers on scope, economic-operator roles, essential requirements, vulnerability reporting, conformity assessment, CE marking, support periods, and market surveillance.
EU Cyber Resilience Act Repairs and Spare Parts FAQ
CRA FAQ for repairs, spare parts, legacy products, security updates, substantial modification, and responsibility after product changes.
EU Cyber Resilience Act Technical Documentation and Audit File
Build an audit-ready CRA technical file around Article 31 and Annex VII: product scope, risk assessment, vulnerability handling, conformity evidence, testing, and retention.