What kinds of products are NOT regulated by the CRA?

The following are NOT regulated by the Cyber Resilience Act (CRA):

• Services
• Software as a service (SaaS) (already regulated by NIS 2 and/or DORA)
• Products that do not contain software
• Products already covered by other regulations or directives: civil aviation equipment (already covered by 2018/1139), marine equipment (already covered by 2014/90), medical devices (already covered by 2017/745 and 2017/746), and motor vehicles (already covered by 2019/2144)
• Products exclusively designed for national security or defence purposes
• Products specifically designed to process classified information

It is worth noting however, that the intent of the EU legislators is to harmonize the various regulations mentioned above with the CRA in the near future.