What kinds of products are NOT regulated by the CRA?
The following are NOT regulated by the Cyber Resilience Act (CRA):
- Services
- Software as a service (SaaS) (already regulated by NIS 2 (Directive (EU) 2022/2555) and/or DORA (Regulation (EU) 2022/2554)) and websites, unless used to process data for a product that is regulated by the CRA (see 🌐 Remote Data Processing Solutions FAQ list)
- Products that do not contain software
- Products already covered by other regulations or directives: civil aviation equipment (already covered by Regulation (EU) 2018/1139), marine equipment (already covered by Directive (EU) 2014/90), medical devices (already covered by Regulation (EU) 2017/745 and Regulation (EU) 2017/746), and motor vehicles (already covered by Regulation (EU) 2019/2144)
- Products exclusively designed for national security or defence purposes
- Products specifically designed to process classified information
It is worth noting however, that the intent of the EU legislators is to harmonize the various regulations mentioned above with the CRA in the near future.
© 2025
ORC WG Authors
• CC BY 4.0
• Source
•
Disclaimer
Disclaimer: The information contained in this FAQ is of a general nature only and is not intended to address the specific circumstances of any particular individual or entity. It is not necessarily comprehensive, complete, accurate, or up to date. It does not constitute professional or legal advice. If you need specific advice, you should consult a suitably qualified professional.