CRA FAQ

 Open Regulatory Compliance Working Group Orc mascott

Are products meant to be used for national security or defence purposes excluded from the CRA?

The CRA “does not apply to products with digital elements developed or modified exclusively for national security or defence purposes or to products specifically designed to process classified information” (Article 2.7).

If a product with digital elements is not specifically and exclusively developed or modified for national security or defence purposes, or not specifically designed to process classified information, it falls under the scope of the CRA. So-called “dual-use” products that have both civilian and defence applications are therefore subject to the CRA when made available on the market, unless they are modified exclusively for national security or defence purposes.

Member States may subject products with digital elements that are in scope of the CRA to additional cybersecurity requirements for their procurement or use for specific purposes, provided that such requirements are consistent with Member States’ obligations laid down in Union law and that they are necessary and proportionate for the achievement of those purposes, as foreseen by Article 5(1).

© 2025 European Union • CC-BY 4.0 • “FAQs on the Cyber Resilience Act” p.12–13 (PDF) •
Disclaimer

Disclaimer: This document is prepared by the Commission services and should not be considered as representative of the European Commission’s official position. The replies to the FAQs do not extend in any way the rights and obligations deriving from applicable legislation nor introduce any additional requirement. The expressed views are not authoritative and cannot prejudge any future actions the European Commission may take, including potential positions before the Court of Justice of the European Union, which is competent to authoritatively interpret Union law.