CRA FAQ

The CRA applies to "products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network" (Article 2(1)), with the exception of products with digital elements that are exempted from its scope, as set out in Article 2(2), 2(3) and 2(4).

Three cumulative elements help to understand if a product with digital elements is subject to the CRA:

• Whether it meets the definition of a product with digital elements (see also entry 1.2 What is a product with digital elements? Are stand-alone software or firmware products with digital elements?);

• Whether it is made available on the market;

• Whether its intended purpose or reasonably foreseeable use include a direct or indirect logical or physical data connection to a device or network (see also 1.3 What is a direct or indirect logical or physical data connection to a device or network? and 4.1.4 What are intended purpose and reasonably foreseeable use, and how do they affect the cybersecurity risk assessment?).

A product with digital elements is defined as "a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately" (Article 3(1)).

Remote data processing is defined as "data processing at a distance for which the software is designed and developed by the manufacturer, or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions" (Article 3(2)).

Software is defined as "the part of an electronic information system which consists of computer code" (Article 3(4)).

Hardware is defined as "a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data" (Article 3(5)).

Electronic information system is defined as "a system, including electrical or electronic equipment, capable of processing, storing or transmitting digital data" (Article 3(7)).

A product with digital elements can take many forms, for example:

• Standalone software that can be downloaded and installed on a device, e.g. a mobile app that can be downloaded via an app store, or a program that can be downloaded via a website;

• Software intended for integration into an electronic information system, when placed separately on the market, e.g. firmware or software meant to be embedded into hardware devices;

• Software that is placed on the market together with a hardware product, whether pre-loaded on the hardware or not, e.g. the drivers that are necessary for a printer to work properly, the operating system in a laptop, or the tools used to design and program FPGAs;

• Various types of hardware, such as more foundational components (e.g. integrated circuits, motherboards; sensors); consumer devices (e.g. smartphones, laptops, smart fridges); complex devices (e.g. industrial IoT devices, machinery).

A product with digital elements also includes its remote data processing solutions.

As stated in Recital 12, websites that do not support the functionality of a product with digital elements are not themselves products with digital elements. Websites that support the functionality of a product with digital elements may fall in scope of the CRA to the extent that they meet the definition of remote data processing (Article 3(2)).

Similarly, services, such as standalone Software-as-a-Service (SaaS) or other cloud solutions designed and developed outside the responsibility of a manufacturer of a product with digital elements are not themselves products with digital elements. Where, on the other hand, such services meet the definition of remote data processing, they fall within the scope of the CRA.

The concept of remote data processing will be part of separate guidance.

A physical connection is defined as "a connection between electronic information systems or components implemented using physical means, including through electrical, optical or mechanical interfaces, wires or radio waves" (Article 3(9)).

A logical connection is defined as "a virtual representation of a data connection implemented through a software interface" (Article 3(8)).

An indirect connection is defined as "a connection to a device or network, which does not take place directly but rather as part of a larger system that is directly connectable to such device or network" (Article 3(10)).

Under certain conditions, all products with digital elements integrated in or connected to a larger electronic information system can serve as an attack vector for malicious actors. As a result, even hardware and software considered to be less critical can facilitate the initial compromise of a device or network, enabling malicious actors to gain privileged access to a system or to move laterally across systems. Manufacturers should therefore ensure that all products with digital elements are designed and developed in accordance with the essential cybersecurity requirements laid down in this Regulation. That obligation relates to both products that can be connected physically via hardware interfaces and products that are connected logically, such as via network sockets, pipes, files, application programming interfaces or any other types of software interface. As cyber threats can propagate through various products with digital elements before reaching a certain target, for example by chaining together multiple vulnerability exploits, manufacturers should also ensure the cybersecurity of products with digital elements that are only indirectly connected to other devices or networks (Recital 9).

A physical connection can be direct, for example, when a product with digital elements connects via a USB cable (e.g. a printer connecting to a laptop); via an Ethernet cable (e.g. a PC connecting to a router); via a fibre optic cable (e.g. a fibre-optic router connecting to the internet service provider's network) or a copper cable (e.g. an industrial fieldbus such as PROFIBUS connecting a sensor to a programmable logic controller); via radio waves, such as via Wi-Fi (e.g. a point-of-sale (POS) terminal that connects to a shop's network), Bluetooth (e.g. a Bluetooth headset connecting to a smartphone), near-field communication technology (e.g. a door lock connecting to an NFC tag).

A logical connection can be direct, for example, when a product with digital elements initiates or manages communication with other devices or networks (e.g. a browser establishing an HTTPS session to access a website, or an email client initiating an IMAP or SMTP exchange); or it can be indirect, when a product with digital elements does not itself initiate the communication but runs on a host system that does (e.g. an offline text editor or a calculator that are indirectly connected via the operating system).

Products with digital elements can simultaneously have more than one form of data connection to other devices or networks.

On the other hand, a product with digital elements does not have a direct or indirect data connection when its intended purpose or reasonably foreseeable use do not include such connection to other devices or networks. Some examples of products that would not fall in scope of the CRA include:

• a dishwasher with embedded firmware controlling dishwashing cycles, but with no capability to connect to other devices or networks;

• a basic calculator with embedded firmware performing arithmetic operations, but with no capability to connect to other devices or networks;

• an electronic toy with embedded firmware playing pre-recorded light and sound effects, but with no capability to connect to other devices or networks;

• a coffee machine with embedded firmware that sets brew times or coffee strength via a control panel, but with no capability to connect to other devices or networks

• an electric toothbrush with a wireless charging station, but with no capability to connect to other devices or networks.^[1]

"Products with digital elements that have been placed on the market before 11 December 2027 are subject to the requirements of the CRA only if, from that date, they are subject to a substantial modification" (Article 69(2)).

"By way of derogation, the obligations laid down in Article 14 shall apply to all products with digital elements that fall within the scope of this Regulation, even if placed on the market before 11 December 2027" (Article 69(3)).

The CRA applies to products placed on the market before 11 December 2027 only if those products are substantially modified after that date. See also 7.1 When does the CRA start applying?

For example, a manufacturer places on the market a smart TV in mid-2027. The manufacturer is not required to comply with the CRA for this product with digital elements. In 2028, it releases a software update, which does not qualify as a substantial modification, to fix a bug that causes apps running on the TV to crash after some usage time. The manufacturer is not required to bring the smart TV in conformity with the CRA, as it would not be substantially modifying it.

In 2029, that manufacturer releases a software update that qualifies as a substantial modification, for example because it modifies the original intended functions by enabling the smart TV to control smart home systems. In that case, the manufacturer is required to bring the smart TV into compliance with the CRA.

See also 7.2 A manufacturer develops a product type before the CRA applies. Can it continue to manufacture products identical to that type after the CRA applies?

A derogation to this general rule, however, applies to reporting obligations laid down in Article 14. Manufacturers are required to notify actively exploited vulnerabilities and severe incidents having an impact on the security of the product with digital elements for all products with digital elements falling within the scope of the CRA, including products that have been placed on the market before 11 December 2027 (Article 69(3)). See for further explanation 5.3 Does a manufacturer need to report actively exploited vulnerabilities or severe incidents for products placed on the market before the CRA applies?

"Placing on the market is considered not to take place where a product is manufactured for one's own use" (The 'Blue Guide' on the implementation of EU product rules 2022^[1], section 2.3).

The CRA applies when a product with digital elements is placed on the market (and subsequent instances of making that product available). The Blue Guide on the implementation of EU product rules 2022 (henceforth, the Blue Guide) clarifies that placing on the market is not considered to take place when a product is manufactured for one's own use.^[2]

For example, development and configuration tools developed by the manufacturer of a product with digital elements for its own use are not in scope of the CRA, unless they are placed on the market as separate products.

"Member States shall not prevent the making available on the market of unfinished software which does not comply with this Regulation, provided that the software is made available only for a limited period required for testing purposes with a visible sign clearly indicating that it does not comply with this Regulation and that it will not be available on the market for purposes other than testing" (Article 4(3)).

Manufacturers can release non-compliant unfinished software for testing purposes, such as alpha versions, beta versions or release candidates, provided that that software is made available only for the time necessary to test it and gather feedback and that it is accompanied by a visible sign indicating its non-compliance.

Recital 37 further clarifies that "manufacturers should ensure that software made available under those conditions is released only following a risk assessment and that it complies to the extent possible with the security requirements relating to the properties of products with digital elements laid down in this Regulation. Manufacturers should also implement the vulnerability handling requirements to the extent possible. Manufacturers should not force users to upgrade to versions only released for testing purposes".

"Manufacturers may maintain public software archives enhancing user access to historical versions. In those cases, users shall be clearly informed in an easily accessible manner about risks associated with using unsupported software" (Article 13(11)).

Manufacturers are allowed to maintain public software archives for historical versions of their products with digital elements that are no longer made available on the market. Users should be clearly informed of the risks that may stem from using software that is no longer supported.

The CRA "does not apply to products with digital elements developed or modified exclusively for national security or defence purposes or to products specifically designed to process classified information" (Article 2.7).

If a product with digital elements is not specifically and exclusively developed or modified for national security or defence purposes, or not specifically designed to process classified information, it falls under the scope of the CRA. So-called "dual-use" products that have both civilian and defence applications are therefore subject to the CRA when made available on the market, unless they are modified exclusively for national security or defence purposes.

Member States may subject products with digital elements that are in scope of the CRA to additional cybersecurity requirements for their procurement or use for specific purposes, provided that such requirements are consistent with Member States' obligations laid down in Union law and that they are necessary and proportionate for the achievement of those purposes, as foreseen by Article 5(1).

The CRA does not apply to products with digital elements:

• to which Regulation (EU) 2017/745 on medical devices and Regulation (EU) 2017/746 on in vitro diagnostic medical devices apply;

• to which Regulation (EU) 2019/2144 on type-approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles, as regards their general safety and the protection of vehicle occupants and vulnerable road users applies;

• certified in accordance with Regulation (EU) 2018/1139 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency; see also section 2.1 Regulation (EU) 2018/1139 on common rules in the field of civil aviation.

The CRA also does not apply to equipment that falls within the scope of Directive 2014/90/EU on marine equipment; see also section 2.2 Directive (EU) 2014/90 on marine equipment.

Delegated Regulation (EU) 2025/1535 also excludes from the application of the CRA products with digital elements that fall within the scope of Regulation (EU) No 168/2013 on the approval and market surveillance of two- or three-wheel vehicles and quadricycles, with the exception of L1e category vehicles designed to pedal.