Free tool
CRA Scope & Class Checker
Not sure if the EU Cyber Resilience Act applies to your product? Answer a few plain-English questions and get a tailored steer: whether it applies, in what role, which product class, which conformity assessment route, and what to do next.
The short version
How CRA scope works
Four things decide whether the CRA lands on you and what it demands: what kind of product you make, how it reaches the EU market, which supply-chain role you play, and which product class it falls in. Here is each in plain English.
Products with digital elements
A "product with digital elements" (PDE) is a software or hardware product together with its remote data processing solutions, including software or hardware components that are placed on the market separately. Regulation (EU) 2024/2847, Art. 3(1). The CRA applies to a PDE whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network (Art. 2(1)), so a purely offline product is out of scope even if it is software. "Remote data processing" means back-end processing that the manufacturer designs, or has designed under its responsibility, for the product and without which the product cannot perform one of its functions (Art. 3(2)): the cloud side of a connected product is therefore in scope even though it is never shipped to the user.
The key exclusions are products already regulated by sector-specific rules: medical devices (MDR, Regulation (EU) 2017/745, and IVDR, Regulation (EU) 2017/746), motor vehicles under EU type-approval rules, civil aviation products under the EASA regulation, and marine equipment under the Marine Equipment Directive. Products developed or modified exclusively for national security or defence purposes are also excluded. Pure SaaS and cloud services that ship no client-side software are not products with digital elements and are left to NIS2 where the provider is in NIS2 scope; the one catch is remote data processing for a PDE, which the CRA does reach. Free and open-source software supplied outside a commercial activity is outside the full obligation set, though open-source stewards have lighter duties under Article 24. European Commission, CRA summary
Roles in the supply chain
Your role decides how much work you do. A manufacturer is the natural or legal person that develops or produces a PDE, or has it designed, developed or produced, and markets it under its own name or trademark, whether for payment or free of charge (Art. 3(13)). Manufacturers carry the fullest duties: cybersecurity risk assessment, the essential requirements of Annex I, SBOM, vulnerability handling, coordinated vulnerability disclosure (CVD), security updates, conformity assessment, CE marking, EU Declaration of Conformity, technical documentation, and reporting of actively exploited vulnerabilities and severe incidents.
An importer places on the EU market a product from a manufacturer established outside the EU. Before doing so it must verify that the manufacturer has carried out the appropriate conformity assessment, drawn up the technical documentation, affixed the CE marking and supplied the EU Declaration of Conformity and user information (Art. 19). A distributor makes available a product that is already on the EU market; it checks that the CE marking, EU Declaration of Conformity and user information and instructions are in place (Art. 20). An open-source software steward is a legal person, other than a manufacturer, that systematically provides sustained support for the development of specific open-source PDEs intended for commercial activities (a foundation, for example) (Art. 3(14)); it has a lighter set of duties under Article 24, and the CRA's administrative fines do not apply to it (Art. 64).
Product classes set the conformity route
The Commission estimates that about 90% of products fall in the Default class, where self-assessment (internal control, module A) is permitted. Important Class I (Annex III, Part I - for example identity and privileged access management software, browsers, password managers, anti-malware software, products with a VPN function, network management systems, SIEM, boot managers, PKI and certificate issuance software, network interfaces, operating systems, routers and modems, microprocessors and microcontrollers with security-related functionality, smart-home virtual assistants and smart-home security products such as locks and cameras, connected toys with interactive or location features, and personal wearable health monitoring devices) allows self-assessment only if you fully apply harmonised standards, common specifications or a European cybersecurity certification scheme; otherwise a notified body must be involved. Important Class II (Annex III, Part II - hypervisors and container runtimes, firewalls, intrusion detection and prevention systems, tamper-resistant microprocessors and tamper-resistant microcontrollers) always requires third-party assessment. Critical products (Annex IV - hardware devices with security boxes such as HSMs, smart meter gateways and other devices for advanced security purposes including secure cryptoprocessing, and smartcards or similar devices including secure elements) face the strictest route, and the Commission may require an EU cybersecurity certificate for them (Art. 8). Regulation (EU) 2024/2847, Art. 32, Annex III and Annex IV
Guidance and implementing acts are still developing
Scope questions people ask
Does the CRA apply to pure SaaS and cloud services?
Generally no. A fully cloud-hosted service where the customer runs no software of their own is not a product with digital elements; it is addressed by NIS2 (Directive (EU) 2022/2555) where the provider falls within NIS2's scope. Two things pull a service back into the CRA. First, if you ship a client application, a downloadable component, an agent or an SDK, that element is a PDE and falls within the CRA. Second, if a PDE you place on the market depends on your back-end to perform one of its functions, that back-end is "remote data processing" and is covered as part of the product. The test is therefore not only whether software is distributed to and run by the end user, but also whether a product you sell cannot work without your service.
Is open-source software covered by the CRA?
It depends on whether it is supplied in the course of a commercial activity, and on your role. Open-source software that is commercialised - for example sold, monetised through a platform or paid support, or bundled with other products - is a product with digital elements, and whoever places it on the market under their name or trademark takes on the manufacturer duties. Open-source software supplied outside a commercial activity is outside the full obligation set. An organisation that acts as an open-source software steward for such a project does have a lighter set of duties under Article 24: putting in place and documenting a cybersecurity policy for the project, cooperating with market surveillance authorities, and, to the extent it is involved in development, reporting actively exploited vulnerabilities and severe incidents. Importantly, the CRA's administrative fines do not apply to stewards. Individual contributors to a project they do not commercialise are not manufacturers.
What is the difference between Important Class I and Important Class II?
Both classes are listed in Annex III and face stricter rules than the Default class. Class I products (Annex III, Part I: for example browsers, password managers, anti-malware software, products with a VPN function, identity and privileged access management software, network management systems, SIEM, boot managers, PKI software, operating systems, routers and modems, smart-home virtual assistants and security products, connected toys with interactive or location features, and wearable health monitors) may self-assess only if they fully apply harmonised standards, common specifications or a European cybersecurity certification scheme; otherwise a notified body must be involved. Class II products (Annex III, Part II: hypervisors and container runtimes, firewalls, intrusion detection and prevention systems, tamper-resistant microprocessors and tamper-resistant microcontrollers) always require third-party assessment; self-assessment is never permitted. Critical products in Annex IV (hardware devices with security boxes such as HSMs, smart meter gateways and other advanced security devices, smartcards and secure elements) face the strictest route and may be required to hold an EU cybersecurity certificate. Regulation (EU) 2024/2847, Art. 32, Annex III and Annex IV
What are the CRA deadlines?
There are three dates to know. From 11 June 2026 the rules on notified bodies apply, so conformity assessment bodies can start being designated. From 11 September 2026 the reporting obligations under Article 14 apply: manufacturers must report actively exploited vulnerabilities and severe incidents affecting the security of their products. From 11 December 2027 all other obligations apply - essential requirements, conformity assessment, CE marking, SBOM and security update duties (Art. 71). Products placed on the market before 11 December 2027 are caught only if they are substantially modified after that date (Art. 69). There is no company-size exemption from these dates; Article 33 provides support measures for microenterprises and small enterprises, including a simplified technical documentation form, but does not move the deadlines.
As a distributor, do I need to do a conformity assessment?
No. Distributors do not carry out their own conformity assessment. Your job, before making a product available, is to verify that it bears the CE marking and that the EU Declaration of Conformity and the user information and instructions required by Annex II accompany it (Art. 20). If you have reason to believe a product does not conform, you must not make it available until it does, and you must inform the manufacturer or importer and, where there is a significant risk, the market surveillance authorities. If you substantially modify the product or place it on the market under your own name or trademark, you are treated as the manufacturer and take on the full set of obligations (Art. 22).
This is guidance to help you understand the CRA, not legal advice. For decisions specific to your business, confirm with the official sources we link or a qualified adviser.
Sources
- [1] Regulation (EU) 2024/2847 (CRA), full text on EUR-Lex. Retrieved 8 Jun 2026.
- [2] European Commission, CRA summary and overview. Retrieved 8 Jun 2026.
- [3] European Commission, Cyber Resilience Act policy page. Retrieved 8 Jun 2026.