In-scope product (CRA scope)
A product with digital elements that falls within the scope of the CRA (Art. 2) and is therefore subject to its requirements. In-scope products are those that have a direct or indirect logical or physical data connection to a device or network and are made available on the EU market in the course of a commercial activity. Several product categories are explicitly excluded from CRA scope.
Source citations
See also
What is in scope?
The CRA applies to:
"products with digital elements whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network" (Art. 2(1))
...that are made available on the EU market in the course of a commercial activity.
A product with digital elements includes both:
- Hardware with embedded software (e.g. smart home devices, routers, medical wearables)
- Software supplied as a product (including as a download, SaaS frontend, or integrated service)
The connectivity requirement is satisfied by, among other things:
- TCP/IP network connections
- Bluetooth, Wi-Fi, Zigbee, or other wireless protocols
- USB, serial, or other wired protocols
- APIs consumed by other networked software
Products excluded from CRA scope
| Excluded category | Reason / governing law |
|---|---|
| Medical devices (Class IIa/IIb/III and in-vitro diagnostic devices) | MDR (EU) 2017/745, IVDR (EU) 2017/746 |
| Type-approved motor vehicles | Regulation (EU) 2019/2144 |
| Civil aviation equipment | Regulation (EU) 2018/1139 |
| Marine equipment | Directive 2014/90/EU |
| Military and national security equipment | Art. 2(6) exclusion |
| Products already subject to sector-specific EU law providing equivalent cybersecurity requirements | Case-by-case assessment |
Non-commercial FOSS
Free and open-source software developed and supplied outside the course of a commercial activity is out of scope (Art. 2(1), read with recitals 15–18). Commercial FOSS and monetised open-source projects are in scope.
Standalone SaaS
Pure software as a service (with no client-side software component installed on the user's device) is not a PDE and is therefore not directly in scope of the CRA. However, any client application (app, library, SDK) connecting to that service is in scope. The remote data processing solution (RDPS) of a PDE is in scope as part of that PDE.