Cyber Resilience Act: Which companies and products are covered by the CRA?

The Cyber Resilience Act (CRA) affects far more companies than traditional IT or hardware manufacturers. The decisive factor is whether a product with digital elements is made available on the EU market and can be connected, directly or indirectly, to a device, network, app, API, or cloud environment. This article provides a concise explanation of which products and companies fall within the scope of the CRA, which exceptions apply, and how special cases such as SaaS, open source, and legacy products should be assessed.

When does the CRA apply in principle?

As a general rule, the CRA applies to products with digital elements that are made available on the EU market and can have a direct or indirect data connection to a device or network.

The CRA therefore does not primarily attach to specific industries or sectors, but rather to the product itself. As a result, not only IT and software companies may be affected, but also, among others, machinery manufacturers, distributors, importers, manufacturers of connected components, and providers of digital product functionalities.

The three key questions are therefore the following: Is there a product with digital elements? Does its intended purpose or reasonably foreseeable use also involve a direct or indirect logical or physical connection to devices or networks? And is the product with digital elements made available in the EU?

Which products fall within the scope of the CRA?

In particular, the CRA covers connected hardware, software products, digital components, and certain product-related remote data processing solutions.

The term product with digital elements is broad. It includes hardware and software products, provided they can establish a connection to devices or networks, as well as their remote data processing solutions. The connection may be physical or logical, for example via Wi-Fi, Bluetooth, Ethernet, USB, an API, or a cloud interface. Software and hardware components may also be placed on the market separately.

| Product type | Typical examples | CRA relevance |
|---|---|---|
| Connected hardware | Routers, sensors, smart home devices, industrial control systems | Generally relevant |
| Software products | Operating systems, apps, desktop software, security software | Generally relevant |
| Digital components | Firmware, software modules, separately marketed hardware components | Generally relevant |
| Product-related cloud functions | Cloud integration of a smart home system or connected machine | Generally relevant |
| Purely analogue products | Products without digital functions and without connectivity | Generally not relevant |

It is important to note that a product does not have to be particularly critical in order to fall within the scope of the CRA. Even everyday digital products may be covered if they are capable of being connected.

Practical example: A machine without a digital interface does not fall within the scope of the CRA solely because of its industrial use. However, if it is sold with a connected control system, remote maintenance functionality, or cloud connectivity, the CRA may become relevant.

For a CRA assessment, the product’s technical connectivity is therefore more decisive than, for example, the provider’s industry or level of criticality.

Which companies may be affected by the CRA?

Manufacturers, importers, and distributors of products with digital elements are particularly affected.

The CRA looks at a company’s role in the supply chain. The decisive factor is therefore not only who developed a product, but also who imports it, distributes it, offers it under its own brand, or substantially modifies it.

| Role | When is it relevant? |
|---|---|
| Manufacturer | Anyone who develops or manufactures a product with digital elements, has one designed, developed, or manufactured, or markets it under their own name or trademark is a manufacturer. |
| Importer | Anyone who places a product with digital elements from a third country on the EU market may be an importer. |
| Distributor | Anyone who makes a product with digital elements available on the EU market without substantially modifying it may be a distributor. |

For many companies, distinguishing between distributor, importer, and manufacturer will be particularly important. Anyone who merely resells a product has different obligations from a company that develops it itself or at least offers it under its own brand or modifies it technically.

The CRA regulates the roles and obligations of economic operators, in particular those of manufacturers, importers, and distributors. The Regulation also recognizes special roles such as open-source software stewards.

Companies should therefore determine their CRA role based on their actual market and supply-chain function in relation to the specific products with digital elements, not based on their internal self-description.

When are distributors or importers treated as manufacturers themselves?

Distributors or importers may be treated as manufacturers if they distribute a product under their own name or trademark or substantially modify it.

This legal fiction of manufacturer status is particularly important in practice. Anyone who appears externally as the provider of a digital product or makes security-relevant changes may thereby fall within the scope of the manufacturer obligations under the CRA.

Typical cases include:

  • distribution under one’s own brand;
  • private-label or white-label products;
  • rebranding of digital products;
  • technical modifications before resale;
  • security-relevant changes to hardware or software.

Practical example: A wholesaler purchases connected cameras from outside the EU and sells them under its own brand in Germany. Even though it did not develop the cameras itself, it may be deemed a manufacturer under the CRA.

Anyone who relabels digital products, sells them under their own brand, or substantially modifies them should therefore always examine whether they assume a manufacturer role under the CRA.

Which products are exempt from the CRA?

Certain product groups are exempt if they are already regulated by specific EU legal frameworks. Here too, the decisive factor is the specific product, not the industry of the respective economic operator.

The CRA is not intended to duplicate existing sector-specific regimes. For that reason, there are exemptions for certain product areas, such as medical devices, vehicles, aviation products, or marine equipment. These exemptions should, however, always be examined in detail.

| Category of products with digital elements | Relevant legal framework or special regime |
|---|---|
| Medical devices and in vitro diagnostic medical devices | MDR and IVDR |
| Certain motor vehicles, trailers, systems, components, and separate technical units insofar as they fall under Regulation (EU) 2019/2144 | EU type-approval and vehicle safety law |
| Products with digital elements certified under Regulation (EU) 2018/1139 | EU aviation safety law |
| Marine equipment | EU marine equipment directive |
| Products for national security or defence | Relevant special legal regimes |

Exemptions should always be assessed on a product-by-product basis; there is no blanket exemption for an entire industry.

What applies to SaaS, open source, and legacy products?

SaaS, open source, and legacy products cannot be assessed across the board. They must be evaluated on the basis of market availability, commercialization, product linkage, and the extent of modifications.

SaaS and cloud: As a general rule, pure SaaS offerings are not the main target of the CRA. They are more likely to fall under the NIS 2 Directive or the German BSI Act. However, SaaS offerings may fall within the scope of the CRA if they themselves constitute elements of products with digital functionalities or are required as remote data processing solutions for a product with digital elements. The decisive factor is the specific technical and contractual classification.

Open source: Non-commercial free and open-source software benefits from privileged treatment under the CRA.

Legacy products: Products placed on the market before 11 December 2027 are, in principle, not fully subject to the CRA requirements, provided they are not substantially modified. However, the reporting obligations under Article 14 CRA also apply to legacy products. In the event of a substantial modification, the product is treated as a new product and must fully conform to the CRA.

Quick check: does our product fall within the scope of the CRA?

An initial assessment can be made using five review questions. They do not replace a detailed legal analysis, but they help provide quick orientation.

  1. Does the product qualify as a product with digital elements within the meaning of the CRA?
  2. Is there a possibility of connectivity?
  3. Is the product made available on the EU market?
  4. What role does your company play?
  5. Does an exemption or special situation app

Conclusion: the scope of the CRA should be assessed on a product-by-product basis

The Cyber Resilience Act affects companies not because they belong to a certain industry, but because they make digital or connected products available on the EU market. The decisive factors are the type of product, its connectivity, the company’s market role, and possible exemptions.

Companies should therefore assess at an early stage which products with digital elements they offer, import, or distribute. Special cases such as SaaS, open source, private label, substantial product modifications, and legacy products are particularly important in this context. Anyone who classifies these issues correctly will be in a much better position to determine whether, and in what role, the CRA is relevant.
