Article 2 defines the scope of the CRA — which products and economic operators are covered — and sets out important exclusions for sectors already regulated under other EU frameworks. Understanding the scope boundaries is critical for manufacturers who operate across multiple product categories or who supply products to regulated industries such as medical devices, aviation, or automotive. Where exclusions apply, the CRA does not impose additional obligations, but the underlying sector regulation typically has its own cybersecurity requirements.
General Scope: Products with Digital Elements
Article 2(1) applies the CRA to products with digital elements that are placed on the market or put into service in the EU, where those products have a direct or indirect logical or physical data connection to a device or network. This captures a very broad range of hardware and software products — from consumer IoT devices and industrial sensors to operating systems, firmware, and standalone software applications.
The key qualifying condition is the network or device connection. A purely mechanical product with no digital components falls outside the scope. However, a product that includes an embedded microcontroller with network capability, even if that capability is not its primary function, is likely within scope. Manufacturers of complex multi-component systems should assess each component independently as well as the system as a whole.
Excluded Sectors: Medical Devices and IVDs
Products regulated under the EU Medical Device Regulation (MDR, Regulation 2017/745) and the In Vitro Diagnostic Medical Devices Regulation (IVDR, Regulation 2017/746) are excluded from CRA scope. These regulations already impose cybersecurity requirements on medical devices, including post-market surveillance and incident reporting obligations.
Manufacturers of medical devices that connect to networks must still comply with MDR/IVDR cybersecurity requirements, which are enforced through notified bodies and the EUDAMED database. The practical effect of the exclusion is that medical device manufacturers do not face dual obligations under both the CRA and MDR/IVDR — the sector-specific regime prevails.
Note that this exclusion applies to the device itself. Software that is itself a medical device (SaMD) is excluded; general-purpose software that merely interfaces with a medical device, without being a medical device in its own right, is not automatically excluded.
Excluded Sectors: Aviation, Vehicles, and Maritime
Products regulated under EU aviation safety rules (EASA Regulation 2018/1139) are excluded from the CRA. Aviation-specific cybersecurity requirements apply through EASA certification processes, which include security assessments for software and systems in aircraft.
Vehicles type-approved under UNECE WP.29 cybersecurity regulations (implemented in the EU through Regulation 2019/2144) are similarly excluded. The UNECE WP.29 framework already requires vehicle manufacturers to implement cybersecurity management systems and maintain them throughout the vehicle lifecycle.
These exclusions reflect the EU legislature's preference for avoiding regulatory duplication in safety-critical sectors where sector-specific cybersecurity frameworks already exist and are enforced by specialist bodies. Manufacturers operating in these sectors should document which regulatory framework applies to each product line.
Excluded Sectors: Military and National Security
Products intended exclusively for military or national security purposes are excluded from the CRA's scope. This exclusion reflects the constitutional limits of EU competence in defence and national security matters, which remain primarily within member state jurisdiction.
The exclusion applies to products specifically designed, manufactured, and used for military or national security purposes. Dual-use products — those sold to both civilian and military customers — are not automatically excluded. If a product is placed on the general civilian market, even if the manufacturer also supplies it to defence customers, the CRA applies to the civilian market version.
Manufacturers of dual-use products should carefully assess which version of their product is subject to CRA obligations and ensure that civilian market versions comply accordingly.
Open-Source Software and the CRA
Article 2 makes clear that not-for-profit open-source software distributed freely is generally outside the CRA's commercial scope. However, this exclusion is narrower than it might appear. Open-source software that is monetised — through support contracts, managed services, or integration into commercial products — falls within scope through the commercial entity that monetises it.
The CRA introduces the concept of 'open-source software stewards' — foundations and organisations that systematically supply open-source software — and creates a lighter-touch obligation regime for them. Stewards do not bear the full obligations of a manufacturer but must cooperate with manufacturers who use their components and must maintain a CVD policy.
For most commercial software companies that use open-source components, the CRA obligations flow to the manufacturer of the final product, not to the upstream open-source project maintainers.
Products Placed on the Market vs. Custom-Built Products
The CRA applies to products 'placed on the market' — meaning made available to third parties through a commercial distribution channel. Custom-built products manufactured for a single customer's specific use, and not made available more broadly, occupy a grey zone that may be addressed in implementing guidance.
Products developed entirely in-house for internal use, with no distribution to third parties, are generally not within scope. However, manufacturers who sell or license products to external customers, even under bespoke contracts, are likely within scope. The key question is whether the product is made available to parties beyond the manufacturer's own organisation.
Frequently asked
Is SaaS excluded from the CRA?
Pure SaaS and cloud services — where the software is accessed remotely and no product is placed on the market — are generally excluded. However, hybrid products that combine a physical device with cloud connectivity are in scope. The software component embedded in the device, and any firmware or client software distributed to users, is subject to CRA requirements.
Does the MDR/IVDR exclusion apply to the entire device or only certain components?
The exclusion applies to the medical device as a whole if it is regulated under MDR or IVDR. General-purpose IT infrastructure or software tools used in hospitals but not classified as medical devices are not automatically excluded — they would need to be assessed under the CRA in the normal way.
Are cybersecurity products like firewalls or antivirus software within scope?
Yes. Cybersecurity products — including firewalls, antivirus software, intrusion detection systems, and VPNs — are within scope and are classified as important or critical products under Annex III or Annex IV. They face more stringent conformity assessment requirements than default-class products.
What happens when the CRA and another sector regulation both seem to apply?
The CRA includes lex specialis provisions that defer to sector-specific regulations where they cover the same cybersecurity requirements with equivalent stringency. Article 2 lists the sectors where this applies. For products outside these explicit exclusions, the CRA applies in full even if other regulations also impose some security requirements.
Does the scope include products manufactured outside the EU but sold into the EU?
Yes. The CRA applies based on where products are placed on the market, not where they are manufactured. Non-EU manufacturers who sell products in the EU must comply with CRA requirements or appoint an EU-based authorised representative under Article 16.