← CRA Guide
Article 3

Scope — Which Products Are Covered by the CRA?

Article 3 defines the CRA's scope. Understanding whether your product falls within scope is the essential first step in CRA compliance planning. The regulation applies broadly to hardware and software products with network connectivity sold in the EU, with a defined set of exclusions for products already covered by other sector-specific regulations.

Effective: September 2026Applies to: Manufacturers, importers, and distributors of products with digital elements sold in the EU market
Free compliance portal →

What Is a 'Product with Digital Elements'?

The CRA defines a product with digital elements as any software or hardware product (and its remote data processing solutions) that:

  1. Can connect — directly or indirectly — to another device or network
  2. Is placed on the EU market (sold to EU customers) after the application date
  • Physical hardware devices with embedded software (IoT devices, routers, industrial controllers)
  • Standalone software applications (both desktop and mobile)
  • Operating systems and firmware
  • Software components sold as part of a larger product

Key test: Does the product have any form of network connectivity, even indirect? If yes, it is likely in scope.

CRA reference:Article 3(1), Recital 13

What Is Excluded from CRA Scope?

Article 3 excludes products already subject to equivalent cybersecurity requirements under other EU regulations:

  • Medical devices — Covered by MDR (Medical Device Regulation) and IVDR
  • Motor vehicles — Covered by UNECE WP.29 and the EU type-approval framework
  • Civil aviation products — Covered by EASA regulations
  • Marine equipment — Covered under the Marine Equipment Directive
  • Military and national security products — Excluded from EU internal market law entirely

Important: Products that partially overlap with these sectors but are not specifically regulated by sector-specific legislation may still be in scope. For example, a health and fitness tracker that is not classified as a medical device is not excluded from the CRA.

CRA reference:Article 3(2), Recital 15–18

The SaaS and Cloud Services Question

Pure Software as a Service (SaaS) and cloud services are generally not covered by the CRA. The CRA focuses on products placed on the market — i.e., products that are downloaded, installed, or shipped as physical goods.

  • Software that is downloaded and installed on a device (mobile apps, desktop applications) is in scope.
  • Hardware products that rely on cloud connectivity for their primary function are in scope (the hardware product, not the cloud service itself).
  • If a vendor offers both a downloadable product and a cloud-hosted version, the downloadable product is likely in scope.

This distinction is important for software vendors who offer both SaaS and on-premise deployment options.

CRA reference:Article 3, Recital 12

Who Has Obligations Under the CRA?

The CRA distinguishes between three roles in the supply chain:

  1. Manufacturers — Companies that design, develop, and produce products, or have them designed/produced and sell them under their own name or trademark. Manufacturers bear the primary compliance obligations.
  1. Importers — Companies that bring non-EU products into the EU market. Importers must verify manufacturer compliance and may bear liability if a manufacturer is unreachable.
  1. Distributors — Companies that make products available on the EU market without placing them on the market themselves. Distributors have lighter obligations but must verify that products bear proper CE marking.

For global manufacturers with EU customers, the manufacturer obligations apply regardless of where the manufacturer is based.

CRA reference:Article 3, Articles 17–19

CVD Portal helps you comply with Article 3 automatically.

Public submission portal, 48-hour acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever.

Start your free portal

Frequently asked

Does the CRA apply to open-source software?+

Open-source software that is not commercialised is generally outside CRA scope. 'Commercialised' means the software is provided in the course of a commercial activity — including free software that supports a paid service or subscription. Open-source stewards and foundations are subject to lighter obligations under the CRA compared to commercial manufacturers.

Does the CRA apply to B2B software?+

Yes. The CRA applies to all products placed on the EU market regardless of whether they are sold to businesses or consumers. There is no B2B exemption.

If my product is made outside the EU, does the CRA apply?+

Yes — if you sell or make your product available to EU customers, the CRA applies to you regardless of where you are headquartered or where the product is manufactured. The CRA is a market access requirement, not a jurisdictional one.

What about legacy products sold before September 2026?+

Products placed on the market before the CRA application date are not immediately subject to its requirements. However, products substantially modified after that date, or products that continue to be actively sold after that date under new production runs, will generally need to comply.

Related CRA Articles

Article 10Obligations of Manufacturers — Product Security by DesignArticle 13Coordinated Vulnerability Disclosure Obligations for ManufacturersAnnex IIIImportant Products with Digital Elements — Class I and Class II ClassificationAnnex IVCritical Products with Digital Elements — Highest-Risk Classification

Need a CVD policy that satisfies Article 3?

Download a free CRA-compliant template and deploy it in minutes.

Browse templates →