Products with Digital Elements (PDE)
A 'product with digital elements' (PDE) is the CRA's term for any hardware or software product that has the ability to process, store, or transmit data and that connects, directly or indirectly, to another device or network. This definition determines whether the CRA applies to a given product.
What Is a Product with Digital Elements?
Article 3(1) of the CRA defines a product with digital elements as 'any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately, whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.' In plain terms: if a product can connect to another device or network — directly (Bluetooth, Wi-Fi, Ethernet, USB) or indirectly (via a gateway) — it is a PDE. This definition intentionally casts a wide net, covering consumer IoT devices, industrial equipment, software applications, network equipment, mobile apps, and embedded components sold separately.
Scope Inclusions and Exclusions
The CRA explicitly excludes certain product categories where sector-specific regulation already applies:
- Medical devices and in-vitro diagnostic devices (MDR / IVDR apply).
- Motor vehicles and their cybersecurity (UN Regulation 155 / 156 apply).
- Civil aviation products (EASA regulations apply).
- Marine equipment (Marine Equipment Directive applies).
- Products solely for national security and defence.
- Products for classified information processing.
Included categories are broad: routers, smart home devices, industrial controllers, wearables, software applications, cloud-connected products, operating systems, and firmware updates. Purely SaaS products with no downloadable component are a grey area under active regulatory interpretation.
Software as a PDE
Software products are explicitly within scope. Article 3(1) covers 'software products' that process, store, or transmit data and connect to a device or network. This includes:
- Desktop and mobile applications.
- Operating systems and hypervisors.
- Firmware and embedded software.
- Software components (libraries, SDKs) when placed on the market separately with an independent commercial purpose.
The key question for software is whether it has network connectivity (broadly defined) and whether it has a commercial or professional purpose. Open-source software distributed free of charge without commercial intent benefits from a limited exclusion, but open-source components integrated into commercial products are the manufacturer's responsibility.
Common Classification Uncertainties
Manufacturers frequently face uncertainty about whether their product qualifies as a PDE:
- Offline devices — a device with no networking capability is not a PDE. However, devices that connect via USB for firmware updates or configuration are PDEs.
- Remote services — a product's 'remote data processing solutions' are part of the PDE scope; the cloud backend that processes a connected device's data is within scope when considered as part of the product.
- B2B components — software or hardware components sold to other manufacturers for integration into their products are PDEs if placed on the market with an independent commercial purpose; if sold exclusively as an OEM component integrated before market placement, the finished-product manufacturer bears the compliance obligation.
- Legacy products — products placed on the market before the CRA's application date continue under the old rules; products still in production after the application date must comply.
Frequently asked
Does the CRA apply to our product if it only connects via Bluetooth to a smartphone app?
Yes. Bluetooth connectivity is a direct data connection to another device, making the hardware product a PDE. Additionally, the smartphone app that communicates with the device is itself likely a PDE. Both the hardware product and the companion app are subject to CRA requirements. The manufacturer of the combined solution is responsible for CRA compliance across all components they place on the market.
Is a pure SaaS product subject to the CRA?
A pure SaaS product accessed entirely through a standard web browser with no downloadable component is likely outside the CRA's scope, as it does not constitute a product 'placed on the market'. However, if the SaaS includes a downloadable agent, desktop client, or mobile app, those components are PDEs. The regulatory interpretation of SaaS scope is still evolving; manufacturers in this space should monitor ENISA and European Commission guidance.
If we use third-party components in our product, are we responsible for their CRA compliance?
Yes. When you integrate a third-party or open-source component into your product and place that product on the market, you are the manufacturer for CRA purposes and bear responsibility for the security of all components. This is why the CRA's SBOM requirement is critical: you must know what is in your product, monitor those components for vulnerabilities, and patch them when CVEs are disclosed. You may contractually require upstream suppliers to provide security patches, but regulatory liability remains with you.