CRA Exemptions: Is Your SaaS or Hardware Exempt from the Cyber Resilience Act?

Not every product falls under the CRA. Discover the specific exemptions for Medical, Auto, and Cloud services, and learn why most SaaS apps fall under NIS2 instead.

Written by Dimitri Page
December 13, 2025

Not every digital product falls under the Cyber Resilience Act. While the regulation is intentionally broad and captures most products with digital elements, there are clear and specific exemptions. Understanding these boundaries helps you determine whether you must comply with the CRA’s security requirements, documentation duties and reporting obligations.

This article clarifies the official exemptions and explains one of the most misunderstood areas in the entire regulation: the difference between standalone cloud services and software that is downloaded or installed.

Disclaimer: This content is provided for informational purposes only. The official text remains the authoritative reference.

Sector specific exemptions under the CRA

Some domains already fall under dedicated EU cybersecurity or safety frameworks. In these cases the Cyber Resilience Act does not apply because another regulation already governs the security of those products.

According to the CRA and the supporting FAQ, the regulation does not apply to:

  • medical devices
  • motor vehicles
  • civil aviation products
  • marine equipment

There is also a related exemption for certain two-wheel or three-wheel vehicles and quadricycles.

A nuance from the FAQ matters here. If a component in these sectors is placed on the market separately and is not certified under the sector legislation, then it can fall under the CRA. For example, some drone components and certain aviation software modules may still count as products with digital elements.

Exemption for identical spare parts

The CRA excludes spare parts that:

  • function the same as the original part
  • do not change the product’s digital characteristics or behaviour

This exemption covers parts intended only to replace an existing component without modifying how the product connects or processes data. The FAQ emphasises that once a spare part alters functionality or adds new digital features, the exemption no longer applies.

Exemption for national security, defence and classified systems

The CRA does not apply to products that are developed or modified exclusively for national security or defence purposes or that are specifically designed to handle classified information.

This exemption is narrower than many companies assume. Dual-use products do not automatically fall outside the CRA. A component is exempt only when its development purpose is exclusively linked to defence or classified use. If a product can also be supplied to civilian markets, CRA obligations may still apply.

SaaS, cloud services and digital services: are they exempt?

One of the most frequent questions concerns cloud services, especially SaaS. The CRA draws a clear distinction between products with digital elements and standalone services.

Standalone SaaS accessed through a browser is not considered a CRA product

The Cyber Resilience Act regulates products, not services. A service such as SaaS, PaaS or IaaS is not a product with digital elements unless it forms part of the essential remote data processing for a CRA regulated product.

This matters because a browser session is not considered a product placed on the EU market. Standalone cloud services designed and developed outside the responsibility of a manufacturer of a product with digital elements fall under other frameworks, most notably NIS2. This point is explicitly stated in the CRA recitals and clarified again in the FAQ.

The moment you offer anything downloadable that needs a data connection to function, CRA applies

The distinction becomes critical when a SaaS company distributes any form of downloadable software. If you provide:

  • a desktop application
  • a mobile application
  • an installable agent
  • a command line tool
  • any downloadable binary or library

then you are placing a digital product on the EU market. At that moment the CRA applies in full.

The only exception is a product that functions without any data connection at all, such as a standalone calculator application. Such a product is not under the CRA.

The FAQ also clarifies the consequence for cloud backends. When a downloadable product requires a cloud service to function, that backend becomes part of the product’s remote data processing. It is therefore included in CRA scope even though standalone SaaS would not be.

Short version to remember

SaaS accessed only through a browser is not a CRA product.

Any downloadable or installable component with a data connection is a CRA product.

The cloud backend required for that downloaded product automatically becomes part of the CRA product.

This reflects the legal definition of a product with digital elements, which includes its remote data processing when that processing is essential for its intended functionality.

Summary of CRA exemptions

The Cyber Resilience Act does not apply to:

  • medical devices
  • motor vehicles
  • civil aviation products certified under aviation rules
  • marine equipment
  • some categories of two-wheel and three-wheel vehicles
  • identical spare parts
  • products developed exclusively for national security, defence or classified use
  • standalone cloud services that do not form part of a CRA product’s remote data processing

However, the Cyber Resilience Act does apply when:

  • a company distributes any downloadable software
  • that software depends on a cloud backend to perform its intended function
  • components are sold separately on the market and have digital functionality

For many SaaS companies the decisive question is simple: do you offer anything users can download that requires a data connection to function? If yes, the CRA applies.

Why CRA exemptions matter

Determining whether your product is exempt helps you understand whether you must prepare for the CRA’s security requirements, documentation duties and reporting obligations.

Clear exemption analysis prevents unnecessary work and helps teams focus on the products and components that truly fall under the Cyber Resilience Act.
