Understanding whether the Cyber Resilience Act (CRA) applies to your organisation is the first essential step toward planning for CRA compliance. This article offers a clear, structured overview of CRA scope, based strictly on the regulation’s definitions and supported by insights from the European Commission’s preliminary FAQs.
Disclaimer: This content is provided for informational purposes only. The official text remains the authoritative reference.
Does Your Product Contain Digital Elements? (CRA Scope Step 1)
The Cyber Resilience Act applies to all products with digital elements that are made available on the EU market. This includes software, hardware and remote data processing components that are essential to the functioning of a product.
The CRA FAQ clarifies that three cumulative criteria determine applicability:
- The item is a product with digital elements
- It is placed on the EU market
- Its intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection
Services alone are not covered unless they support a product with digital elements. This distinction is the foundation for understanding where your organisation sits in the CRA landscape.
What Is a “Product with Digital Elements” Under the CRA?
The CRA defines a product with digital elements as:
“a software or hardware product and its remote data processing solutions.”
This definition is intentionally broad. It includes the product itself as well as any cloud-based processing that is essential for the product to perform one of its functions.
Examples of products with digital elements
The CRA explicitly includes:
- standalone software
- mobile apps
- desktop software
- agents
- firmware
- libraries
- development tools
- plugins
- SDKs
Software components placed on the market separately are also covered.
An important nuance is that a product is in scope only if its intended purpose includes a data connection. A downloadable app that operates entirely offline, with no connection capability, would not fall under the CRA.
A web app accessed through the browser is not automatically a “product with digital elements”
Browser-based access alone does not constitute a product placed on the market. This is confirmed by the FAQ. Websites are not products unless they support a CRA product as remote data processing.
The FAQ also reinforces that:
- standalone SaaS, delivered only as a cloud service, is not a product with digital elements
- but if that SaaS is necessary for an app, firmware, or downloadable tool to function, then it is brought into CRA scope as that product’s remote data processing
This nuance matters. The line is not between browser and downloadable, but between product and service, and whether the service is essential for the product’s functionality.
Installable software is generally in scope
If a company distributes an installable file (.exe, .dmg, .apk, .ipa), it is legally placing a product with digital elements on the EU market. Provided that the product’s intended use includes a data connection, the CRA applies. Even lightweight wrappers, shells or webviews count as installable software.
A mobile app is a product with digital elements under the CRA
Any app offered on an app store that relies on a connected backend to function is in CRA scope:
- the app is regulated under the CRA
- the backend counts as essential remote data processing
This aligns directly with the CRA’s definition.
Practical example: Miro
If Miro existed only as a browser-accessed website, it would fall outside the CRA and instead be subject to frameworks such as NIS2.
But because Miro offers installable desktop and mobile apps, those products fall under the CRA, and their associated backend services are treated as remote data processing.
If your organisation builds, distributes or maintains any installable software, no matter how thin the wrapper, your product is very likely within CRA applicability.
Is the Product Made Available on the EU Market? (CRA Scope Step 2)
Making a product “available on the market” means offering it for distribution or use in the EU, regardless of whether the company is EU-based.
Two criteria determine this:
1. The product is offered commercially
To fall under the CRA, the product must be provided as part of a commercial activity.
Therefore:
- Non-commercial open-source projects are excluded
- Internal-use-only tools are excluded
- Beta versions can be released, but only if clearly marked as non-compliant and available for limited testing
2. The product is accessible to EU users
If EU users can download or access the product, it is considered placed on the market, even if the company is located elsewhere.
This makes most global SaaS and software vendors subject to CRA obligations as soon as they offer installable software in the EU.
Are There Any CRA Exemptions?
The CRA explicitly excludes several categories because they fall under other cybersecurity frameworks:
- Medical devices
- Motor vehicle products
- Civil aviation equipment
- Marine equipment
Additional exclusions include:
- Spare parts that function exactly like the original
- Products developed exclusively for national security, defence or classified processing
The FAQ adds important nuance:
Components intended for integration into exempt products may themselves be in scope if placed on the market separately.
Why Determining CRA Scope Matters
Understanding whether the Cyber Resilience Act applies to your product is foundational for everything that follows:
- CRA reporting obligations
- Essential cybersecurity requirements
- Vulnerability handling processes
- Conformity assessment and CE marking
The FAQ adds one more critical point:
Reporting obligations apply to all products ever placed on the market, even those released before 11 December 2027.
This alone has major implications for software teams that rely on older codebases or long-standing applications.
The CRA shifts the EU market from “best effort” security to mandatory, demonstrable cybersecurity compliance. Identifying your scope early gives your team the clarity and time to build the right processes before the 2026 and 2027 deadlines.
ScanDog is an AI-powered Application Security Posture Management (ASPM) platform that helps development teams build secure software faster. With advanced vulnerability prioritization, reachability analysis, and AI-assisted remediation, ScanDog cuts through the noise of false positives to focus on what truly matters.