    June 5, 2026

    CRA Scope Explained: Is Your Digital Product Included?

     

    The Cyber Resilience Act (CRA) introduces cybersecurity requirements for many digital products. While the main obligations will apply from late 2027, the reporting obligations already apply from September 2026. This makes it important for manufacturers to determine whether their product falls within the scope of the CRA.

    What is the scope of the CRA?

    The scope of the CRA is broader than the cybersecurity requirements under the Radio Equipment Directive (RED). The CRA applies to products with digital elements whose intended and/or reasonably foreseeable use includes a direct or indirect data connection to a device or network.

    “Product with digital elements” includes hardware and software products and their remote data processing solutions. The CRA also applies to software and hardware when they are placed on the market separately.

    Exceptions to CRA

    There are multiple exceptions to the CRA where products are covered by other regulations.

    The CRA does not apply to devices that are covered under the following regulations and directives:

    • Medical Device Regulation - (EU) 2017/745
    • In Vitro Diagnostic Regulation - (EU) 2017/746
    • Vehicle General Safety / Type-Approval Regulation - (EU) 2019/2144
    • Civil aviation - (EU) 2018/1139
    • Marine Equipment Directive - 2014/90/EU

    Additional exclusions and restrictions apply to products developed exclusively for national security or defence purposes.

    CRA classification

    Products that fall within the scope of the CRA are divided into four categories, each associated with different conformity requirements.

    • Default
      Most products fall into this category and are subject to the essential cybersecurity requirements defined in the CRA.
    • Class 1
      A product is considered a Class 1 important product if its core functionality matches a category listed in Annex III. This includes categories such as operating systems and virtual private networks (VPN).
    • Class 2
      A product is considered a Class 2 important product if its core functionality matches a category listed in Annex III. This includes categories such as hypervisors and firewalls.
    • Critical
      A product is considered a critical product if its core functionality matches a category listed in Annex IV. This includes categories such as smart meter gateways and smartcards.

    The full list of Class 1, Class 2 and Critical categories is provided at the bottom of this article.

    Important dates

    Reporting obligations - 11 September 2026
    Manufacturers shall notify the relevant authorities (CSIRT and ENISA) about actively exploited vulnerabilities once they become aware of them.

    Main obligations of CRA will apply from 11 December 2027

    Conclusion

    Determining whether a product falls within the scope of the CRA is therefore an important first step in preparing for future compliance.

    While the CRA introduces cybersecurity requirements for a broad range of products, detailed guidance and harmonized standards remain under development, and further clarification is expected as implementation progresses.

     

    Reference - Important products with digital elements

    The CRA defines certain categories of products as “important products” in Annex III. These are divided into Class I and Class II based on the core functionality of the product.

    Class I

    1. Identity management systems and privileged access management software and hardware, including authentication and access control readers (including biometric readers)
    2. Standalone and embedded browsers
    3. Password managers
    4. Software that searches for, removes, or quarantines malicious software
    5. Products with digital elements with the function of virtual private networks (VPN)
    6. Network management systems
    7. Security information and event management (SIEM) systems
    8. Boot managers
    9. Public key infrastructure and digital certificate issuance software
    10. Physical and virtual network interfaces
    11. Operating systems
    12. Routers, modems intended for connection to the internet, and switches
    13. Microprocessors with security-related functionalities
    14. Microcontrollers with security-related functionalities
    15. Application-specific integrated circuits (ASIC) and field-programmable gate arrays (FPGA) with security-related functionalities
    16. Smart home general-purpose virtual assistants
    17. Smart home products with security functionalities, including smart door locks, security cameras, baby monitoring systems, and alarm systems
    18. Internet-connected toys covered by Directive 2009/48/EC with social interactive features (e.g. speaking or filming) or location tracking
    19. Personal wearable products with health monitoring functions (not covered by MDR/IVDR), or wearables intended for use by children

    Class II

    1. Hypervisors and container runtime systems supporting virtualised execution environments
    2. Firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS)
    3. Tamper-resistant microprocessors
    4. Tamper-resistant microcontrollers

     

    Critical products

    1. Hardware Devices with Security Boxes
    2. Smart meter gateways within smart metering systems as defined in Article 2, point (23) of Directive (EU) 2019/944 and other devices for advanced security purposes, including for secure cryptoprocessing
    3. Smartcards or similar devices, including secure elements

     

     

    Øyvind Storhaug

    Øyvind Storhaug is a seasoned cybersecurity professional with over a decade of experience in this field. He has served as a Security Consultant at Nemko for the past two years. In this role, Øyvind has been responsible for testing IoT products, performing penetration testing, and scanning for system vulnerabilities....
