Global Market Access: Nemko Group AS Testing Services

CRA Scope Explained: Is Your Digital Product Included?

Written by Øyvind Storhaug | June 5, 2026

 

The Cyber Resilience Act (CRA) introduces cybersecurity requirements for many digital products. While the main obligations will apply from late 2027, the reporting obligations will apply earlier, from September 2026. This makes it important for manufacturers to determine whether their product falls within the scope of the CRA.

What is the scope of the CRA?

The scope of the CRA is broader than the cybersecurity requirements under the Radio Equipment Directive (RED). The CRA applies to products with digital elements whose intended and/or reasonably foreseeable use includes a direct or indirect data connection to a device or network.

“Product with digital elements” includes hardware and software products and their remote data processing solutions. The CRA also applies to software and hardware when they are placed on the market separately.

Exceptions to CRA

There are multiple exceptions to the CRA for products that are covered by other regulations.

The CRA does not apply to devices that are covered by the following regulations and directives:

  • Medical Device Regulation - (EU) 2017/745
  • In Vitro Diagnostic Regulation - (EU) 2017/746
  • Vehicle General Safety / Type-Approval Regulation - (EU) 2019/2144
  • Civil aviation - (EU) 2018/1139
  • Marine Equipment Directive - 2014/90/EU

Additional exclusions and restrictions apply to products developed exclusively for national security or defence purposes.

CRA classification

Products that fall within the scope of the CRA are divided into four categories, each associated with different conformity requirements.

  • Default
    Most products fall into this category and are subject to the essential cybersecurity requirements defined in the CRA.
  • Class 1
    A product is considered a Class 1 important product if its core functionality matches a category listed under Class I in Annex III. This includes categories such as operating systems and virtual private networks (VPN).
  • Class 2
    A product is considered a Class 2 important product if its core functionality matches a category listed under Class II in Annex III. This includes categories such as hypervisors and firewalls.
  • Critical
    A product is considered a critical product if its core functionality matches a category listed in Annex IV. This includes categories such as smart meter gateways and smartcards.

The full list of Class 1, Class 2 and Critical categories is provided at the bottom of this article.

Important dates

Reporting obligations - 11 September 2026
Manufacturers shall notify the relevant authorities (CSIRT and ENISA) about actively exploited vulnerabilities once they become aware of them.

Main obligations of the CRA will apply from 11 December 2027

Conclusion

Determining whether a product falls within the scope of the CRA is an important first step in preparing for future compliance.

While the CRA introduces cybersecurity requirements for a broad range of products, detailed guidance and harmonized standards remain under development, and further clarification is expected as implementation progresses.

 

Reference - Important products with digital elements

The CRA defines certain categories of products as “important products” in Annex III. These are divided into Class I and Class II based on the core functionality of the product.

Class I

  1. Identity management systems and privileged access management software and hardware, including authentication and access control readers (including biometric readers)
  2. Standalone and embedded browsers
  3. Password managers
  4. Software that searches for, removes, or quarantines malicious software
  5. Products with digital elements with the function of virtual private networks (VPN)
  6. Network management systems
  7. Security information and event management (SIEM) systems
  8. Boot managers
  9. Public key infrastructure and digital certificate issuance software
  10. Physical and virtual network interfaces
  11. Operating systems
  12. Routers, modems intended for connection to the internet, and switches
  13. Microprocessors with security-related functionalities
  14. Microcontrollers with security-related functionalities
  15. Application-specific integrated circuits (ASIC) and field-programmable gate arrays (FPGA) with security-related functionalities
  16. Smart home general-purpose virtual assistants
  17. Smart home products with security functionalities, including smart door locks, security cameras, baby monitoring systems, and alarm systems
  18. Internet-connected toys covered by Directive 2009/48/EC with social interactive features (e.g. speaking or filming) or location tracking
  19. Personal wearable products with health monitoring functions (not covered by MDR/IVDR), or wearables intended for use by children

Class II

  1. Hypervisors and container runtime systems supporting virtualised execution environments
  2. Firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS)
  3. Tamper-resistant microprocessors
  4. Tamper-resistant microcontrollers

 

Critical products

  1. Hardware devices with security boxes
  2. Smart meter gateways within smart metering systems as defined in Article 2, point (23) of Directive (EU) 2019/944 and other devices for advanced security purposes, including for secure cryptoprocessing
  3. Smartcards or similar devices, including secure elements