Blog | OCT 31, 2025
Am I Affected by the EU Cyber Resilience Act (CRA)?
The Cyber Resilience Act (CRA) is a new EU regulation that imposes cybersecurity requirements on a broad range of digital products. If you are wondering whether this law affects you or your business, it likely means you manufacture, sell, or use products with digital elements. In this article, we explain who the CRA applies to, which products fall under its scope, and who is exempt, using the official CRA text as our guide. We also outline key timelines for compliance.
Understanding the Cyber Resilience Act
The Cyber Resilience Act (Regulation (EU) 2024/2847) was published in the Official Journal of the EU in 2024. It entered into force in December 2024 and applies progressively between September 2026 and December 2027.
The CRA establishes essential cybersecurity requirements for the design, development, and production of products with digital elements and sets out obligations for economic operators: manufacturers, importers, distributors, and authorized representatives. Its goal is to make both hardware and software secure by design and resilient throughout their lifecycle.
It is a horizontal regulation, meaning it applies across industries and covers nearly all products with digital elements. Its purpose is to establish a single baseline for cybersecurity across the EU market.
Products Covered Under the CRA
The CRA’s scope is very broad. It covers any “product with digital elements” that is made available on the EU market and whose intended or foreseeable use includes any direct or indirect data connection to a device or network. In simpler terms, if a product contains software or digital hardware and can connect (even indirectly) to the internet or another device, it’s likely covered.
Product with digital elements: The regulation defines this as “a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately”. This definition means both physical devices and software (including standalone software, apps, firmware, etc.) are in scope. Even individual components (like a smart sensor or a software library) count if they are marketed separately.
Direct or indirect connection: The CRA explicitly includes products with either direct connections (e.g. a computer or IoT device connecting to a network itself) or indirect connections (e.g. a device that is part of a larger networked system). Essentially any device or program that can communicate data to another device or network, even via another system, is covered. For example, a smart appliance that connects to a phone app, or an offline device that connects via a hub, would both fall under the CRA’s scope due to that network connectivity.
Examples of in-scope products: Personal computers, servers, smartphones, tablets, networking equipment, IoT gadgets (like smart home devices, wearables, connected appliances), industrial control systems, software applications (including cloud-connected apps), and so on. The law casts a wide net to cover the modern digital ecosystem.
If your product includes digital elements, meaning software, hardware, or a combination that can directly or indirectly exchange data with another device or network, it should be assumed to fall within the scope of the CRA, unless a specific exclusion applies.
Who Does the CRA Apply To?
If your business is involved in making available any covered product on the EU market, you have obligations under the CRA. The regulation identifies several roles, collectively termed “economic operators”, who need to comply with the CRA:
Manufacturers: Anyone who develops or manufactures a product with digital elements (or has it designed/manufactured by others) and markets it under their name or brand. Notably, it doesn’t matter whether you sell the product for profit or give it away – if it’s under your name/trademark, you are the manufacturer in the eyes of the law. For example, a company offering a free mobile app or open-source tool under its brand is still considered a “manufacturer” responsible for that product’s cybersecurity. Manufacturers bear the primary responsibility to ensure products meet the CRA’s requirements (secure by design, free of known vulnerabilities, etc.) and to handle vulnerabilities throughout the product’s lifecycle.
Importers: Any entity based in the EU that takes a product with digital elements from a manufacturer and places it on the EU market. If you import gadgets or software from abroad to sell in Europe, you must verify those products comply with the CRA.
Distributors: Any entity in the supply chain (other than the manufacturer or importer) that makes the product available on the market. Distributors (including retailers) must ensure that the products they are selling carry the required CE marking and that they don’t sell products they know are non-compliant.
In practical terms, most companies involved in producing or selling connected digital products in the EU are affected. There is no general exemption for size – small startups and large firms alike need to comply (though authorities plan to provide support and simplified documentation for smaller enterprises to ease compliance). Consumers or end-users do not have direct obligations under the CRA; the burden is on the supply side to deliver secure products. However, users will be indirectly affected in that they should receive more secure products and may benefit from longer support (e.g. security updates for the product’s expected lifetime).
Geographical Scope of the CRA
The Cyber Resilience Act applies based on where the product is made available, not where it is designed or produced.
In practice, this means:
Any product with digital elements placed on the EU market, including those developed or manufactured outside the EU, must comply with the CRA’s requirements.
Non-EU manufacturers (for example, those in the US, UK, or Asia) are directly affected if their products are sold or distributed in the EU.
Importers and distributors are legally responsible for verifying compliance before placing such products on the market.
The CRA is expected to be incorporated into the European Economic Area (EEA) Agreement, meaning companies targeting Norway, Iceland, or Liechtenstein should anticipate equivalent obligations once that process is completed.
Northern Ireland will likely follow EU rules under the existing market alignment framework.
The geographical reach of the CRA is therefore global in effect: any company whose connected products reach the EU market - whether directly or through intermediaries - must comply with the regulation’s cybersecurity, reporting, and documentation requirements.
Exemptions and Exclusions: Who Is Not Affected?
While the CRA’s scope is broad, certain products and scenarios are explicitly excluded. You might not be affected by the CRA if your product falls into one of these categories:
Medical Devices: Products regulated by the EU Medical Devices Regulation (Regulation (EU) 2017/745) are exempt. Likewise, in vitro diagnostic medical devices (Regulation (EU) 2017/746) are excluded. These devices already have cybersecurity requirements under their own sectoral regulations.
Automotive: Products with digital elements that fall under the EU vehicle type-approval regulation for general safety (Regulation (EU) 2019/2144) are not covered. In practice, this means many digital systems in cars, trucks, and other vehicles are governed by automotive-specific rules instead of the CRA.
Aviation: If a product has been certified under EU aviation safety laws (Regulation (EU) 2018/1139, which covers aircraft and aviation equipment certification), it is outside the CRA’s scope. Aviation has its own rigorous cybersecurity provisions.
Marine Equipment: Digital products that are considered marine equipment and fall within the scope of the Marine Equipment Directive (2014/90/EU) are excluded from the CRA.
National Security and Defense: Products developed or modified exclusively for national security or defense purposes, or specifically designed to handle classified information, are exempt from the CRA. Military and intelligence-related systems are not subject to this civilian market regulation.
Non-digital products: By definition, if something has no digital elements or connectivity (for example, a purely mechanical tool), the CRA does not apply. This is more of a definitional clarification than an exemption.
It’s important to note that these exclusions are narrowly defined. Unless your product clearly fits one of the above categories, assume the CRA applies. Many industries will have overlap, but the law attempts to avoid double-regulation by deferring to sector-specific regimes when those offer equivalent or higher cybersecurity protection.
What About Open-Source Software?
One notable aspect of the CRA is how it treats free and open-source software (FOSS). Regulators recognized the importance of not stifling open-source contributors. The CRA applies only to software that is supplied in the course of a commercial activity. In the recitals, the law clarifies that “free and open-source software made available on the market, and therefore supplied for distribution or use in the course of a commercial activity, should fall within the scope”, but that providing open-source software that is not monetized by its developers is not considered a commercial activity.
In practice, if you are an individual developer releasing open-source code for free, you are not subject to the CRA. Simply publishing code on GitHub or an app store without commercial intent does not count as placing a product on the market. The CRA explicitly excludes contributors whose open-source code is not under their commercial responsibility.
However, there are scenarios where open-source software can fall under CRA scope: for example, if a company packages an open-source project into a product (or service) that it offers commercially (even if the software itself is free, the commercial context matters).
The CRA also introduces the concept of an open-source software steward (Article 24): organizations that commercially maintain or distribute open-source projects. They don’t have full manufacturer obligations but must maintain a documented cybersecurity policy, cooperate with EU market surveillance authorities on security issues, and report vulnerabilities or major incidents when directly involved in development or if their infrastructure is affected.
In short, non-commercial open-source development is outside the CRA’s scope, but once open-source software is part of a commercial activity or stewardship, cybersecurity and reporting duties apply.
Timeline: When Do CRA Obligations Kick In?
The Cyber Resilience Act is already in force (as of 2024), but most of its provisions will start to apply after a transition period to give companies time to adapt. Here are the key dates:
Main compliance deadline – December 2027: The majority of CRA requirements (e.g. meeting cybersecurity design standards, vulnerability handling, technical documentation) apply from 11 December 2027. This means that by that date, any new product with digital elements placed on the EU market must fully comply with the CRA’s rules. In effect, end of 2027 is the point after which non-compliant products can no longer be sold in the EU.
Vulnerability reporting – September 2026: An important obligation under the CRA is that manufacturers must report any actively exploited vulnerabilities and incidents affecting the security of their products. These reporting obligations take effect earlier, from 11 September 2026 (corresponding to Article 14 of the CRA).
Conformity assessment framework – June 2026: The provisions for notifying and involving conformity assessment bodies (e.g. for products deemed “critical” that require third-party certification) apply from 11 June 2026.
What does this timeline mean for you? If you determine that the CRA affects your products or operations, you should begin compliance preparations now. The transition period is roughly three years, which is significant but not excessive given the potentially extensive work involved (e.g. implementing “security by design” in product development). By September 2026, internal systems (for vulnerability reporting) should be in place, and by December 2027 your products should meet all CRA requirements.
Existing Products and Transition Period
Products with digital elements already placed on the EU market before 11 December 2027 are not subject to retroactive CRA compliance. They can continue to be used, provided they are not substantially modified after that date.
While most CRA requirements apply only to products placed on the EU market on or after 11 December 2027, Article 69(3) introduces one important exception. All products with digital elements - including those already on the market before that date - must comply with the vulnerability reporting duties set out in Article 14 once those obligations take effect on 11 September 2026.
Manufacturers may still choose to maintain security updates for older products, but this is not a legal requirement under the CRA itself.
Next Steps Toward Cyber Resilience Compliance
The Cyber Resilience Act affects a vast array of products and companies. If you produce or deal in any kind of connected hardware or software in the EU, chances are the CRA will apply to you. The law’s scope includes practically all digital products that connect to networks, and it holds manufacturers (as well as importers and distributors) responsible for cybersecurity across the product lifecycle. Only a few specialized domains (medical, automotive, aviation, etc.) are carved out due to having their own rules.
For anyone asking "Am I affected by the CRA?", the safest assumption is: yes, unless you fit one of the narrow exclusions. If you want a more specific answer, you can take the quick test on our CRA Knowledge Hub page. Now is the time to familiarize yourself with the CRA’s requirements and assess your product portfolio. With compliance deadlines in September 2026 and December 2027, organizations should use the lead time to bolster their development practices, documentation, and incident response processes. The ultimate goal is to ensure that by the end of 2027, products on the EU market are cyber resilient by design, reducing the significant risks posed by insecure digital devices in today’s connected world.
What’s next? Discover how Tributech’s CRA & IoT/OT consulting approach helps manufacturers translate regulatory requirements into practical implementation and compliance roadmaps, or explore our CRA Knowledge Hub for detailed guidance, cross-media resources and updates.
Download the extended Guide on our dedicated CRA Knowledge Hub Page.