This document is under active development and has not been finalised.
Skip to content

1.1 Scope

1.1.1 Scope of Application

Pursuant to Art. 2 CRA, this regulation applies to products with digital elements that are made available on the EU market and whose intended or reasonably foreseeable use includes a direct or indirect data connection.

1.1.2 Affected Product Categories

Software Products

CategoryExamplesCRA-relevant
Web ApplicationsAPIs, Frontends, MicroservicesYes
Container ImagesDocker-based servicesYes
Desktop Applications.NET WPF/WinForms, MAUIYes
NPM PackagesPublicly published librariesYes
NuGet Packages.NET LibrariesYes

Firmware / Embedded

CategoryPlatformCRA-relevant
ESP32 FirmwareESP-IDF, ArduinoYes
STM32 FirmwareHAL, CMSISYes
Zephyr RTOSZephyr OSYes
PlatformIO BuildsCross-PlatformYes

Infrastructure

CategoryExamplesCRA-relevant
Docker Compose StacksMulti-container deploymentsYes (as part of the product)
CI/CD PipelinesGitHub Actions WorkflowsNo (internal tooling)

1.1.3 Exemptions (Art. 2(2) CRA)

The following are not subject to the CRA:

  • Open-source software that is not made available in the course of a commercial activity
  • SaaS services (fall under NIS2, not CRA) – unless remote data processing is an integral part of the product
  • Products subject to sector-specific EU legislation (e.g. medical devices, motor vehicles, aviation)

1.1.4 Transitional Provision / Grandfathering (Art. 69)

Products with digital elements placed on the market before 11.12.2027 are subject to the requirements of the CRA only if, from that date, they undergo a substantial modification. Existing products are therefore grandfathered (out of scope) and only fall within the scope of application through a substantial modification on or after 11.12.2027.

Example: A firmware released in 2026 remains outside the CRA scope – until a security update in 2028 replaces the authentication mechanism and thus constitutes a substantial modification.

What qualifies as a substantial modification is described under Substantial Modifications.

1.1.5 Product Catalogue

ACTION REQUIRED

For each CRA-relevant product, an individual classification and documentation must be carried out. Use the template at Product Description as a basis.

The product catalogue is maintained on a product-specific basis. Each product receives:

  1. Unique Identifier (Product name + Version)
  2. CRA Product Class (Standard / Class I / Class II / Critical)
  3. Support Period (at least 5 years or expected lifetime)
  4. Responsible Person (Product Owner / Security Lead)
  5. SBOM Reference (Link to current SBOM)
  6. Declaration of Conformity (Link to EU DoC)

Documentation licensed under CC BY-NC 4.0 · Code licensed under MIT