The Cyber Resilience Act (Regulation (EU) 2024/2847, the CRA) establishes a harmonised EU framework imposing cybersecurity requirements for products with digital elements made available on the Union market. In force since 10 December 2024, the CRA will fully apply from 11 December 2027. With earlier implementation milestones already approaching, organisations should assess whether, and how, the CRA applies to their products.
Against that timeline, EU-level implementation measures have begun to take shape. By the end of 2025, the European Commission had launched a dedicated CRA webpage and adopted the long-awaited Implementing Regulation (Commission Implementing Regulation (EU) 2025/2392) providing technical descriptions for “important” and “critical” products, which in turn determine the applicable conformity assessment route. We will return to these conformity pathways in the second part of this three-part CRA blog post series. Further implementation guidance is expected in 2026, making the coming year a key period for organisations preparing for CRA compliance.
Before turning to substantive requirements, three preliminary questions arise: which products fall within the CRA’s scope, who is responsible for compliance, and when do the relevant requirements apply?
Material scope – what is covered?
The material scope of the CRA is defined by a set of cumulative conditions, all of which must be met, together with a number of specified exclusions.
“Products with digital elements”
First, the CRA applies to “products with digital elements” (PDEs), as defined in Article 3(1). This is a broad category covering both hardware and software. It includes common connected devices, such as smart home devices, security cameras, and wearable fitness trackers, as well as standalone software, such as mobile apps. PDEs are not limited to finished products. They also include software or hardware components that are placed on the market separately, including those supplied to another manufacturer for integration into their own products. In addition, the scope of a PDE may extend to certain backend functionality where it qualifies as a “remote data processing solution” under Article 3(2). This applies when the solution is designed and developed by, or under the responsibility of, the manufacturer and when the PDE requires the solution to perform one of its functions. For example, a smart security camera that relies on a manufacturer-operated cloud service for video processing may bring that backend cloud service within the CRA's scope as part of the security camera itself.
The “connectivity” criterion
Second, the CRA applies to PDEs only where they meet the “connectivity” criterion set out in Article 2(1). This criterion is satisfied where the PDE’s intended purpose, or reasonably foreseeable use, involves a direct or indirect, logical or physical data connection to a device or to a network. In practice, the criterion is met where the PDE is designed, or can typically be expected, to exchange data with a device or a network, whether wirelessly or via a cable. For hardware, this includes wireless connections such as Wi-Fi or Bluetooth as well as physical data interfaces such as USB. For software, this includes software applications that connect to the internet or another network, or that exchange data with other devices, for example to synchronise or back up data to cloud storage or to receive updates.
PDEs “made available on the market”
Third, the CRA applies only where a PDE is made available on the Union market in the course of a commercial activity. This is not limited to sales. It also covers other forms of supply, including free distribution, provided that the supply forms part of a commercial strategy or results in an indirect economic benefit, such as through subscriptions, advertising, or other forms of monetisation. This condition is assessed by reference to the first supply on the Union market.
Excluded products
The CRA also excludes certain products from its scope. For example, some categories of products are excluded because they are already regulated under specific EU legislation, such as medical devices, certain motor vehicles, or civil aviation products. Products developed or modified exclusively for national defence or national security purposes are also excluded, as are certain spare parts replacing identical components manufactured to the same specifications. Open-source software made available outside the course of a commercial activity likewise falls outside the CRA's scope.
Personal scope – who is responsible?
The CRA allocates obligations by reference to the relevant economic operator. The central role is the manufacturer, with role-specific duties also applying to importers and distributors.
Manufacturers, who develop or manufacture a PDE (or have it designed, developed or manufactured) and place it on the market under their own name or trademark, bear the majority of CRA obligations. These include ensuring that PDEs meet the essential cybersecurity requirements, completing the applicable conformity assessment, maintaining technical documentation and implementing arrangements for handling vulnerabilities and reporting.
Importers and distributors have supply-chain obligations. Importers must ensure that PDEs are not placed on the Union market unless the required compliance elements are in place, and cooperate with market surveillance authorities. Distributors, which make PDEs available after they have been placed on the Union market, must act with due care, verify that key compliance elements accompany the product, and ensure traceability and cooperation across the supply chain.
Finally, the CRA includes role-shift rules. An importer or distributor may be treated as the manufacturer where it places a PDE on the Union market under its own name or trademark, or where it carries out a substantial modification and then makes the PDE available. A “substantial modification” is a change to the PDE that affects compliance with the essential cybersecurity requirements, or results in a change to the intended purpose for which the PDE has been assessed. Further Commission guidance on the application of this concept is expected in 2026.
Territorial scope – where does it apply?
The CRA’s territorial scope is not determined by the place of establishment of the manufacturer or other economic operators. A PDE falls within the CRA’s scope where it is made available on the Union market, whether by an EU-based importer placing a non-EU product on the Union market, a distributor supplying it further down the supply chain, or a manufacturer supplying directly to customers in the EU (including via online channels). For non-EU manufacturers, this means that CRA compliance must be ensured before the PDE is first placed on the Union market.
Temporal scope – when do requirements apply?
The CRA applies on a phased timeline. It entered into force on 10 December 2024, and its substantive obligations will apply from 11 December 2027. Certain obligations, including mandatory reporting obligations for actively exploited vulnerabilities and severe incidents, apply earlier, namely from 11 September 2026.
Whether a PDE is subject to the CRA’s substantive obligations depends on when it is placed on the Union market. Market placement is assessed per unit, not per product line. The relevant date is when each individual PDE is first made available on the Union market, not when the product line was first launched.
The CRA includes a transitional rule for PDEs placed on the Union market before 11 December 2027. They are not required to comply with the CRA’s full post-2027 requirements solely because they remain in use after 2027 or continue to be supported. However, the reporting obligations apply from 11 September 2026 and extend to in-scope PDEs already on the Union market. In addition, a pre-2027 PDE may become subject to the CRA in full from 11 December 2027 if it undergoes a substantial modification.
PDEs placed on the Union market on or after 11 December 2027 must comply with the CRA’s full requirements. This includes new product launches and ongoing sales of existing models.
***
A clear understanding of the CRA’s scope is a necessary first step for organisations that develop, manufacture, import, or distribute PDEs for the Union market. Identifying which products fall within scope, which entity bears manufacturer responsibility, and how the CRA’s phased application affects existing and future product lines will be central to compliance planning and to managing operational and legal risks as the CRA becomes fully applicable.