# EU Cyber Resilience Act Product Scope FAQ

The CRA applies to any "product with digital elements" (PDE) sold on the EU market whose intended or reasonably foreseeable use includes a direct or indirect connection to a device or network — hardware, software, and components alike. The table below lists common product categories and whether each is in scope. The exclusions listed are defined in Article 2 of Regulation (EU) 2024/2847 and reflect sectors already governed by equivalent EU cybersecurity legislation.

| Product Category | In Scope? | Notes |
|---|---|---|
| IoT devices (smart home cameras, thermostats, doorbells, etc.) | ✅ In Scope | Core target of the CRA; network connectivity is inherent |
| Consumer electronics (smart TVs, tablets, wearables, fitness trackers) | ✅ In Scope | Covered if capable of connecting to a device or network |
| Industrial control systems & OT devices (PLCs, SCADA, sensors with connectivity) | ✅ In Scope | Includes IIoT and connected factory equipment |
| Networking equipment (routers, switches, firewalls, modems) | ✅ In Scope | Often classified as Important or Critical under Annex III |
| Software products (desktop apps, mobile apps, operating systems) | ✅ In Scope | Applies to standalone software placed on the market commercially |
| Remote data processing solutions (manufacturer-operated cloud backends required for product function) | ✅ In Scope | In scope only when designed by the manufacturer and required for the product to function |
| Hardware components sold separately (microcontrollers, chipsets, modules) | ✅ In Scope | Components placed on the market independently are covered |
| Connected toys & children's products | ✅ In Scope | Explicitly cited by the European Commission as a primary use case |
| Payment terminals & devices handling financial data | ✅ In Scope | May fall into stricter Important or Critical classification tiers |
| Medical devices & in vitro diagnostic devices | ❌ Excluded | Governed by EU MDR (2017/745) and IVDR (2017/746), which already impose cybersecurity lifecycle requirements |
| Motor vehicles & automotive systems | ❌ Excluded | Covered by Regulation (EU) 2019/2144 and UNECE vehicle cybersecurity rules; note: components sold separately outside this regime may remain in scope |
| Civil aviation products | ❌ Excluded | Certified under Regulation (EU) 2018/1139 (EASA framework) |
| Marine equipment | ❌ Excluded | Falls under Marine Equipment Directive 2014/90/EU |
| National defense & national security products | ❌ Excluded | Must be developed or modified exclusively for defense/security purposes; dual-use products remain in scope |
| Non-commercial open-source software | ❌ Excluded | Software developed and distributed outside any commercial activity is out of scope; open-source integrated into a commercial product is covered under the manufacturer's obligations |
| Products not placed on the EU market (internal use, R&D prototypes) | ❌ Excluded | Products not supplied in the course of a commercial activity fall outside scope |
| Identical spare parts (replacing components to same specification) | ❌ Excluded | Narrow exclusion under Article 2(6); any deviation from identical specs removes this exemption |
| Pure SaaS / cloud services (not tied to a specific product's functionality) | ❌ Excluded | Standalone cloud services without a connected PDE fall outside scope; may be subject to NIS2 instead |

Scope determination requires product-by-product analysis. Some categories — particularly automotive components sold independently, open-source software used in commercial products, and cloud services linked to a hardware device — require careful review.
If you're unsure whether your products are in scope, contact the BG Networks team.