EU Cyber Resilience Act — is your product in scope?

The Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) makes cybersecurity a condition of selling a product in the EU. From 11 December 2027, a "product with digital elements" without a CE mark for the CRA cannot be placed on the EU market; vulnerability reporting starts a year earlier. This guide explains who is in scope, the single line that decides it, your risk class, and what you have to produce.

What the CRA is

It's the first EU law to make cybersecurity a market-access requirement rather than a back-office risk. It covers any product with digital elements — anything with software or a network connection: apps, SDKs, IoT and smart devices, routers, industrial controllers, and standalone software. If you make, import or distribute it into the EU, you're potentially in scope. Non-compliance carries fines up to €15 million or 2.5% of global turnover.

Who's in scope — and the line that decides it

The deciding factor is whether something is installed or shipped versus consumed purely as a website. Pure cloud SaaS — a browser-based platform delivered as a service, with nothing installed — is generally outside the CRA. Hardware and installed software are inside.

What you ship	In scope?
A downloadable or mobile app (incl. an app-store wallet app)	In scope
An SDK, library or component other developers embed	In scope
Hardware, or firmware in a device (e.g. a hardware wallet)	In scope
A cloud back-end required for a shipped product to function	In scope
Only a website / web platform users log into (nothing installed)	Likely out

For a crypto firm, that usually means a downloadable wallet or mobile app is in scope, a hardware wallet is in scope, and a browser-only exchange is likely out. A DORA-compliant firm is not automatically CRA-compliant: the CRA and DORA have different scopes, owners and reporting routes, so if you also manufacture a product with digital elements you have a separate set of obligations.

Your risk class

Default — most products: self-assessment (Annex VIII, Module A).
Important, Class I (Annex III) — security-function products such as password managers, VPNs, firewalls and identity managers: you can self-assess only if you apply the harmonised standards; otherwise a notified body must assess you.
Important, Class II — higher-criticality products such as operating systems, industrial firewalls and PKI: third-party assessment by a notified body.
Critical (Annex IV) — smartcards, secure elements: may require a European cybersecurity certification.

If your product handles keys, identity or security (a crypto wallet that holds private keys, say), expect to be on the stricter "important" route.

What you must produce

A technical documentation file structured to Annex VII;
A machine-readable software bill of materials (SBOM) covering at least your top-level dependencies;
A vulnerability-handling process and a coordinated-disclosure policy;
Security updates across the product's declared support period;
An EU Declaration of Conformity (Annex V) and the CE mark.

Key dates11 Sep 2026 · 11 Dec 2027Vulnerability & incident reporting to ENISA begins 11 Sep 2026 (24h early warning, 72h assessment). CE-marking is required to place the product on the EU market from 11 Dec 2027.

Is your product in scope? Find out in 60 seconds

Run the free scope check →

No signup · nothing uploaded · runs in your browser

This guide is general information, not legal advice. The CRA's scope and timelines can change — confirm the current requirement against Regulation (EU) 2024/2847 and, where needed, qualified counsel before you rely on it.