Which products and companies fall in scope of the CRA?

Manufacturers want clarity on whether their products are considered products with digital elements (hardware or software) and thus subject to CRA obligations, including questions about embedded software, firmware, components, or updates.

What exactly counts as a product with digital elements?

• A product with digital elements (PDE) is any hardware or software product that contains software and is intended to connect, directly or indirectly, to a device or a network. This includes industrial machines, embedded systems, controllers, gateways, and related software placed on the EU market.

Does firmware or a software-only product trigger CRA compliance?

• Firmware is explicitly considered software and is fully in scope. Software-only products (commercial software, embedded software, management or control software) are also in scope when placed on the EU market. Only non-commercial open-source software is partially excluded.

Are products sold before the 2027 deadline subject to full compliance?

• Products placed on the EU market before 11 December 2027 do not require full CRA compliance. However, substantial software or firmware updates after that date may trigger CRA obligations, as the product can be considered newly placed on the market. Vulnerability and incident reporting obligations apply earlier (from 2026).