Blackfort Technology

Does the Cyber Resilience Act Apply to Your Product?

Understand first, then act

The first question every business needs to answer about the Cyber Resilience Act is not "What do I have to do?" — but "Am I affected, and in which role?"

The answer depends on what you manufacture or distribute and what role you play in the supply chain. The check below provides a schematic, non-binding initial assessment — not a legal opinion, but a structured starting point for your internal review.

What the interactive check does

In a few steps, the check guides you through the key questions:

  • Is this a "product with digital elements" within the meaning of Regulation (EU) 2024/2847?
  • What is your role — manufacturer, importer or distributor?
  • Does your product fall under one of the recognised exceptions (e.g. medical devices, aviation, vehicle type-approval)?
  • Which product class might your product typically fall into — default, important (Class I or II) or critical?

The result shows you which obligations may typically apply — so you know where to start.

Please note: This check does not replace a legal or technical individual assessment. The definitive classification of your product depends on specific technical and legal characteristics that only an individual analysis can determine.

Who is affected by the CRA? The three roles explained

The regulation applies to all actors in the supply chain for products with digital elements. The obligations that apply to you depend critically on the role you play.

Manufacturer

Manufacturers are natural or legal persons who develop or produce a product with digital elements — or have it developed or produced — and place it on the EU market under their own name or brand. This applies even when the product is offered free of charge. Manufacturers bear the most extensive obligations: security by design, vulnerability handling, SBOM, technical documentation, CE marking and reporting obligations from 11 September 2026.

Importer

Importers bring products with digital elements from third countries onto the EU market. They must verify that the manufacturer has fulfilled its obligations before placing the product on the market. If they cannot verify compliance, they may typically not place the product on the market.

Distributor

Distributors make products available on the EU market without manufacturing or importing them. Due diligence obligations apply to them as well — they must check whether the product meets CRA requirements before passing it on.

Role comparison: typical CRA obligations at a glance
Obligation Manufacturer Importer Distributor
Security by design Yes No (verification duty) No (verification duty)
Technical documentation / SBOM Yes Ensure availability Duty to pass on
CE marking Yes (affixes marking) Verify before placing on market Verify before placing on market
Reporting obligations from 11 Sep 2026 Yes Duty to forward Duty to forward

Who is not affected? Recognised exceptions

The CRA does not apply to products already equivalently regulated by other EU legislation. The most important exemption areas typically include:

  • Medical devices — regulated by MDR (EU) 2017/745 and IVDR (EU) 2017/746
  • Motor vehicles — covered by EU vehicle type-approval regulation
  • Aviation products — regulated by the EASA framework

Important: these exemptions only apply where the relevant sectoral legislation provides equivalent protection. Classification in individual cases requires careful interpretation — when in doubt, an individual assessment should be carried out.

Special provisions also apply to open-source software: open-source stewards are subject to a lighter regime. Commercial manufacturers placing open-source software on the market may also benefit from simplified conformity pathways under certain conditions.

For a systematic review of eligibility — including roles and exceptions — we recommend the detailed article: Cyber Resilience Act — am I affected? Roles & exceptions explained.

Product classes: which conformity assessment applies?

Not all products with digital elements are treated equally. The CRA distinguishes three risk-based categories that determine how demanding the conformity assessment process is.

CRA product classes and conformity assessment (schematic)
Class Typical products (examples) Conformity assessment
Default Mobile apps, computer games, smart speakers, memory chips Self-assessment (Module A)
Important — Class I (Annex III) Identity and access management software, browsers, password managers, VPN, SIEM, PKI, network monitoring Self-assessment only when harmonised standards or common specifications are applied; otherwise notified body required
Important — Class II (Annex III) Hypervisors, container runtimes, firewalls, intrusion detection and prevention systems, tamper-resistant microprocessors and microcontrollers Notified body mandatory (Module B+C or Module H)
Critical (Annex IV) Smart cards, secure elements, smart meter gateways Notified body or mandatory EU cybersecurity certification scheme

The precise classification of a specific product depends on technical descriptions set out in Implementing Regulation (EU) 2025/2392. In many cases, an individual assessment is required. The examples above are schematic and do not constitute a binding legal determination for your product.

More on product classes and conformity pathways: CRA product classes: default, Class I/II and critical — classification & assessment routes.

What comes after the check?

The eligibility check gives you initial orientation. For concrete implementation, the following next steps are recommended:

  1. Prioritise reporting obligations: From 11 September 2026, binding deadlines apply for reporting actively exploited vulnerabilities and severe incidents — this is the first hard deadline. CRA reporting obligations from 11 September 2026
  2. Determine product class: Clarify early on whether your product might be classified as default, important or critical — this significantly affects the effort required for conformity assessment.
  3. Build your SBOM: The software bill of materials is a prerequisite for fast vulnerability handling and for meeting reporting obligations. SBOM requirements under the CRA
  4. Get the full picture: All manufacturer obligations in context: Cyber Resilience Act: requirements, deadlines & obligations for manufacturers

Frequently asked questions

What is a product with digital elements?
The CRA covers hardware and software products that have a direct or indirect logical or physical data connection to a device or network. This typically includes connected devices, industrial control systems, security software, but also simple apps and smart home devices. The precise delineation depends on the individual case.
Does the CRA also apply to free software?
Yes. The regulation applies regardless of whether a product is provided for a fee or free of charge. Free software made available on the EU market is typically subject to CRA requirements — provided the provider qualifies as a manufacturer under the regulation.
From when do I need to act?
The first hard deadline is 11 September 2026: from that date, reporting obligations apply for actively exploited vulnerabilities and severe incidents. The full product requirements (security by design, SBOM, CE marking, etc.) apply from 11 December 2027. Given the effort required for conformity assessment and process establishment, preparation should begin now.
Does the CRA also apply to SMEs and small software manufacturers?
Yes — the CRA contains no general exemption for small or medium-sized enterprises. All manufacturers of products with digital elements placed on the EU market are in principle subject to its requirements. Micro-enterprises benefit from certain eased provisions in specific areas, but are not fully exempt.
What if my product falls under medical device or vehicle regulations?
Products already regulated by equivalent sectoral EU legislation — such as medical devices under MDR/IVDR or motor vehicles under vehicle type-approval regulation — are exempt from the CRA. The decisive question is whether the sectoral framework actually provides equivalent cybersecurity protection; this boundary must be assessed on a case-by-case basis.

Let's talk about your CRA readiness

Have a rough sense of where your product stands? Talk to Christian Gebhardt at Blackfort Technology about concrete next steps — no-obligation initial conversation, no overhead.

Request a first call Check eligibility
The content on this website provides general technical and organizational information on the Cyber Resilience Act (Regulation (EU) 2024/2847) and does not constitute legal advice. Blackfort Technology provides technical/organizational IT-security and compliance consulting, not legal services.