
Last updated: 2026-07-18
For manufacturers in the health space, one of the first and most consequential questions about the Cyber Resilience Act (Regulation (EU) 2024/2847) is: does my product fall under it at all? The CRA explicitly excludes medical devices – but the exclusion is narrower than many assume. This page frames the boundary in technical-organizational terms. It is orientation, not a legally binding classification of your specific product.
Why medical devices are excluded
The CRA is a horizontal cybersecurity regulation for "products with digital elements" (PDE). It excludes medical devices via Art. 2(2)(a) (MDR) and in-vitro diagnostics via Art. 2(2)(b) (IVDR). The rationale is to avoid double regulation: the MDR and IVDR already impose essential requirements on programmable systems, including cybersecurity – for the MDR, for example, in Annex I §17. The EU legislator therefore does not move these products into a "rule-free zone" but leaves them in a different, equally demanding regime.
Excluded vs. in scope
What matters is the product's intended purpose, not the market segment. The following comparison is illustrative and does not replace a regulatory classification:
| Excluded from the CRA (under MDR/IVDR) | Within CRA scope (not a medical device) |
|---|---|
| Software with a medical intended purpose under the MDR (e.g. diagnostic, therapy, findings software) | Wellness, fitness and lifestyle software without a medical intended purpose |
| In-vitro diagnostics and their associated software under the IVDR | General health apps that are not a medical device |
| Programmable medical devices placed on the market as a medical device | Hospital and practice administration IT (billing, scheduling, resources) |
| Accessories that are themselves classified as a medical device / IVD | General IT infrastructure, network components, wearables without a medical intended purpose |
The right-hand column is the heart of the misunderstanding: these products are "health-adjacent" but precisely not medical devices – and thus ordinary PDEs under the CRA. Whether a specific product sits left or right is a classification question that must be examined individually.
A decision structure for your product
1. Examine the intended purpose
Does the product, by its intended purpose, meet the definition of a medical device (MDR) or an in-vitro diagnostic (IVDR)? Only if yes does the exclusion under Art. 2(2)(a)/(b) apply. This classification is the actual pivot of the whole question.
2. Separate components and accessories
The PDE assessment is product-based (Art. 3(1)) and covers components placed on the market separately. An accessory or standalone component not itself classified as a medical device can be a PDE in its own right within CRA scope – even if the main product falls under the MDR.
3. Weigh integral cloud/backends
Integral remote data processing (Art. 3(2)) – a backend without which a product function would not run – is treated as part of the PDE under the CRA. For MDR/IVDR products, the respective regime governs accordingly. The allocation must be documented cleanly for each component.
4. Resolve mixed portfolios
Many providers have a portfolio of medical devices and non-medical devices. Both must be considered separately: one product may fall under the MDR, the next under the CRA. A blanket "we are medtech, so we are out" assumption does not hold.
Why the boundary is so easily misdrawn
The misjudgement usually stems from two shortcuts. First, "health-related" is equated with "medical device" – legally these are separate categories. Second, it is assumed that proximity to the MDR exempts the entire company; in reality, each product is classified on its own. Getting this wrong carries a double risk: either unnecessary CRA effort for a genuine medical device – or, more seriously, placing a product that is actually subject to the CRA on the market without CRA conformity assessment and CE marking.
The general application of the CRA – Annex I requirements, conformity assessment and CE marking – applies from 11 December 2027. Anyone operating at the medtech/IT boundary should establish the allocation on a reliable footing well before then, because conformity obligations, documentation and processes differ fundamentally depending on the regime. Whether there is any exposure at all can be structured via our scope check; for classifying CRA-relevant products, the CRA product classes provide further orientation.
Frequently asked questions
Are all health apps excluded from the Cyber Resilience Act?+
What determines whether a product falls under the MDR/IVDR or the CRA?+
Does the CRA exclusion mean medical devices have no cybersecurity duties?+
Can part of my portfolio fall under the CRA and another part under the MDR?+
By when must the boundary be clarified?+
Sources
- https://eur-lex.europa.eu/eli/reg/2024/2847/oj/eng
- https://digital-strategy.ec.europa.eu/en/policies/cra-summary
- https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Cyber_Resilience_Act/cyber_resilience_act_node.html
- https://eur-lex.europa.eu/eli/reg/2017/745/oj
- https://eur-lex.europa.eu/eli/reg/2017/746/oj
- https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202402847
This content provides general technical and organizational information on the Cyber Resilience Act (Regulation (EU) 2024/2847) and does not constitute legal advice (no legal services within the meaning of the German RDG).