What is a Product with Digital Elements under the CRA?

A product with digital elements is hardware or software placed on the EU market whose intended or reasonably foreseeable use involves a direct or indirect data connection to another device or network. Three gates decide it: the product form, the commercial market placement, and the connection. The connection is the test teams underestimate the most. This page walks through each gate, the cloud-specific cases, and the sectors that fall outside CRA scope.

Summary

  • Scope is connection-based. Hardware or software placed on the EU market is in scope when its intended or reasonably foreseeable use includes a data connection to another device or network.
  • The Regulation lists four forms. Software products, hardware products, components placed on the market separately, and remote data processing solutions supplied by the manufacturer.
  • Three connection types apply. Logical, physical, and indirect. The indirect clause is the broadest catch and reaches any product that touches a network through a larger system.
  • Some sectors are excluded. Medical devices, motor vehicles, certified civil aviation products, marine equipment, spare parts, and national-security or defence products all fall outside; see Who must comply for each sector's governing regulation.

  • Connection: the scope test. Direct or indirect, to a device or network.
  • 4 forms in scope. Software, hardware, component, remote data processing.
  • 3 connection types. Logical, physical, indirect.
  • 6+ excluded sectors. Medical, motor, aviation, marine, defence, spare parts.

The CRA's scope in four numbers: the test that brings a product in, the forms it recognises, the three ways a connection counts, and the sectors that fall outside.

What counts as a product with digital elements?

To put it simply, ask three questions. The product is in CRA scope only if all three answers are yes.

  1. Is it a software product, a hardware product, a component placed on the market separately, or a remote data processing solution? These are the four forms covered, detailed in the next section.
  2. Will it be placed on the EU market in the course of a commercial activity? Both paid and free-of-charge supply count as long as the activity is commercial.
  3. Does its intended or reasonably foreseeable use include a direct or indirect data connection to another device or network? The connection types are covered in the data-connection test below.

In plain English, the definition covers software products, hardware products, separately marketed software or hardware components, and the remote processing services the manufacturer supplies as part of the product.

The CRA itself is Regulation (EU) 2024/2847. For the broader context (what the regulation covers, the key dates, and the penalties), see What is the Cyber Resilience Act.

Forms of a product with digital elements

The Regulation recognises four forms. Any one of them can apply to your product.

  • Software product. Operating systems, firewalls, password managers, antivirus suites, browsers, browser extensions, downloadable mobile apps, and developer libraries shipped commercially.
  • Hardware product. Routers, IoT sensors, smart cameras, industrial PLCs, smart-home devices, and fitness trackers. Anything that talks over Wi-Fi, Bluetooth, Ethernet, cellular, or an industrial fieldbus.
  • Component placed on the market separately. Software or hardware shipped on its own for integration into another system. Firmware sold as a separate product, software libraries supplied to OEMs, and embedded modules all qualify.
  • Remote data processing solution. Cloud or remote services the manufacturer designs and provides as part of the product, where the absence of the service would prevent the product from performing one of its functions. The canonical example is a smart-home manufacturer's cloud that lets users control the device remotely. A pure cloud SaaS without a tied product is generally outside the Regulation; SaaS, PaaS, and IaaS as such fall under Directive (EU) 2022/2555 (NIS2).

The decisive test is the data connection, not the form factor.

The data-connection test

Any one of three connection types is enough to bring a product into scope, as long as the product's intended or reasonably foreseeable use includes that connection.

| Connection type | Plain meaning | Real-world example |
|---|---|---|
| Logical | A virtual data path through a software interface | A REST API call between a microservice and a backend |
| Physical | A link through electrical, optical, or mechanical interfaces, wires, or radio | Ethernet cable, Bluetooth pairing, RS-485 industrial bus |
| Indirect | A connection that reaches a device or network through a larger system that is itself directly connectable | Sensor that only reaches the internet through a local hub |

The indirect-connection clause is the most commonly underestimated. A sensor that talks only to a local gateway is in scope if the gateway reaches the internet, even though the sensor itself has no IP stack.

When a cloud service falls inside the CRA

A cloud or SaaS component sits inside the product's CRA conformity scope only when all three of these apply. The European Commission's March 2026 draft guidance (Communication Ares(2026)2319816) walks manufacturers through these conditions step by step.

  1. Does the solution process data at a distance? If the cloud service does not actually process data remotely, it is not a remote data processing solution.
  2. Would the product fail to perform one of its functions without this solution? A backend that is optional or merely enriching does not bring the cloud into scope; the absence of the service has to prevent the product from delivering a function it advertises.
  3. Is the solution designed by or under the responsibility of the manufacturer? An off-the-shelf third-party SaaS that the product happens to use is not a remote data processing solution. A bespoke service developed under the manufacturer's responsibility can be.

A "no" to any one of these takes the cloud component out of remote data processing solution (RDPS) scope.

Out of RDPS does not mean out of obligation. Even when a cloud service does not qualify as a remote data processing solution, the manufacturer still has component due-diligence obligations where the service is integrated into the product. The security obligation shifts from conformity assessment to component management; it does not disappear.

The Commission illustrates the test with five concrete scenarios: a banking app, a smart thermostat, an e-Reader, an industrial robot, and a cellular network device. The guidance also treats a manufacturer-run mobile-app backend and a smart-home cloud as useful boundary examples. It remains in draft pending finalisation across all EU language versions.

What is NOT a product with digital elements

Two threshold tests put a product outside the CRA before the sector question even applies:

  • Products with no software, no firmware, and no data connection. A purely mechanical device with no electronics is out of scope at the entry test. A simple analogue thermostat, a passive cable, or a non-electronic hand tool would not be reached.
  • Pure cloud-only services without a tied product. A standalone SaaS, PaaS, or IaaS that is not the remote data processing solution of a product is outside the CRA; these cloud service models are governed by Directive (EU) 2022/2555 (NIS2) instead. Websites that do not support the functionality of a product with digital elements are also outside the CRA. The regulation reaches a cloud service only when the manufacturer supplies it as part of a product and the absence of the service would prevent the product from working.

Frequently Asked Questions

Is my Bluetooth-only device in scope of the CRA?

Yes. Bluetooth is a physical connection through radio waves, and a device that can pair with a phone, hub, or another Bluetooth host satisfies the scope test. Even if the device never reaches the internet directly, the indirect-connection clause brings it into scope as soon as the paired host reaches a network.

Is SaaS, PaaS, or IaaS in scope of the CRA?

Generally no. Software as a Service, Platform as a Service, and Infrastructure as a Service are governed by Directive (EU) 2022/2555 (NIS2), not by the CRA. A cloud service falls under the CRA only when it is designed and provided by the manufacturer of a product with digital elements and the absence of the service would prevent the product from performing one of its functions. The canonical in-scope example is a smart-home manufacturer's cloud that lets users control the device remotely.

Is our mobile app's backend API in scope of the CRA?

Yes, if the manufacturer of the app designs and develops the backend and the app needs it to function. A mobile application requiring access to an API or database provided by the manufacturer's service brings that service into CRA scope as a remote data processing solution.

Does firmware shipped inside our own hardware count as a separate component?

No, not unless you also place the firmware on the market separately. Firmware bundled inside a hardware product you sell is part of that product, not a standalone component. If you also sell the firmware on its own, for example as an update package, an OEM SDK, or a standalone download, then the separately sold firmware version can be independently in scope.

Is a downloadable mobile app a product with digital elements?

Yes, when supplied in the course of a commercial activity. A mobile app distributed through an app store or as a download is a software product made available on the market. Paid and free commercial apps are both in scope. The fact that an app store distributes the app does not shift CRA responsibility to the store; the manufacturer is the entity that markets the app under its own name or trademark. The product also has to meet the connection test, which most apps satisfy through their intended network or device-API use.

Where to start

  1. Run the free CRA applicability check for an interactive walkthrough, or confirm the connection test manually: any logical, physical, or indirect path to a device or network counts.
  2. Confirm no sector exclusion applies. The full scope check is laid out step by step in Who must comply with the CRA.
  3. Identify your role: manufacturer, importer, distributor, or authorised representative.
  4. Classify the product as Default, Important, or Critical with the help of Product classification.
  5. Pick your conformity assessment route once the tier is set.
  6. Return to the CRA compliance hub and build the four CRA artefacts: SBOM, technical file, vulnerability handling process, and the EU Declaration of Conformity.