Who Must Comply with the CRA? Article 2 Scope and Roles

The CRA applies to any product with digital elements that connects, directly or indirectly, to a device or network and lands on the EU market. If that test is satisfied and you are not carved out by Article 2, your next question is which role you play under Article 3: manufacturer, importer, distributor, authorised representative, or open-source steward. This page is the sorting machine before you commit to a deep article.

Summary

  • The scope test is one sentence (Article 2(1)). It turns on a "direct or indirect logical or physical data connection to a device or network", which is broader than most teams assume.
  • Article 2 carves out five product families. Medical devices, motor vehicles, civil aviation, marine equipment, and products developed or modified exclusively for national security, defence, or classified-information processing.
  • Three economic-operator roles do most of the work. Manufacturer (Articles 13 and 14), importer (Article 19), distributor (Article 20).
  • Watch the deemed-manufacturer trap (Article 22). Substantially modify a product after it was placed on the market, and you become the manufacturer for the affected part or the whole product.
  • Open-source stewards have a lighter regime (Article 24). A documented cybersecurity policy and a cooperation duty, not the full manufacturer load.
  • Multiple roles stack to the strictest. When you fit more than one definition, the heaviest obligation set applies.

Four anchors that decide whether the CRA applies to you and how heavily: the scope test, the carve-outs, the role axis, and the modifier trap.

  • Scope test: Article 2(1). Direct or indirect data connection.
  • Carve-out families: 5. Article 2(2) to (8).
  • Economic-operator roles: 3. Articles 13, 19, 20.
  • Deemed-manufacturer trap: Article 22. Substantial modification.

The scope gate: is your product covered?

Article 2(1) defines the CRA's scope in a single sentence:

"This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network."

The most consequential phrase is "direct or indirect logical or physical data connection". Article 3 defines what each component means. The translation into plain English:

| Connection type | Plain meaning | Real-world example |
|---|---|---|
| Logical (Article 3(8)) | A virtual data path implemented through a software interface. | A REST API call between a microservice and a backend; an MQTT topic between an IoT device and a broker. |
| Physical (Article 3(9)) | A connection through electrical, optical, or mechanical interfaces, wires, or radio waves. | An Ethernet cable; a Bluetooth pairing; an RS-485 industrial bus. |
| Indirect (Article 3(10)) | A connection that runs through a larger system that is itself directly connectable. | A sensor that talks only to a local hub, where the hub itself reaches the internet. The sensor is in scope through the hub. |

In practice, the indirect-connection clause is the broadest catch. A sensor that talks only to a local hub is in scope if the hub itself is connectable. A medical accessory that pairs to a phone over Bluetooth is in scope through the phone. A factory PLC that reaches the internet only through an industrial gateway is in scope through the gateway. Industrial and IoT manufacturers who assume "no Wi-Fi means no CRA" miss this clause and miss the regulation entirely.

A "product with digital elements" is then defined in Article 3(1) as a software or hardware product and its remote data processing solutions, including software or hardware components placed on the market separately. Standalone components shipped on the market also fall in scope.

Article 2 carve-outs

Article 2 paragraphs 2 to 8 list what is excluded from the CRA:

| What's carved out | Source |
|---|---|
| Medical devices and in vitro diagnostic medical devices | Reg. (EU) 2017/745 (MDR), Reg. (EU) 2017/746 (IVDR) |
| Motor vehicles | Reg. (EU) 2019/2144 |
| Civil aviation products | Reg. (EU) 2018/1139 |
| Marine equipment | Dir. 2014/90/EU |
| Spare parts replacing identical components made to the same specifications | Article 2(6) |
| Products developed or modified exclusively for national security or defence | Article 2(7) |
| Information whose disclosure would be contrary to a Member State's essential security interests | Article 2(8) |

Article 2(5) further allows the Commission to limit or exclude the CRA's application where another Union act already covers the same risks at an equivalent or higher level of protection.

For the cybersecurity tier of your product (default, important Class I, important Class II, or critical), see CRA product classification and CRA conformity assessment.

The role axis: which economic operator are you?

Article 3 defines four roles relevant to operators placing products on the EU market.

You are a manufacturer (Article 3(13)) if you develop or have designed and manufactured a product with digital elements and market it under your own name or trademark, paid or free. Manufacturers carry the full obligation set under Article 13: risk-based design, vulnerability handling under Annex I Part II, technical documentation under Annex VII, EU Declaration of Conformity, CE marking, and Article 14 reporting of severe incidents and actively exploited vulnerabilities. Selling under your own brand a product designed and built by an OEM still makes you the manufacturer. See CRA manufacturer obligations.

You are an importer (Article 3(16)) if you are established in the Union and place on the EU market a product with digital elements that bears the name or trademark of a person established outside the Union. Article 19 requires importers to verify, before placing the product, that the manufacturer has carried out the conformity assessment, drawn up the technical documentation, affixed the CE marking, and provided the EU Declaration of Conformity and required user information. Importers must keep documentation for ten years and cooperate with market surveillance authorities. See CRA importer obligations.

You are a distributor (Article 3(17)) if you are in the supply chain, other than the manufacturer or importer, and you make a product available on the Union market without affecting its properties. Article 20 requires distributors to verify, before making the product available, that the CE marking is affixed, the EU Declaration of Conformity is available, and the manufacturer has provided the required information and instructions. See CRA distributor obligations.

You are an authorised representative (Article 3(15)) if you are established in the Union and have a written mandate from a non-EU manufacturer to act on its behalf. A non-EU manufacturer placing products on the EU market must appoint an authorised representative under Article 18; the AR is the EU-based point of contact for market surveillance authorities. See CRA authorised representative.

The deemed-manufacturer trap: Article 22

Figure: CRA role escalation decision tree, showing when an importer or distributor crosses into manufacturer territory under Article 22. Make a change that affects Annex I compliance, or alter the product's intended purpose, and you inherit the full Article 13 and 14 obligations for the affected part, or for the whole product if cybersecurity is touched overall.

Article 22(1) creates a "deemed manufacturer" role: anyone other than the manufacturer, importer, or distributor who carries out a substantial modification of a product and then makes the modified product available on the market is treated as the manufacturer for that product, with the full Article 13 and 14 obligations attached.

Article 22(2) sets the scope of those obligations. If the modification only affects part of the product, the deemed-manufacturer duties cover that part. If the modification has an impact on the cybersecurity of the whole product, they cover the whole product.

A "substantial modification" is defined in Article 3(30) as a change made after the product was placed on the market that either affects the product's compliance with the essential cybersecurity requirements in Annex I Part I, or alters the intended purpose for which the product was originally assessed. Two patterns trigger this in practice: re-flashing or repackaging a third-party device with custom firmware, and integrating a third-party product into a system in a way that changes its intended purpose. In either case, the modifier inherits Article 13 and 14 obligations for the affected part, or for the whole product if cybersecurity is touched overall.

Brand-labelling under your own name is not Article 22; it is the Article 3(13) definition of manufacturer. If you sell a third-party product under your own brand, you are the manufacturer from the start, not a deemed manufacturer.

Open-source software stewards: Article 24

An open-source software steward (Article 3(14)) is a legal entity, other than a manufacturer, whose purpose is to systematically support the development of specific open-source products intended for commercial activities and to ensure their viability. In practice, stewards are typically foundations or non-profit legal entities that sustain an upstream project itself, not companies that ship open-source software inside their own products.

The duties are narrower than the manufacturer regime but still concrete:

  • Document a cybersecurity policy (Article 24(1)) that fosters secure development of the project and effective vulnerability handling by its developers, encourages voluntary vulnerability reporting under Article 15, and supports information sharing within the open-source community.
  • Cooperate with market surveillance authorities (Article 24(2)) on reasoned request, including by providing the cybersecurity policy documentation.

This regime does not apply to most companies that ship open-source software inside a commercial product. If you take an open-source library, integrate it into a product you market, and place that product on the EU market under your own name, you are a manufacturer, not a steward.

Decision tree: identify your compliance path

| If you ... | You are a ... | Go to ... |
|---|---|---|
| Design or have manufactured a product with digital elements that you place on the EU market under your name or trademark | Manufacturer (Articles 13 and 14) | Manufacturer obligations |
| Are EU-established and place a product on the EU market that bears the name or trademark of a non-EU person | Importer (Article 19) | Importer obligations |
| Are in the supply chain (not manufacturer or importer) and make a product available on the EU market without affecting its properties | Distributor (Article 20) | Distributor obligations |
| Carry out a substantial modification of a product before placing it on the market | Deemed manufacturer (Article 22) | Full Article 13 and 14 obligations apply for the affected part or whole product |
| Are a non-EU manufacturer placing products on the EU market | Manufacturer (Articles 13 and 14) and must appoint an Authorised Representative (Article 18) | Authorised representative |
| Are a legal entity systematically supporting an open-source project as your core purpose, not commercial distribution | OSS steward (Articles 3(14) and 24) | OSS steward regime |

If you fall into more than one role, the strictest obligation set applies. A company that develops a product, brands it, and places it on the EU market is a manufacturer regardless of which subcontractors did the design or build; a company that imports a non-EU product and substantially modifies it before placing it inherits manufacturer obligations under Article 22 in addition to its importer status.

Frequently Asked Questions

My product is only on a local network. Is the CRA still in scope?

Probably yes. The scope test covers any indirect connection: a product is in scope if it connects through a larger system that is itself connectable. A sensor on a local hub, a Bluetooth peripheral that pairs with a phone, or a PLC behind an industrial gateway all sit in scope through the device they connect to. The narrow case where the CRA does not apply is a product with no software, no firmware, and no path to any other device or network at all (Articles 2(1) and 3(10)).

I run a SaaS service. Does the CRA apply to me?

Generally no. SaaS sits under NIS2, not the CRA. The CRA applies to a software or hardware product placed on the market. A pure cloud-hosted service does not meet that definition. The exception is a remote data processing solution supplied by the manufacturer: a cloud component that is necessary for the product to perform its functions is in scope as part of that product. SaaS that also ships an installable client (a desktop or mobile app, an SDK, an on-prem agent) puts the installable part in scope (Article 3(1) and (2)).

We resell unmodified hardware under our own brand. Manufacturer or distributor?

Manufacturer. Anyone who markets a product under their own name or trademark is the manufacturer, regardless of who designed or built it. Brand-labelling an OEM product is the textbook case, and you inherit the full Article 13 and 14 obligation set. This is not the deemed-manufacturer route; you are the manufacturer from the start (Article 3(13); not Article 22).

We use open-source libraries in our product. Are we a steward under Article 24?

No. Stewards are typically foundations or non-profit legal entities that systematically support an open-source project as their core purpose. A company that takes an open-source library, integrates it into a commercial product, and places that product on the EU market is a manufacturer for that product. The lighter regime is for the entity sustaining the upstream project, not for downstream consumers of it (Articles 3(14) and 24; manufacturer obligations at Articles 13 and 14).

A non-EU company sells direct to EU consumers via our marketplace. Who is responsible?

It depends on the chain. The non-EU manufacturer must appoint an authorised representative; if it does not, an EU-established importer (the operator placing the product on the EU market) inherits some of the duties. A marketplace that only intermediates and does not place products on the market itself is generally not the importer; if the marketplace owns the listing or fulfils the order from EU stock, it crosses into importer territory. Check the actual transaction flow before deciding (Articles 18 and 19).

Where to start

  1. Confirm scope. Run your product through the Article 2(1) test above and check it is not in any Article 2(2) to (8) carve-out.
  2. Identify your role. Use the decision tree above: manufacturer, importer, distributor, authorised representative, or open-source steward.
  3. Check the deemed-manufacturer trap. Article 22 pulls anyone who substantially modifies a product after it is on the market into the full Article 13 and 14 obligations.
  4. Go to your role page: Manufacturer, Importer, Distributor, Authorised representative.
  5. Return to the CRA compliance hub and build the four artefacts: SBOM, Declaration of Conformity, technical file, vulnerability handling process.