The Cyber Resilience Act applies to any product with digital elements that connects, directly or indirectly, to a device or network and lands on the EU market. If that test is satisfied and you are not in a carve-out, your next question is which role you play in the EU supply chain: manufacturer, importer, distributor, authorised representative, or open-source steward. This page is the sorting machine before you commit to a deep article.
Summary
- The scope test is one sentence. It turns on a direct or indirect logical or physical data connection to a device or network, which is broader than most teams assume.
- Core carve-outs include sector regimes, spare parts, and defence cases: medical devices, motor vehicles, civil aviation, marine equipment, identical spare parts, and products developed or modified exclusively for national security, defence, or classified-information processing.
- Three economic-operator roles do most of the work: manufacturer, importer, and distributor.
- Watch the manufacturer-obligation switch. Importers and distributors that use their own brand or substantially modify a product are treated as manufacturers; other third-party substantial modifiers are covered separately.
- Open-source stewards have a lighter regime: a documented cybersecurity policy and a cooperation duty, not the full manufacturer load.
- Multiple roles stack to the strictest. When you fit more than one definition, the heaviest obligation set applies.
Four anchors that decide whether the CRA applies to you and how heavily: the scope test, the carve-outs, the role axis, and the manufacturer-obligation switch.
Does the CRA apply to your product?
Start with the product, not the legal citation. The first CRA scope test is whether you make software, hardware, or a digital component available on the EU market, and whether its intended or foreseeable use includes a direct or indirect logical or physical data connection to a device or network.
The most consequential phrase is "direct or indirect logical or physical data connection". In plain English:
| Connection type | Plain meaning | Real-world example |
|---|---|---|
| Logical | A virtual data path implemented through a software interface. | A REST API call between a microservice and a backend; an MQTT topic between an IoT device and a broker. |
| Physical | A connection through electrical, optical, or mechanical interfaces, wires, or radio waves. | An Ethernet cable; a Bluetooth pairing; an RS-485 industrial bus. |
| Indirect | A connection that runs through a larger system that is itself directly connectable. | A sensor that talks only to a local hub, where the hub itself reaches the internet. The sensor is in scope through the hub. |
The indirect-connection clause is the broadest catch. A sensor that talks only to a local hub is in scope if the hub itself is connectable. A sensor accessory that pairs to a phone over Bluetooth is in scope through the phone. A factory PLC that reaches the internet only through an industrial gateway is in scope through the gateway. Industrial and IoT manufacturers who assume "no Wi-Fi means no CRA" miss this clause and miss the regulation entirely.
A "product with digital elements" then covers software or hardware products and their remote data processing solutions, including software or hardware components placed on the market separately; a standalone component shipped on its own is in scope in its own right.
Sectors already regulated elsewhere
Some sectors fall outside the CRA regardless of the threshold tests above, because they are already covered by their own cybersecurity regimes.
| Sector | Governed instead by | Excluded by |
|---|---|---|
| Medical devices | Regulation (EU) 2017/745 (MDR) | Article 2(2), point (a) |
| In-vitro diagnostic medical devices | Regulation (EU) 2017/746 (IVDR) | Article 2(2), point (b) |
| Motor vehicles | Regulation (EU) 2019/2144 | Article 2(2), point (c) |
| Certified civil aviation products | Regulation (EU) 2018/1139 | Article 2(3) |
| Marine equipment | Directive 2014/90/EU | Article 2(4) |
| Spare parts (replacing identical components) | Not applicable; out of scope by definition | Article 2(6) |
| National security, defence, and classified-information products | Member State competence | Article 2(7) |
The Commission may also limit or exclude application of the CRA where another Union act already covers the same risks at an equivalent or higher level of protection.
For the cybersecurity tier of your product (default, important Class I, important Class II, or critical), see CRA product classification and CRA conformity assessment.
CRA roles: manufacturer, importer, distributor, or authorised representative?
Once a product is in scope, your CRA duties depend on what you do in the EU supply chain: whose brand is on the product, who brings it into the Union, who makes it available, and whether anyone changes it before resale.
Manufacturer
You ship the product under your own name or trademark. You develop, or have designed and manufactured, a product with digital elements and market it under your own brand, whether paid or free. Manufacturers carry the full obligation set: risk-based design, vulnerability handling, technical documentation, EU Declaration of Conformity, CE marking, and reporting of severe incidents and actively exploited vulnerabilities. Selling under your own brand a product designed and built by an OEM still makes you the manufacturer. See CRA manufacturer obligations.
Importer
You are EU-established and place a non-EU-branded product on the EU market. Before placing the product, you must verify that the manufacturer has carried out the conformity assessment, drawn up the technical documentation, affixed the CE marking, and provided the EU Declaration of Conformity and required user information. Importers must keep documentation for ten years and cooperate with market surveillance authorities. See CRA importer obligations.
Distributor
You make a product available on the Union market without affecting its properties, and you are a supply-chain operator other than the manufacturer or importer. Before making the product available, you must verify that the CE marking is affixed, the EU Declaration of Conformity is available, and the manufacturer has provided the required information and instructions. See CRA distributor obligations.
Authorised representative
You are EU-established under a written mandate from a manufacturer. The CRA lets a manufacturer appoint an authorised representative by written mandate, but the appointment is not automatic or mandatory just because the manufacturer is outside the EU. The representative acts within the mandated tasks. See CRA authorised representative.
Product modifications: when you become the manufacturer
You sit in the supply chain after a third-party manufacturer. Run the next two checks before you assume you stay an importer or distributor.
- Own brand: putting your own brand on someone else's product makes you the manufacturer from the start, not a deemed manufacturer.
- Substantial modification: a change that affects compliance with the essential cybersecurity requirements, or alters the intended purpose for which the product was originally assessed.
Changing someone else's product can make you responsible as the manufacturer. An importer or distributor is treated as a manufacturer if it sells the product under its own name or trademark, or substantially modifies a product already on the market. The same manufacturer treatment applies to any other natural or legal person that substantially modifies a product and then makes the modified product available.
For other third-party modifiers, the responsibility follows the cybersecurity impact: the manufacturer duties apply to the part of the product affected by the modification, unless the change affects the cybersecurity of the whole product; in that case, the duties cover the whole product.
A "substantial modification" is a change made after the product was placed on the market that either affects the product's compliance with the essential cybersecurity requirements, or alters the intended purpose for which the product was originally assessed. Two patterns trigger this most often: re-flashing or repackaging a third-party device with custom firmware, and integrating a third-party product into a system in a way that changes its intended purpose.
Brand-labelling under your own name is not a substantial-modification trigger; it is the manufacturer definition itself, and applies from the start.
Open-source software stewards
An open-source software steward is a legal entity, other than a manufacturer, whose purpose is to systematically support the development of specific open-source products intended for commercial activities and to ensure their viability. In practice, stewards are typically foundations or non-profit legal entities that sustain an upstream project itself, not companies that ship open-source software inside their own products.
The duties are narrower than the manufacturer regime but still concrete:
- Document a cybersecurity policy that fosters secure development of the project and effective vulnerability handling by its developers, encourages voluntary vulnerability reporting, and supports information sharing within the open-source community.
- Cooperate with market surveillance authorities on reasoned request, including by providing the cybersecurity policy documentation.
This regime does not apply to most companies that ship open-source software inside a commercial product. If you take an open-source library, integrate it into a product you market, and place that product on the EU market under your own name, you are a manufacturer, not a steward.
Decision tree: identify your compliance path
| If you ... | You are a ... | Go to ... |
|---|---|---|
| Design or have manufactured a product with digital elements that you place on the EU market under your name or trademark | Manufacturer | Manufacturer obligations |
| Are EU-established and place a product on the EU market that bears the name or trademark of a non-EU person | Importer | Importer obligations |
| Are in the supply chain (not manufacturer or importer) and make a product available on the EU market without affecting its properties | Distributor | Distributor obligations |
| As importer or distributor, sell under your own name or trademark, or substantially modify a product already placed on the market | Treated as a manufacturer | Full manufacturer obligations |
| As another third party, substantially modify a product and make it available on the market | Treated as a manufacturer | Full manufacturer obligations for the affected part, or for the whole product where the whole product's cybersecurity is affected |
| Are a non-EU manufacturer placing products on the EU market and appoint an EU mandate-holder | Manufacturer, with an authorised representative acting only within the written mandate | Authorised representative |
| Are a legal entity systematically supporting an open-source project as your core purpose, not commercial distribution | OSS steward | OSS steward regime |
If you fall into more than one role, the strictest obligation set applies. A company that develops a product, brands it, and places it on the EU market is a manufacturer regardless of which subcontractors did the design or build; an importer or distributor that substantially modifies a product already placed on the market is treated as a manufacturer.
Common Pitfalls
| Pitfall | Why it fails |
|---|---|
| "We're only on a local network, so the CRA doesn't apply." | The indirect-connection clause catches anything that reaches a connectable system through a hub, phone, or gateway. |
| "We rebrand the OEM product, so we're the distributor." | Selling under your own name or trademark makes you the manufacturer from the start, not a deemed manufacturer. |
| "We use open-source libraries in our product, so we qualify as a steward." | Stewards sustain upstream projects as their core purpose; downstream consumers of open-source software are manufacturers for the product they ship. |
| "Our marketplace only intermediates non-EU sellers, so we have no duties." | A marketplace that holds EU stock or owns the listing crosses into importer territory and inherits the verification and retention duties. |
Frequently Asked Questions
My product is only on a local network. Is the CRA still in scope?
Probably yes. The scope test covers any indirect connection: a product is in scope if it connects through a larger system that is itself connectable. A sensor on a local hub, a Bluetooth peripheral that pairs with a phone, or a PLC behind an industrial gateway all sit in scope through the device they connect to. The narrow case where the CRA does not apply is a product with no software, no firmware, and no path to any other device or network at all.
I run a SaaS service. Does the CRA apply to me?
Generally no. SaaS sits under NIS2, not the CRA; the CRA applies to a software or hardware product placed on the market, and a pure cloud-hosted service does not meet that definition. The exception is a remote data processing solution supplied by the manufacturer: a cloud component that is necessary for the product to perform its functions is in scope as part of that product. SaaS that also ships an installable client (a desktop or mobile app, an SDK, an on-prem agent) puts the installable part in scope.
We resell unmodified hardware under our own brand. Manufacturer or distributor?
Manufacturer. Anyone who markets a product under their own name or trademark is the manufacturer, regardless of who designed or built it. Brand-labelling an OEM product is the textbook case, and you inherit the full manufacturer obligation set. This is not the deemed-manufacturer route; you are the manufacturer from the start.
We use open-source libraries in our product. Are we a steward?
No. Stewards are typically foundations or non-profit legal entities that systematically support an open-source project as their core purpose. A company that takes an open-source library, integrates it into a commercial product, and places that product on the EU market is a manufacturer for that product. The lighter regime is for the entity sustaining the upstream project, not for downstream consumers of it.
A non-EU company sells direct to EU consumers via our marketplace. Who is responsible?
It depends on the chain. The CRA allows the non-EU manufacturer to appoint an authorised representative by written mandate, but the importer question turns on who places the product on the EU market and which operator is EU-established. A marketplace that only intermediates and does not place products on the market itself is generally not the importer; if the marketplace owns the listing or fulfils the order from EU stock, it crosses into importer territory. Check the actual transaction flow before deciding.