NEW: CRA vulnerability reporting begins 11 September 2026 — is your product ready? Check now →

Who does the CRA actually affect?

If your product has a network connection and you place it on the EU market, the CRA almost certainly applies. Here's the long-form version of what that means for each group.

Is my product in scope?

  1. Does it have a digital element?

     Software, firmware, or hardware whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.

  2. Is it placed on the EU market?

     Sold, licensed, distributed, or otherwise made available to users in the EU. Free apps in EU stores count, provided the other criteria are met.

  3. Is there commercial intent?

     Direct sales, paid support beyond cost recovery, advertising or other monetisation, or development by or for a commercial entity. Purely non-commercial supply is out of scope.

  4. Is it carved out by a sector-specific EU regime?

     Medical devices (MDR/IVDR), motor vehicles under type-approval rules, civil aviation, marine equipment, and products built exclusively for national security or defence are excluded; their own rules apply instead.

Yes, yes, yes, no? You're in scope. Time to start preparing.

Mobile App Developers

Most Android and iOS apps are default-category products. You self-assess against the essential requirements in Annex I (13 product-security properties plus 8 vulnerability-handling requirements, the "21" you will see quoted), draw up an EU Declaration of Conformity, and affix CE marking. For software with no packaging the marking goes on the Declaration of Conformity or on the website accompanying the software, which for an app is typically its store listing or product page.

You will need to maintain a coordinated vulnerability-disclosure policy, publish a contact address for vulnerability reports, and keep an SBOM in a machine-readable format covering at least the top-level third-party libraries and SDKs your app ships. The SBOM is part of the technical documentation: it does not have to be published, but market-surveillance authorities can ask for it.

Apps that are themselves identity-management or privileged-access-management systems, password managers, or browsers are listed in Annex III as Class I (important). For Class I you can still self-assess, but only if you apply harmonised standards, common specifications, or an EU cybersecurity certification scheme in full; otherwise a notified body must assess the product.

Default category in most cases

SMEs and startups

The CRA explicitly recognises the burden on smaller companies. Microenterprises (under 10 employees) and small enterprises (under 50) are promised support measures under Article 33: awareness-raising and training, help with testing and conformity assessment, and a simplified technical-documentation format. The reporting deadlines are not relaxed, though: the 24-hour early warning, the 72-hour notification and the final report apply to every manufacturer regardless of size.

Reporting obligations still apply, and the essential requirements are not waived. Most SMEs will land in the default category and self-assess.

Notified-body fees are not waived, but only some products need a notified body at all: Class I products can self-assess when harmonised standards, common specifications or an EU certification scheme are applied in full, while Class II always needs third-party assessment. Most SMEs are in the default category and unaffected.

Limited exemptions only

Open-source maintainers

Pure non-commercial open source is out of scope. A hobby project on GitHub with no monetisation, no donations tied to features, and no commercial sponsorship is exempt.

If you monetise the project yourself (paid support beyond cost recovery, dual licences, a hosted commercial edition, a roadmap paid for by a customer), you are a manufacturer with the full set of obligations, not a steward. The open-source steward role (Article 24) is for legal persons, typically foundations, that systematically support the development of open-source software intended for commercial use without placing it on the market themselves. Stewards must adopt a cybersecurity policy, cooperate with market-surveillance authorities, and report actively exploited vulnerabilities and severe incidents they become aware of, but they do not apply CE marking and are not subject to the CRA's administrative fines.

When OSS is bundled into a commercial product, the manufacturer of that product carries full CRA obligations for the bundled OSS, and must report any vulnerability it finds in a component back to the component's maintainer. This is why SBOMs become important: you can't take responsibility for what you can't enumerate.

Steward role for funded projects

Non-EU businesses selling into the EU

The CRA applies to anyone placing a product on the EU market, regardless of where the company is based. A US developer publishing an Android app in the EU app stores is in scope. So is a UK SaaS that ships a desktop client to EU customers.

Manufacturers established outside the Union may appoint an EU-based authorised representative by written mandate (Article 18). The representative must at least keep the Declaration of Conformity and technical documentation available to market-surveillance authorities for ten years, provide information on request, and cooperate on corrective action. In practice authorities and CSIRTs want an EU contact point, and without one the importer is the economic operator they will turn to.

Reports go to the CSIRT designated as coordinator in the Member State where the manufacturer has its main establishment in the Union or, failing that, where the authorised representative (or otherwise the importer or distributor) is established. The single reporting platform run by ENISA routes the submission to that CSIRT and to ENISA.

Authorised representative required

IoT and connected hardware

Smart-home products, wearables, industrial IoT, and any embedded device with a network interface fall under the CRA. Many products that look "default" actually fall into Class I when they include identity, authentication, or network-management functions.

Hardware-software combinations need an SBOM that covers both the firmware and the bundled OS and libraries, down to at least the top-level dependencies. The SBOM must be in a commonly used, machine-readable format, which in practice means CycloneDX or SPDX.
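What "covers both the firmware and the bundled OS or libraries" looks like in CycloneDX JSON, as an added illustration that is not code from the original page or from any official CRA or CycloneDX tooling: the firmware image is the subject of the document, everything it ships is a component reachable from it in the dependency graph, and a completeness check flags entries that could not be matched against an advisory. The device name, versions, hashes and the check rules are constructed for the example.

```python
"""Build and sanity-check a CycloneDX 1.5 SBOM for a firmware + OS bundle.

Illustrative example only (not from the original page). Device, versions and
hashes are constructed; the check rules are this example's own.
"""
import json
import uuid
from datetime import datetime, timezone

# Constructed inventory for a hypothetical gateway 'acme-gw-200'.
FIRMWARE = {"name": "acme-gw-200-firmware", "version": "3.2.0",
            "type": "firmware", "sha256": "0" * 64}
BUNDLED = [
    {"name": "linux", "version": "6.6.30", "type": "operating-system",
     "purl": "pkg:generic/linux@6.6.30"},
    {"name": "openssl", "version": "3.0.13", "type": "library",
     "purl": "pkg:generic/openssl@3.0.13"},
    {"name": "busybox", "version": "1.36.1", "type": "library",
     "purl": "pkg:generic/busybox@1.36.1"},
    # Deliberately incomplete entry: no version, no purl, no hash.
    {"name": "mosquitto", "version": "", "type": "library"},
]


def component(entry):
    """Translate one inventory entry into a CycloneDX component object."""
    comp = {
        "type": entry["type"],
        "bom-ref": f"{entry['name']}@{entry['version'] or 'unknown'}",
        "name": entry["name"],
        "version": entry["version"],
    }
    if entry.get("purl"):
        comp["purl"] = entry["purl"]
    if entry.get("sha256"):
        comp["hashes"] = [{"alg": "SHA-256", "content": entry["sha256"]}]
    return comp


def build_sbom(firmware, bundled):
    """Assemble a CycloneDX 1.5 document: the firmware is metadata.component
    and every bundled item is declared as one of its direct dependencies."""
    root = component(firmware)
    comps = [component(e) for e in bundled]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": root,
        },
        "components": comps,
        "dependencies": [
            {"ref": root["bom-ref"], "dependsOn": [c["bom-ref"] for c in comps]},
        ] + [{"ref": c["bom-ref"], "dependsOn": []} for c in comps],
    }


def check_sbom(sbom):
    """Return a list of findings; an empty list means every shipped component
    is identifiable (version plus purl or hash) and reachable from the firmware
    through the dependency graph. Not an official conformance test."""
    findings = []
    comps = sbom.get("components", [])
    root_ref = sbom["metadata"]["component"]["bom-ref"]
    known = {root_ref} | {c["bom-ref"] for c in comps}
    for c in comps:
        if not c.get("version"):
            findings.append(f"{c['name']}: no version, cannot match advisories")
        if not c.get("purl") and not c.get("hashes"):
            findings.append(f"{c['name']}: no purl or hash, identity is ambiguous")
    declared = {d["ref"]: set(d.get("dependsOn", []))
                for d in sbom.get("dependencies", [])}
    # Walk the graph from the firmware; anything shipped but unreachable is
    # a component nobody has declared responsibility for.
    reachable, stack = set(), [root_ref]
    while stack:
        ref = stack.pop()
        if ref in reachable:
            continue
        reachable.add(ref)
        stack.extend(declared.get(ref, ()))
    for c in comps:
        if c["bom-ref"] not in reachable:
            findings.append(f"{c['bom-ref']}: shipped but not reachable from the firmware")
    for ref, deps in declared.items():
        for dep in sorted(deps - known):
            findings.append(f"{ref}: depends on undeclared ref {dep}")
    return findings


if __name__ == "__main__":
    doc = build_sbom(FIRMWARE, BUNDLED)
    print(json.dumps(doc, indent=2))
    for finding in check_sbom(doc):
        print("FINDING:", finding)
```

Run as a script it prints the document and then two findings for the mosquitto entry; once that entry carries a version and a purl, `check_sbom` returns an empty list. The reachability walk is what makes the check useful on real SBOMs, where most libraries are transitive dependencies rather than direct children of the firmware.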

Industrial firewalls and intrusion detection/prevention systems are Class II (important) under Annex III and always need third-party assessment. Smart-meter gateways, smartcards and secure elements, and hardware security modules ("hardware devices with security boxes") are listed separately in Annex IV as critical products, for which the Commission can additionally mandate EU cybersecurity certification.

Higher risk category likely

Importers and distributors

Importers and distributors carry independent verification duties. Before placing a product on the EU market, importers must check that the manufacturer has carried out the conformity assessment and drawn up the technical documentation, that the CE marking and required user information are present, and that the manufacturer can be identified. Distributors must verify the CE marking and that the manufacturer and importer have met their own obligations. Either party that knows or has reason to believe a product is non-conforming must not place it on the market and must inform the manufacturer and the market-surveillance authorities.

An importer or distributor becomes the manufacturer for CRA purposes, with every manufacturer obligation, when it markets the product under its own name or trademark or substantially modifies it. Supply-chain due diligence is now a legal obligation, not a best practice.

Distributors must keep records of who they purchased from and who they sold to for 10 years.

New liability exposure

Is Your Product CRA Ready?

Get a free personalised CRA compliance briefing for your specific product type — delivered to your inbox. No spam, no sales calls.

  • Understand your exact product category (default, Class I, or Class II)
  • Get a checklist of your specific obligations and deadlines
  • Receive guidance on SBOM, vulnerability management, and reporting
  • Early access to our CRA Compliance Manager tool (launching 2026)
  • Weekly CRA news digest — ENISA updates, regulatory guidance

Get Your Free CRA Brief

Takes 60 seconds · Completely free

🔒 No spam. Unsubscribe anytime. Processed in accordance with GDPR.