Does the CRA apply to components sold separately?

Yes. Article 3(1) of Regulation (EU) 2024/2847 defines 'product with digital elements' as including software or hardware components placed on the market separately. If you sell a firmware module, a security chipset, or a software library as a standalone product, it requires its own Art. 31 documentation.

My product connects only via Bluetooth, not the internet. Is it in scope?

Yes. Article 2(1) covers any product whose intended purpose includes a direct or indirect logical or physical data connection to a device or network. Bluetooth, Zigbee, Z-Wave, LoRa, USB, and LAN connections all qualify as data connections under this definition.

How do I know if my product is Class I, Class II, or Critical?

Annex III of Regulation (EU) 2024/2847 lists 19 Important Class I categories (including routers, operating systems, VPNs, password managers, smart home devices) and 4 Class II categories (firewalls, hypervisors, intrusion detection systems, tamper-resistant microprocessors/microcontrollers). Annex IV lists Critical products. If your product does not match any listed category, it is Default. CRACheck's Product Classifier automates this determination.

What if my product is both under the CRA and under a sector-specific directive?

Article 12 of Regulation (EU) 2024/2847 addresses overlap with other Union harmonisation legislation. For products subject to both the CRA and sector-specific requirements (e.g., RED 2014/53/EU, Machinery Regulation 2023/1230), a single set of technical documentation may be drawn up per Article 31(3), combining the CRA requirements with those of the sector-specific act.

Are purely mechanical products excluded?

Products without software, firmware, or any digital element are not products with digital elements as defined in Article 3(1) and are therefore outside the scope of Article 2(1). A purely mechanical lock, a hand tool without connectivity, or a passive cable is not covered.

Is this a subscription?

No. One-time payment. The licence includes a 30-day editing window and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Article 16(m) of Directive (EU) 2011/83, by activating the licence you give express consent for the immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are accepted only for reproducible technical defects.

What if the regulation changes?

If the regulation is amended during the validity of your licence, you can regenerate the document with the updated version of the generator at no additional cost.

You have a product catalogue with 40 SKUs — routers, firmware modules, a desktop application, a sensor gateway. You need to know which of them fall under Regulation (EU) 2024/2847 and which do not. Article 2(1) defines the scope. Annex III classifies the important ones. CRACheck's Product Classifier answers the question per product in under two minutes.

The Cyber Resilience Act applies to products with digital elements whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network (Article 2(1) of Regulation (EU) 2024/2847). That definition covers standalone software, firmware, embedded systems, IoT devices, networking equipment, industrial controllers, consumer electronics, and connected hardware components placed on the market separately. The regulation further classifies products as Default, Important Class I (Annex III, 19 categories), Important Class II (Annex III, 4 categories), or Critical (Annex IV) — each with different conformity assessment requirements under Article 32. CRACheck classifies your product and generates the 8-document Art. 31 dossier in 15–25 minutes. €149 per product.

Generate CRA Dossier — €149 Free: check your product classification

€149 one-time payment per product · 8 PDF documents in ZIP · 15–25 minutes · 100% in your browser

CRA scope at a glance

23+

Product categories explicitly listed in Annex III + Annex IV

Art. 2(1)

Scope article — any product with digital elements and a data connection

Product classifications: Default, Important I, Important II, Critical

How to determine if your product is in scope

Identify whether your product has digital elements

Article 3(1) defines "product with digital elements" as any software or hardware product and its remote data processing solutions. If your product contains or is software, firmware, or connects to a network, it likely qualifies.

Check for exclusions

Article 2(2)–(5) excludes medical devices (Reg. 2017/745, 2017/746), motor vehicles (Reg. 2019/2144), aviation products certified under Reg. 2018/1139, and products for national security or military purposes. If your product falls under one of these, the CRA does not apply.

Run the Product Classifier

CRACheck maps your product against the 19 Class I categories, 4 Class II categories, and the Critical product list. If your product is not listed, it defaults to the Default category.

Understand the conformity assessment implications

Default and Class I (with harmonised standards): Module A internal control. Class I (without harmonised standards): Module A or Module B+C or H. Class II and Critical: Module B+C or H through a notified body (Art. 32(2)–(3)).

Generate the technical documentation

Regardless of classification, every in-scope product needs Art. 31 + Annex VII documentation. CRACheck produces the 8-document dossier.

Download and file per product

Each product in your catalogue requires its own dossier. Download, sign the declaration, store for 10 years (Art. 13(18)).

Common scope mistakes

❌

SCOPE CONFUSION

Assuming "no internet connection" means no CRA obligation

Article 2(1) covers not only internet-connected products but any product with a direct or indirect logical or physical data connection to a device or network. A Bluetooth sensor, a USB-connected module, or a device communicating via LAN is in scope even without internet access.

❌

CLASSIFICATION ERROR

Treating all in-scope products as Default category

Annex III of Regulation (EU) 2024/2847 lists 19 Important Class I categories (identity management, browsers, password managers, VPNs, routers, operating systems, smart home devices, etc.) and 4 Class II categories (hypervisors, firewalls, tamper-resistant microprocessors). A router manufacturer cannot claim Default classification.

❌

COMPONENT OVERSIGHT

Ignoring software components placed on the market separately

Article 3(1) explicitly includes "software or hardware components being placed on the market separately". If you sell a firmware module, an SDK, or a security library as a standalone product, it is an independent product with digital elements under the CRA — requiring its own documentation.

8 CRA documents per product

CRACheck classifies your product and generates the complete Art. 31 + Annex VII dossier.

Product Classifier

Annex III / Annex IV classification. Conformity assessment module.

Technical Documentation

Art. 31 + Annex VII. Complete dossier.

Risk Assessment

Art. 13(2)–(3). Cybersecurity risk assessment against Annex I.

User Information

Annex II. 9 required information points.

Declaration of Conformity

Art. 28 + Annex V. Ready for signature.

CVD Policy

Annex I Part II point (5). Coordinated vulnerability disclosure.

Notification Template

Art. 14. ENISA 24h/72h/14d notification.

Obligations Calendar

Key dates and milestones.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated in your browser. No data leaves your device.

Scope analysis: consultancy vs CRACheck

🧾 SCOPE ANALYSIS BY A CONSULTANCY

€3,000–€8,000

For a product portfolio scope review. 2–4 weeks turnaround. Product data shared with external consultants.

✓ Last regulatory check: 2 May 2026 · No substantive changes detected · View history