CRA Excluded Products: What the Cyber Resilience Act Skips

CRA exclusions at a glance

Regulations whose products are excluded — MDR, IVDR, Motor Vehicles, Aviation, National Security

Art. 2

The exclusion article — a closed, exhaustive list

€149

Cost per product to generate the Art. 31 dossier if you are NOT excluded

How to check if your product is excluded

Check Art. 2(2) — Medical devices

Products under Regulation (EU) 2017/745 (medical devices) and Regulation (EU) 2017/746 (in vitro diagnostics) are excluded. If your connected device has a medical purpose and is CE-marked under MDR or IVDR, the CRA does not apply.

Check Art. 2(2) — Motor vehicles

Products under Regulation (EU) 2019/2144 (motor vehicle general safety) are excluded. This covers type-approved vehicles and their components. Aftermarket connected accessories not covered by 2019/2144 may still be in CRA scope.

Check Art. 2(3) — Aviation

Products certified under Regulation (EU) 2018/1139 (common rules in civil aviation) are excluded.

Check Art. 2(5) — National security and military

Products developed or modified exclusively for national security or defence purposes are excluded, as are products designed to process classified information.

Check Art. 2(6) — Open-source software

Free and open-source software not placed on the market in the course of a commercial activity is excluded. If the open-source software is commercially distributed, the CRA applies.

If none of the above apply — you are in scope

Run CRACheck's Product Classifier to determine your category (Default, Important Class I/II, or Critical) and generate the 8-document dossier.

Common false exclusion claims

❌

FALSE EXCLUSION

Claiming exclusion because the product is "industrial, not consumer"

Regulation (EU) 2024/2847 does not distinguish between consumer and industrial products. Article 2(1) covers any product with digital elements placed on the EU market with a data connection. Industrial IoT gateways, SCADA controllers, and building automation systems are in scope.

❌

WRONG REGULATION

Assuming RED 2014/53/EU excludes the product from the CRA

The Radio Equipment Directive is not listed in Art. 2(2) as an exclusion. Products under RED are subject to BOTH RED and the CRA. Article 12 addresses overlap — and Article 31(3) allows a single combined technical documentation set. The CRA adds cybersecurity requirements that RED does not cover.

❌

OPEN SOURCE MISREAD

Assuming all open-source software is excluded

Article 2(6) excludes only free and open-source software that is NOT placed on the market in the course of a commercial activity. If you distribute open-source software commercially — whether by selling it, bundling it with paid hardware, or providing paid support — the CRA applies to it.

8 CRA documents for in-scope products

If your product is not excluded, CRACheck generates the complete Art. 31 + Annex VII dossier.

Product Classifier

Annex III / Annex IV classification. Conformity assessment module.

Technical Documentation

Art. 31 + Annex VII. Complete dossier.

Risk Assessment

Art. 13(2)–(3). Cybersecurity risk assessment against Annex I.

User Information

Annex II. 9 required information points.

Declaration of Conformity

Art. 28 + Annex V. Ready for signature.

CVD Policy

Annex I Part II point (5). Coordinated vulnerability disclosure.

Notification Template

Art. 14. ENISA 24h/72h/14d notification.

Obligations Calendar

Key dates and milestones.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated in your browser. No data leaves your device.

Legal scope opinion vs CRACheck

🧾 LEGAL SCOPE OPINION FROM A LAW FIRM

€3,000–€8,000

Per product for a written scope assessment. 2–4 weeks. Product details shared with external counsel. No documentation output — just an opinion letter.

✓ CRACHECK

€149

Product Classifier (scope + classification) included in the 8-document dossier. 15–25 minutes. 100% browser-side. If the classifier confirms you are in scope, the documentation is already generated.

Two layers of compliance

● LAYER 1

Scope determination + documentation — CRACheck does this

CRACheck classifies your product against the CRA scope (Art. 2) and the Annex III/IV categories, and generates the complete Art. 31 + Annex VII dossier. If the Product Classifier determines your product is excluded, the report documents the legal basis for that exclusion.

∅ LAYER 2

Binding legal opinion — Your responsibility

CRACheck's Product Classifier provides a structured, regulation-based classification. It is not a binding legal opinion. If your product sits at the boundary of an exclusion (e.g., a connected device with both medical and consumer functions), consult specialised counsel.

CRACheck gives you the structured analysis and the documentation. A binding scope opinion, if needed, comes from a lawyer.

Enforcement regime

⚖️

CRA: Annex I cybersecurity non-compliance

€15M / 2.5%

Art. 64(2) of Regulation (EU) 2024/2847.

⚖️

CRA: Documentation and conformity assessment failures

€10M / 2%

Art. 64(3) of Regulation (EU) 2024/2847.

⚖️

CRA: Misleading information to authorities

€5M / 1%

Art. 64(4) of Regulation (EU) 2024/2847.

Alternatives compared

Criterion	Law firm scope opinion	Self-assessment (reading the OJ)	Industry association guidance	CRACheck
Scope determination	Written opinion	Your interpretation	General, not product-specific	Automated per Art. 2 + Annex III/IV
Documentation included	No	No	No	8 PDFs per Art. 31 + Annex VII
Price	€3,000–€8,000	€0 + internal hours	Free or membership fee	€149 per product
Time	2–4 weeks	Days	N/A	15–25 minutes

Mixed portfolio — some excluded, some in scope? Each in-scope product needs its dossier.

Volume pricing: €99/product (pack 10), €79/product (pack 30). Run the Product Classifier first to confirm which SKUs require documentation.

Request Volume Pricing

Commercial enquiries via hello@solidwaretools.com

What CRACheck guarantees and what it does not

CRACheck generates a structured document set according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, completeness, and truthfulness of that information is your responsibility as the manufacturer.

We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct. We do not guarantee that a specific document will be accepted by a market surveillance authority in a particular case.

CRACheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.

Frequently asked questions — CRA exclusions

Are toys excluded from the CRA?

No. Toys are not listed in Article 2(2)–(5) of Regulation (EU) 2024/2847. Internet-connected toys with social interactive features or location tracking are explicitly listed as Important Class I in Annex III point 18. They require CRA documentation.

Is a connected building automation system excluded?

No. Building automation controllers, smart thermostats, and connected HVAC systems are not excluded under Article 2(2)–(5). If they have digital elements and a data connection, Article 2(1) applies. They must comply with the CRA and produce Art. 31 documentation.

My device has both medical and consumer functions. Is it excluded?

If the device falls under Regulation (EU) 2017/745 (MDR), the CRA exclusion in Article 2(2)(a) applies to the extent the device is covered by MDR. However, if the device has functions outside the scope of MDR — for example, consumer wellness features not qualifying as medical — the CRA may apply to those non-medical aspects. This is a boundary case that benefits from specialised legal advice.

Does the exclusion for motor vehicles cover aftermarket accessories?

The exclusion in Article 2(2)(c) covers products under Regulation (EU) 2019/2144 — primarily type-approved vehicles and their OEM components. Aftermarket connected accessories (dashcams, OBD-II dongles, connected car chargers) that are not covered by 2019/2144 type approval may fall under the CRA.

Are government or public sector products excluded?

Article 2(5) excludes products for national security, defence, or military purposes, and products designed to process classified information. Standard government procurement of commercial products (office hardware, networking equipment, software) does not trigger an exclusion — the CRA applies to those products.

Is this a subscription?

No. One-time payment. The licence includes a 30-day editing window and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Article 16(m) of Directive (EU) 2011/83, by activating the licence you give express consent for the immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are accepted only for reproducible technical defects.

What if the regulation changes?

If the regulation is amended during the validity of your licence, you can regenerate the document with the updated version of the generator at no additional cost.

Official legal sources

Regulation (EU) 2024/2847 — Cyber Resilience Act — full text

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.