Are toys excluded from the CRA?

No. Toys are not listed in Article 2(2)–(5) of Regulation (EU) 2024/2847. Internet-connected toys with social interactive features or location tracking are explicitly listed as Important Class I in Annex III point 18. They require CRA documentation.

Is a connected building automation system excluded?

No. Building automation controllers, smart thermostats, and connected HVAC systems are not excluded under Article 2(2)–(5). If they have digital elements and a data connection, Article 2(1) applies. They must comply with the CRA and produce Art. 31 documentation.

My device has both medical and consumer functions. Is it excluded?

If the device falls under Regulation (EU) 2017/745 (MDR), the CRA exclusion in Article 2(2)(a) applies to the extent the device is covered by MDR. However, if the device has functions outside the scope of MDR — for example, consumer wellness features not qualifying as medical — the CRA may apply to those non-medical aspects. This is a boundary case that benefits from specialised legal advice.

Does the exclusion for motor vehicles cover aftermarket accessories?

The exclusion in Article 2(2)(c) covers products under Regulation (EU) 2019/2144 — primarily type-approved vehicles and their OEM components. Aftermarket connected accessories (dashcams, OBD-II dongles, connected car chargers) that are not covered by 2019/2144 type approval may fall under the CRA.

Are government or public sector products excluded?

Article 2(5) excludes products for national security, defence, or military purposes, and products designed to process classified information. Standard government procurement of commercial products (office hardware, networking equipment, software) does not trigger an exclusion — the CRA applies to those products.

Is this a subscription?

No. One-time payment. The licence includes a 30-day editing window and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Article 16(m) of Directive (EU) 2011/83, by activating the licence you give express consent for the immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are accepted only for reproducible technical defects.

What if the regulation changes?

If the regulation is amended during the validity of your licence, you can regenerate the document with the updated version of the generator at no additional cost.

You manufacture a connected device and you are checking whether Regulation (EU) 2024/2847 excludes it. Article 2 provides a short, closed list of exclusions: medical devices under Regulation (EU) 2017/745, in vitro diagnostics under 2017/746, motor vehicles under 2019/2144, aviation products under 2018/1139, and products for national security or military purposes. If your product is not on that list, the CRA applies — and Article 31 documentation is required.

The Cyber Resilience Act exclusions in Article 2 of Regulation (EU) 2024/2847 are narrower than most manufacturers expect. Medical devices, in vitro diagnostics, motor vehicles, certified aviation products, and national security/military items are explicitly excluded. Free and open-source software not placed on the market in the course of a commercial activity is also excluded under Article 2(6). Everything else — industrial IoT, consumer electronics, networking equipment, desktop and mobile software, firmware, embedded systems — is in scope. If your product has digital elements and a data connection, and it does not fall under one of the listed exclusions, you need the Art. 31 + Annex VII dossier. CRACheck generates it in 15–25 minutes. €149 per product.

Generate CRA Dossier — €149 Free: check your product classification

€149 one-time payment per product · 8 PDF documents in ZIP · 15–25 minutes · 100% in your browser

CRA exclusions at a glance

Regulations whose products are excluded — MDR, IVDR, Motor Vehicles, Aviation, National Security

Art. 2

The exclusion article — a closed, exhaustive list

€149

Cost per product to generate the Art. 31 dossier if you are NOT excluded

How to check if your product is excluded

Check Art. 2(2) — Medical devices

Products under Regulation (EU) 2017/745 (medical devices) and Regulation (EU) 2017/746 (in vitro diagnostics) are excluded. If your connected device has a medical purpose and is CE-marked under MDR or IVDR, the CRA does not apply.

Check Art. 2(2) — Motor vehicles

Products under Regulation (EU) 2019/2144 (motor vehicle general safety) are excluded. This covers type-approved vehicles and their components. Aftermarket connected accessories not covered by 2019/2144 may still be in CRA scope.

Check Art. 2(3) — Aviation

Products certified under Regulation (EU) 2018/1139 (common rules in civil aviation) are excluded.

Check Art. 2(5) — National security and military

Products developed or modified exclusively for national security or defence purposes are excluded, as are products designed to process classified information.

Check Art. 2(6) — Open-source software

Free and open-source software not placed on the market in the course of a commercial activity is excluded. If the open-source software is commercially distributed, the CRA applies.

If none of the above apply — you are in scope

Run CRACheck's Product Classifier to determine your category (Default, Important Class I/II, or Critical) and generate the 8-document dossier.

Common false exclusion claims

❌

FALSE EXCLUSION

Claiming exclusion because the product is "industrial, not consumer"

Regulation (EU) 2024/2847 does not distinguish between consumer and industrial products. Article 2(1) covers any product with digital elements placed on the EU market with a data connection. Industrial IoT gateways, SCADA controllers, and building automation systems are in scope.

❌

WRONG REGULATION

Assuming RED 2014/53/EU excludes the product from the CRA

The Radio Equipment Directive is not listed in Art. 2(2) as an exclusion. Products under RED are subject to BOTH RED and the CRA. Article 12 addresses overlap — and Article 31(3) allows a single combined technical documentation set. The CRA adds cybersecurity requirements that RED does not cover.

❌

OPEN SOURCE MISREAD

Assuming all open-source software is excluded

Article 2(6) excludes only free and open-source software that is NOT placed on the market in the course of a commercial activity. If you distribute open-source software commercially — whether by selling it, bundling it with paid hardware, or providing paid support — the CRA applies to it.

8 CRA documents for in-scope products

If your product is not excluded, CRACheck generates the complete Art. 31 + Annex VII dossier.

Product Classifier

Annex III / Annex IV classification. Conformity assessment module.

Technical Documentation

Art. 31 + Annex VII. Complete dossier.

Risk Assessment

Art. 13(2)–(3). Cybersecurity risk assessment against Annex I.

User Information

Annex II. 9 required information points.

Declaration of Conformity

Art. 28 + Annex V. Ready for signature.

CVD Policy

Annex I Part II point (5). Coordinated vulnerability disclosure.

Notification Template

Art. 14. ENISA 24h/72h/14d notification.

Obligations Calendar

Key dates and milestones.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated in your browser. No data leaves your device.

Legal scope opinion vs CRACheck

🧾 LEGAL SCOPE OPINION FROM A LAW FIRM

€3,000–€8,000

Per product for a written scope assessment. 2–4 weeks. Product details shared with external counsel. No documentation output — just an opinion letter.

✓ Last regulatory check: 2 May 2026 · No substantive changes detected · View history