My software is classified as a medical device under the MDR. Do I need CRA documentation?

No. Article 2(2)(a) of Regulation (EU) 2024/2847 explicitly excludes products covered by Regulation (EU) 2017/745 (MDR). If your product is a classified medical device with MDR conformity assessment, CRA does not apply to that product. Your MDR technical documentation and conformity assessment obligations stand independently.

My software is a wellness app — not a medical device. Does CRA apply?

If your wellness app is software with data connectivity placed on the EU market in the course of commercial activity, and it is not classified as a medical device under Regulation (EU) 2017/745, it falls within CRA scope as a product with digital elements under Article 3(1). Wellness apps, fitness trackers, health dashboards, and clinical administration tools outside MDR classification are all potentially within CRA scope.

How do I determine if my health software is a medical device under MDR?

The MDR (Regulation (EU) 2017/745) and the MDCG guidance documents define when software qualifies as a medical device based on its intended purpose. Software intended for diagnosis, prevention, monitoring, or treatment of a disease or injury is typically classified as a medical device. Software intended for general wellness, administration, or clinical workflow without direct diagnostic or therapeutic intent typically is not. CRACheck does not make MDR classification determinations — consult an MDR regulatory specialist.

Our software has a diagnostic module (MDR) and a reporting module (non-MDR). How does CRA apply?

If the modules are separate products placed on the market independently, the diagnostic module may be exempt under Article 2(2)(a) while the reporting module falls under CRA. If they are parts of a single integrated product classified as a medical device, the entire product is exempt. The product boundary determination is critical — CRACheck helps document the classification for the non-MDR components.

Does FDA SaMD (Software as a Medical Device) classification affect CRA scope?

No. FDA SaMD classification has no legal effect in the EU. CRA exemption depends on MDR classification (Regulation (EU) 2017/745), not FDA pathways. A product that is SaMD under FDA but not a medical device under MDR is within CRA scope in the EU.

Is CRACheck a subscription?

No. One-time payment. 30 days of editing, 10 regenerations. The PDF is yours to keep.

Can I request a refund?

Per Article 16(m) of Directive (EU) 2011/83, activating the license constitutes express consent for immediate generation. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate at no additional cost during your license period.

Your US company makes health-related software sold in Europe. If it qualifies as a medical device under Regulation (EU) 2017/745, Article 2(2)(a) of the Cyber Resilience Act explicitly exempts it. But software adjacent to medical devices — wellness apps, clinical workflow tools, health analytics platforms — may fall outside the MDR exemption and squarely within CRA scope. The boundary between exempt and non-exempt determines which documentation you need. CRACheck helps you classify.

Article 2(2) of Regulation (EU) 2024/2847 excludes products covered by Regulation (EU) 2017/745 (medical devices) and Regulation (EU) 2017/746 (in vitro diagnostics). If your software is a medical device under the MDR, CRA does not apply. But the boundary is precise: wellness applications, clinical decision support tools not classified as medical devices, hospital management software, and health data analytics platforms do not fall under the MDR — and therefore remain within CRA scope. CRACheck's Product Classifier helps you determine which regime applies and generates the documentation for whichever path is relevant. €149 per product. 15-25 minutes. Browser-side processing only.

Classify and generate — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

Art. 2(2)(a)

CRA exemption for products already covered by Regulation (EU) 2017/745 (MDR)

Non-MDR

Health software not classified as a medical device is fully within CRA scope

€149

Cost to classify your product and generate CRA documentation if applicable

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Determine MDR classification

Is your software classified as a medical device under Regulation (EU) 2017/745? If yes, Article 2(2)(a) of the CRA exempts it. If no, proceed.

Identify CRA scope

For non-MDR health software: enter product name, functionality, data handling, and deployment model. CRACheck treats it as a product with digital elements under Article 3(1).

Classify under Annex III

Health-adjacent software typically classifies as Default category. Software performing functions that impact patient safety through indirect means may warrant careful classification analysis.

Describe architecture and health data flows

Health data handling, API integrations with clinical systems, encryption, access control, HIPAA-relevant controls that also satisfy CRA Annex I requirements.

Generate risk assessment

Health software-specific threat analysis: unauthorized access to health data, integrity of clinical decision outputs, availability of critical health workflows, and supply chain risks from medical integration APIs.

Produce 8 documents

Technical documentation, risk assessment, declaration of conformity, user information, CVD policy, ENISA template, obligations calendar.

Maintain dual compliance

For products near the MDR boundary, keep both your MDR assessment (confirming exemption) and CRA documentation (covering what MDR does not). One regime or the other applies — documentation for both scenarios protects you.

Common mistakes

❌

ENTITY vs PRODUCT

"All our health software is exempt from CRA because we are a medical device company"

The CRA exemption under Article 2(2)(a) applies per product, not per company. If your company manufactures both MDR-classified medical devices and non-MDR health software (wellness apps, clinical workflow tools, analytics dashboards), the medical devices are exempt but the non-MDR products are fully within CRA scope. The exemption follows the product, not the manufacturer.

❌

JURISDICTIONAL MISMATCH

"Our software is FDA-cleared, so EU regulation is covered"

FDA clearance (510(k), De Novo, PMA) is a US regulatory pathway. It has no bearing on CRA or MDR compliance in the EU. The MDR (Regulation (EU) 2017/745) has its own classification and conformity assessment process. If your product is FDA-cleared but not MDR-classified, the CRA exemption does not apply in the EU. CRA and FDA are independent regulatory systems.

❌

RECLASSIFICATION CONSEQUENCE

"Our product used to be a medical device but was reclassified as general wellness under MDR"

If your product was reclassified from medical device to general wellness under MDR guidance, it loses the Article 2(2)(a) CRA exemption. A product that is no longer a medical device is no longer exempt from CRA. It becomes a product with digital elements under Article 3(1) with full CRA documentation obligations. This reclassification creates a new compliance workstream.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Critical document for healthtech: determines whether your product falls under MDR (exempt from CRA) or outside MDR (within CRA scope). Documents the classification reasoning.

Technical Documentation

Art. 31 + Annex VII for non-MDR health software: architecture, health data handling, clinical system integrations, security controls, and conformity assessment path.

Risk Assessment

Health-specific cybersecurity risk analysis for non-MDR software: patient data confidentiality, clinical workflow integrity, system availability in healthcare environments, and health API security.

User Information

Annex II for health software users: data handling disclosure, security properties, update policy, known limitations in clinical contexts, and manufacturer contact.

Declaration of Conformity

Art. 28 + Annex V for non-MDR health software. Separate from any MDR declarations for other products.

CVD Policy

Vulnerability disclosure policy adapted for health software: escalation paths for vulnerabilities with potential patient safety impact.

Notification Template

ENISA template per Article 14 for health software incidents: compromised health data, clinical workflow disruption, authentication bypass in health platforms. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

Timeline considering both CRA milestones and any MDR transition dates relevant to your product portfolio.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 DUAL MDR/CRA REGULATORY CONSULTANT

€20,000–€40,000

12-24 weeks. Requires detailed clinical context briefing.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history