Our software runs entirely in the cloud. Is it a 'product with digital elements'?

If the user accesses functionality exclusively through a web browser or API with no software component installed locally, the product is generally outside the scope of Article 2(1) of Regulation (EU) 2024/2847 because it is not 'placed on the market'. However, Directive (EU) 2022/2555 (NIS2) may apply to the service provider.

We provide both a cloud platform and a desktop agent. Which is covered?

The desktop agent is a product with digital elements under Article 3(1) of Regulation (EU) 2024/2847. The cloud platform, to the extent it constitutes a 'remote data processing solution' essential to the agent's function, is part of that product per Art. 3(1). CRA documentation covers the product as a whole — agent plus essential cloud components.

Does the CRA apply to APIs sold as a product?

If you distribute an API client library or SDK that is installed on the customer's systems, it is a software component placed on the market separately under Article 3(1). If the API is accessed purely remotely with no client-side code, the analysis is the same as for SaaS.

What about firmware updates delivered over-the-air (OTA)?

Firmware updates are part of the manufacturer's vulnerability handling obligations under Annex I Part II and Article 13(8) of Regulation (EU) 2024/2847. The OTA update mechanism must be described in the technical documentation per Annex VII point 2(b) as part of the 'technical solutions chosen for the secure distribution of updates'.

Is this a subscription?

No. One-time payment. The licence includes a 30-day editing window and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Article 16(m) of Directive (EU) 2011/83, by activating the licence you give express consent for the immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are accepted only for reproducible technical defects.

What if the regulation changes?

If the regulation is amended during the validity of your licence, you can regenerate the document with the updated version of the generator at no additional cost.

You publish a desktop application, a mobile SDK, or a firmware module — and it has cloud backend components. You need to know whether Regulation (EU) 2024/2847 treats it as a product with digital elements. The answer depends on whether the software is placed on the market — Article 3(1) and Article 3(24) draw the line. Pure remote-service SaaS with nothing running on the user's device is generally outside scope. Software delivered to the user's environment is inside.

Q: Is a mobile app covered by the CRA?

If the mobile app is placed on the EU market — downloaded by users from an app store — it is a product with digital elements under Article 3(1) of Regulation (EU) 2024/2847. The CRA applies, and Art. 31 technical documentation is required.

The Cyber Resilience Act defines "product with digital elements" in Article 3(1) of Regulation (EU) 2024/2847 as any software or hardware product and its remote data processing solutions, including software components placed on the market separately. "Placing on the market" under Article 3(24) means making the product available for the first time on the EU market. If your software is downloaded, installed, or runs on the user's device, it is placed on the market and the CRA applies. If your product is delivered exclusively as a remote service with no client-side component, it is generally outside scope — but Directive (EU) 2022/2555 (NIS2) may apply instead. CRACheck generates the Art. 31 dossier for in-scope software in 15–25 minutes. €149 per product.

Generate CRA Dossier — €149 Free: check your product classification

€149 one-time payment per product · 8 PDF documents in ZIP · 15–25 minutes · 100% in your browser

Key definitions for software

Art. 3(1)

Definition: software is explicitly a "product with digital elements"

Art. 3(24)

"Placing on the market" — the trigger for CRA obligations

15 min

Time to generate the 8-document dossier for in-scope software

How to determine if your software is in scope

Determine if your software is "placed on the market"

Article 3(24): is the software made available for the first time on the EU market? If it is downloaded, installed, deployed on-premise, or runs on the user's device — yes, it is placed on the market.

Check the SaaS boundary

If your product is delivered entirely as a remote service — the user accesses functionality via a browser or API with no software running locally — it is generally not 'placed on the market'. However, if the SaaS product includes a desktop client, mobile app, agent, or plugin that runs on the user's device, that client component is a product with digital elements.

Assess "remote data processing solutions"

Article 3(1) includes 'remote data processing solutions' as part of the product if they are designed by or under the responsibility of the manufacturer and the product cannot perform one of its functions without them. A cloud backend essential to the product's operation is part of the product.

Classify the software

Run CRACheck's Product Classifier. Software categories in Annex III Class I include browsers (point 2), password managers (point 3), VPNs (point 5), operating systems (point 11). Class II includes firewalls (point 2) and intrusion detection systems (point 2).

Generate the Art. 31 dossier

For in-scope software, CRACheck produces the 8-document technical dossier including system architecture description, vulnerability handling processes, SBOM reference, and all Annex VII elements.

Common software scope mistakes

❌

SAAS MISUNDERSTANDING

Assuming all SaaS is outside the CRA

If your SaaS product includes any client-side component — a desktop app, mobile app, browser plugin, or agent — that component is a product with digital elements under Article 3(1) of Regulation (EU) 2024/2847. Only products delivered entirely as a remote service with zero local execution are outside scope.

❌

VERSION OVERSIGHT

Treating software updates as separate products

Article 3(1) refers to the product and its versions. Security updates are part of the manufacturer's vulnerability handling obligations under Annex I Part II and Article 13(8). Each version does not require a new dossier, but the technical documentation must be 'continuously updated' per Article 31(2).

❌

COMPONENT BLIND SPOT

Ignoring SDKs and libraries placed on the market separately

Article 3(1) explicitly includes "software or hardware components being placed on the market separately". If you publish a library, SDK, or API client that third parties integrate into their products, that component is an independent product with digital elements under the CRA.

8 CRA documents for software products

CRACheck generates the complete Art. 31 + Annex VII dossier adapted for software products.

Product Classifier

Classification of your software product against Annex III and Annex IV categories.

Technical Documentation

Art. 31 + Annex VII dossier with software-specific fields: system architecture, software components, dependency map, update distribution mechanism.

Risk Assessment

Cybersecurity risk assessment per Art. 13(2)–(3) for software: vulnerability surface, data handling, authentication, update integrity.

User Information

Annex II: vulnerability reporting contact, support period, commissioning instructions, secure removal/decommissioning.

Declaration of Conformity

Art. 28 + Annex V.

CVD Policy

Coordinated vulnerability disclosure policy per Annex I Part II point (5).

Notification Template

Art. 14 three-stage notification for software vulnerabilities. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

Key dates for your software product lifecycle.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated in your browser. No data leaves your device.

Law firm scope analysis vs CRACheck

🧾 LAW FIRM SCOPE ANALYSIS FOR SOFTWARE

€5,000–€12,000

Written opinion on CRA applicability to SaaS/software. 3–6 weeks. Multiple rounds of clarification. No documentation output.

✓ Last regulatory check: 2 May 2026 · No substantive changes detected · View history