ISMS Copilot
Free tool

Cyber Resilience Act applicability checker

Find out whether the EU Cyber Resilience Act (CRA) applies to your product with digital elements — and whether it is default, important (Class I/II) or critical — in about a minute.

Classification follows Regulation (EU) 2024/2847 (CRA): Art. 2/3 scope & exclusions, Annex III (important, Class I/II) and Annex IV (critical). It is a Regulation (no national transposition); the notified-body provisions apply from 11 June 2026, the Article 14 reporting duties from 11 September 2026 and the main obligations from 11 December 2027. The Annex III/IV categories are fixed by the CRA and Commission technical descriptions, and other Union sector rules may further limit or exclude the CRA by delegated act (Art. 2(5)). This is a structured starting point, not legal advice.

FAQ

Does the Cyber Resilience Act apply to my product?
The CRA applies to products with digital elements — hardware or software whose use includes a direct or indirect data connection — made available on the EU market in the course of a commercial activity. Most are 'default' products with self-assessment; 'important' (Annex III Class I/II) and 'critical' (Annex IV) products face stricter conformity. This checker walks the Article 2 and Annex III/IV logic for a structured starting point.

Is the CRA a directive my country still has to transpose?
No. The CRA is a Regulation, directly applicable across the EU without national transposition. It entered into force in December 2024; the Article 14 reporting duties apply from 11 September 2026 and the main obligations from 11 December 2027.

We ship open-source software — are we exempt?
Free and open-source software supplied outside a commercial activity is treated separately and is largely outside the CRA's manufacturer obligations. Once open-source software is monetised or integrated into a commercial product, CRA obligations attach. A lighter 'open-source steward' regime exists for some actors.

What's the difference between default, important and critical?
Default products with digital elements use supplier self-assessment. Important products (Annex III) — Class I (e.g. password managers, VPNs) and the higher-risk Class II (e.g. firewalls, IDS/IPS) — face stricter conformity routes. Critical products (Annex IV) may additionally require a mandatory European cybersecurity certification scheme.

Is this legal advice?
No. It is a free, structured starting point based on the Regulation's text and your inputs. Whether a product is in Annex III or IV is fixed by the CRA and Commission technical descriptions, and obligations depend on your role. Confirm with your competent authority or counsel.

Do you store my answers?
No. The classification runs entirely in your browser. There is no form gate and we do not capture or store your inputs.

By ISMS Copilot.
