FAQ: Do I need CRA compliance for my connected product?

Short answer
If your product has a network connection (or processes data) and you sell it in the EU, yes. Full compliance is required by December 2027. Vulnerability reporting starts in September 2026.
Long answer
The Cyber Resilience Act covers all "products with digital elements" placed on the EU market. In practice, if your product contains software and can connect to a network (Wi-Fi, Bluetooth, Ethernet, cellular, or even USB data exchange), you're in scope. This includes both hardware devices and standalone software. What matters is that the product is available to EU customers.
Below is a quick cheat sheet.
The CRA applies to
- IoT devices (sensors, gateways, smart home, wearables)
- Embedded systems with connectivity
- Installable software (desktop, mobile)
- Hardware with digital elements
The CRA does NOT apply to
- SaaS / cloud-only services (covered by NIS2 instead)
- Medical devices (covered by Medical Devices Regulation)
- Vehicles (covered by type-approval regulations)
- National security / military equipment
- Open-source software developed non-commercially
Penalties for non-compliance
Up to EUR 15 million or 2.5% of global annual turnover, whichever is higher.
Next step
Check your product against the CRA. This determines your conformity assessment path.

