Introduction
Find out whether your product falls under the EU Cyber Resilience Act and identify the key obligations you need to comply with if it does.
The Cyber Resilience Act (Regulation (EU) 2024/2847) sets mandatory cybersecurity requirements for "products with digital elements" (PDEs), which covers hardware and software that connect to networks or other devices and are placed on the European market. The Act applies to manufacturers, importers, distributors, and other supply chain actors. Obligations differ depending on your role and on whether your product is classified as a default, important (Class I or II), or critical PDE. Not all products fall under the CRA. Some categories, such as medical devices, motor vehicles, and civil aviation equipment, are governed by sector-specific legislation and are excluded.
Placing a PDE on the EU market without meeting CRA requirements is a compliance risk. This tool walks you through the key scoping questions so you can identify your obligations quickly. It is not a substitute for legal advice.
Warning / Disclaimer. This tool is provided for informational purposes only. It does not constitute legal advice. Results may not be accurate or complete for every product configuration. Users should not rely solely on this tool to determine CRA compliance obligations. Always consult qualified legal counsel for definitive determinations.
Question 1
Question 2
Question 3
Placing on the market includes making the product available for download or access by EU-based users.
Question 4
Select all that apply.
Question 5
Assessment result
Based on your answers, your product does not appear to qualify as a product with digital elements (PDE) under the CRA. The Act does not apply to products that neither process data nor connect to other products or networks. If your product's features change in the future (e.g., if connectivity or data-processing capabilities are added), you should re-run this assessment.
Assessment paused
Assessment cannot be finalised. Determining whether your product qualifies as a PDE requires confirming whether it processes, transmits, or stores data, or whether it connects to another product or network. Please gather this information and restart the assessment.
Assessment result
The CRA applies to products placed on or made available to the EU market. Based on your answer, this product does not appear to fall within the territorial scope of the Act. If your distribution strategy changes, please re-run this assessment.
Your supply chain role
As the manufacturer, you carry the primary obligations under the CRA. These include: conducting a cybersecurity risk assessment; ensuring the product meets the essential cybersecurity requirements in Annex I; drawing up technical documentation; affixing the CE marking; preparing the EU Declaration of Conformity; reporting actively exploited vulnerabilities and incidents to ENISA and relevant market surveillance authorities; and providing security support and updates for a period appropriate to the product's expected lifetime. You are responsible for ensuring conformity throughout the product lifecycle.
Your supply chain role
As an importer, you must verify that the manufacturer has completed the required conformity assessment procedures, that the product bears the CE marking, and that the required technical documentation and EU Declaration of Conformity are available. You must not place products on the market that you know or have reason to believe do not conform with the CRA.
Your supply chain role
As a distributor, you must verify that the PDE bears the CE marking and that the required documentation is in place before making it available on the market. If you have reason to believe the product does not comply, you must not make it available and must inform the manufacturer and market surveillance authorities. Distributors who modify a product or place it on the market under their own name or trademark take on the obligations of a manufacturer.
Your supply chain role
Open-source stewards (i.e., entities that provide sustained support to open-source software PDEs intended for commercial use) have lighter obligations under the CRA. You are not subject to the full manufacturer obligations, but must put in place a cybersecurity policy, cooperate with market surveillance authorities, and address reported vulnerabilities. The CRA distinguishes open-source stewards from manufacturers who integrate open-source components into commercial products.
Your supply chain role
If you are integrating a PDE (or components of a PDE) into a larger product or system that you then place on the market, you may take on manufacturer-like obligations for the integrated product as a whole. The extent of your obligations depends on whether the integration constitutes a substantial modification of the original PDE. If it does, you are treated as a manufacturer for CRA purposes.
Your supply chain role
Your specific obligations under the CRA depend on your precise role in the supply chain. The Act assigns distinct duties to manufacturers, importers, distributors, and open-source stewards. We recommend identifying your role clearly, which can be done in consultation with legal counsel if needed, before proceeding.
Question 6
Select the sub-group that best describes what your product primarily does. If your product's core functionality does not fit any category in the list, select "My product's core functionality does not fall under any of the categories listed above".
Important Class I
CRA Annex III, items 1–19
"Security-related functionalities" include cryptographic operations, secure boot, TEEs, and hardware-enforced access control.
Important Class II
CRA Annex III, items 20–23
Critical
CRA Annex IV
Default
Important Class I · Based on your answers, the core functionality of your product aligns with the Important Class I category under the CRA.
Important Class II · Based on your answers, the core functionality of your product aligns with the Important Class II category under the CRA.
Critical · Based on your answers, the core functionality of your product aligns with the Critical category under the CRA. The next screen will show you a summary of your obligations and the available compliance attestation routes.
Assessment complete
Core obligations
All PDE manufacturers, regardless of category, must:
Key references
CRA Arts. 13-14; Annex I.
Core obligations
All universal obligations above. Conformity assessment must follow a stricter, externally validated route.
Compliance attestation route
Option 1: EU-type examination (Module B, Annex VIII) followed by conformity to EU type based on internal production control (Module C, Annex VIII).
Option 2: Full quality assurance procedure (Module H, Annex VIII).
Key references
CRA Art. 32(2); Annex VIII (Modules B+C or H).
Core obligations
All universal obligations above. Same routes as Class I, plus an additional option to use a European cybersecurity certification scheme.
Compliance attestation route
Option 1: EU-type examination (Module B) + Module C (Annex VIII).
Option 2: Full quality assurance (Module H, Annex VIII).
Option 3 (where available): A European cybersecurity certification scheme under Art. 27(9) of the CRA at assurance level "substantial" or higher pursuant to Regulation (EU) 2019/881.
Key references
CRA Art. 32(3); Annex VIII (Modules B+C, H); Regulation (EU) 2019/881.
Core obligations
All universal obligations above. Most stringent conformity requirements. Must use a designated European cybersecurity certification scheme where one exists.
Compliance attestation route
Primary route: A European cybersecurity certification scheme designated by the Commission under Art. 8(1) of the CRA.
Fallback route where no designated scheme exists for the product: any of the procedures applicable to Important Class II PDEs (Art. 32(3) procedures).
Key references
CRA Art. 32(4)-(5); Art. 8(1); Regulation (EU) 2019/881.
Assessment result
Based on your selection, your product appears to fall within a category explicitly excluded from the CRA's scope. Products regulated under the Medical Device Regulation (MDR), IVDR, motor vehicle legislation, civil aviation frameworks, marine equipment directives, or equipment used exclusively for national security or defence purposes, as well as non-commercial open-source software, are not subject to CRA requirements. Sector-specific cybersecurity obligations may still apply under the relevant legislation. We recommend confirming this with qualified legal counsel.
Assessment paused
We cannot confirm whether the CRA applies without knowing whether the product is placed on the EU market. For software products, placing on the market includes making the product available for download or as a service to EU-based users. Please clarify your distribution scope and restart the assessment.