Product with Digital Elements
A product with digital elements is any software or hardware product that has a direct or indirect data connection to a device or network. The concept is the central delimitation in the Cyber Resilience Act (CRA) and determines which products must meet the EU's new cybersecurity requirements.
Definition and scope
CRA defines a product with digital elements as "any software or hardware product and its remote data processing solutions, including software and hardware components placed on the market separately." The decisive criterion is that the product has a logical or physical data connection to a device or network.
The definition is intentionally broad. It covers not only the physical product but also the software running on it and any cloud services necessary for the product's function. If a smart thermostat requires a cloud platform to function, both the hardware and the cloud component are covered.
It is important to understand that CRA regulates products, not services. Pure SaaS solutions without an associated hardware or software component fall outside CRA's scope. They may instead be regulated under NIS2.
Examples of products with digital elements
The breadth of the definition means a large number of product types are covered:
- IoT devices: Smart speakers, smart cameras, wearables, smart appliances and industrial sensors
- Network equipment: Routers, switches, firewalls and access points
- Standalone software: Operating systems, browsers, antivirus programmes, password managers and VPN clients
- Embedded systems: Control systems in industrial equipment, PLCs and SCADA components
- Software components: Libraries and frameworks placed on the market separately
The list is not exhaustive. If your product contains software and has a data connection, there is a strong presumption that it falls within CRA's scope.
Risk classes
CRA divides products into three risk classes that determine which conformity assessment is required:
Standard products (default) make up the majority of all products with digital elements. For these, the manufacturer may carry out the conformity assessment independently through internal control.
Class I (elevated risk) covers products with a higher risk profile, such as password managers, VPN solutions, network management systems and physical network interfaces. The manufacturer may use harmonised standards to demonstrate conformity or involve a notified body.
Class II (highest risk) covers products with a critical cybersecurity function, such as firewalls, intrusion detection systems, hardware security modules, smart cards and industrial control systems. These always require third-party assessment by a notified body.
The classification does not affect which security requirements the product must meet. All products must comply with the same essential requirements. The difference lies in how conformity is verified.
Exemptions
Not all products with digital elements are covered by CRA. The following are exempt:
- Medical devices regulated under MDR and IVDR
- Motor vehicles and their components regulated under the type-approval regulation
- Aviation products regulated under EASA
- Products developed exclusively for national security purposes
- Open-source software developed and distributed without a commercial purpose
The open-source exemption is important to understand correctly. If you as a manufacturer integrate open-source components into your commercial product, you bear the responsibility for ensuring the entire product complies with CRA. It is the manufacturer, not the open-source community, who is accountable.
Requirements for the product
Regardless of risk class, all products with digital elements must meet the essential requirements in CRA Annex I. This entails security by design, vulnerability handling and technical documentation.
The manufacturer must prepare a Software Bill of Materials (SBOM), conduct a risk assessment and ensure the product is delivered with a secure default configuration. Encryption of data, access control and minimisation of the attack surface are among the concrete technical requirements.
The product must be CE marked before it is placed on the market. The CE mark confirms that the product meets all relevant EU requirements, including CRA's cybersecurity requirements.
Frequently Asked Questions about Product with Digital Elements
What is a product with digital elements?
A product with digital elements is any software or hardware product that has a direct or indirect logical or physical data connection to a device or network. The concept is defined in the Cyber Resilience Act and covers everything from routers and smart TVs to standalone software and IoT devices.
Is pure software a product with digital elements?
Yes. CRA covers both hardware with embedded software and standalone software. A mobile app, an operating system or a firmware update are all products with digital elements under CRA.
Which products are exempt from CRA?
Products already regulated under sector-specific EU legislation may be exempt. This includes medical devices (MDR/IVDR), motor vehicles, aviation and certain products for national security purposes. Open-source software without a commercial purpose is also exempt.
What are the three risk classes for products under CRA?
CRA divides products into three classes: standard products (the majority), class I (elevated risk, e.g. password managers and VPN solutions) and class II (highest risk, e.g. firewalls and hardware security modules). Class I and II require stricter conformity assessment.
Related Terms
Cyber Resilience Act (CRA)
EU regulation setting horizontal cybersecurity requirements for all products with digital elements placed on the European market.
CE Marking (Cybersecurity)
CE marking in a cybersecurity context documents that a product with digital elements meets the essential security requirements of the Cyber Resilience Act.
Software Bill of Materials (SBOM)
A formalised, machine-readable list of all software components, libraries and dependencies in a product. SBOM is a requirement under the Cyber Resilience Act.