CRA exemptions: legacy products, small business, and who is exempt
The Cyber Resilience Act has narrow, specific exemptions. Company size alone is not one of them, and most fielded products do not escape scope for long.
The 39 questions people ask about the Cyber Resilience Act online include a cluster looking for a way out: is my old product grandfathered in, does being a small company get me a pass, is there a loophole. The honest answer is that the CRA's actual exemptions are narrow and specific, and most of the "ways out" teams hope for do not exist.
TL;DR: The Cyber Resilience Act has no general small-business exemption; obligations scale by product risk class, not headcount. Legacy products already on the market are not required to be retroactively redesigned, but a substantial modification, including many software updates, can pull them back into full scope. The real exemptions are narrow: sector-regulated products, and open-source software distributed outside a commercial activity.
Is my legacy product affected by the Cyber Resilience Act?
Almost certainly, just not immediately. Regulation (EU) 2024/2847 does not require every product already sitting in the field to be redesigned and re-certified the day the essential requirements take effect on 11 December 2027. But that is a delay, not a permanent exemption. Any product still being manufactured or placed on the market after that date needs to meet the requirements, and a substantial modification to an existing product, one that affects its cybersecurity or its intended purpose, can trigger a fresh conformity assessment against the current rules even for something that has been shipping for years.
Do small businesses need to comply with the Cyber Resilience Act?
Yes, and this is the exemption most teams incorrectly assume exists. There is no company-size threshold below which the CRA simply does not apply. Obligations are scaled to the product's risk classification (default, important, or critical), not to the manufacturer's headcount or revenue. What small companies and microenterprises do get is some flexibility in how the technical documentation is prepared and simplified options for certain administrative steps: a lighter-weight version of the paperwork, not a different set of security requirements.
What products are actually exempt from the Cyber Resilience Act?
The genuine exemptions are sector-based, not size-based. Products already covered by an equivalent EU regulatory regime that addresses cybersecurity (medical devices under the Medical Device Regulation, vehicles and their components under automotive type-approval rules, and certain aviation, marine, and defence equipment) are excluded from the CRA because the sector-specific rules already impose comparable requirements. If your product falls in one of these categories, check the sector regulation directly rather than assuming the CRA applies on top.
Does open source software qualify for an exemption?
Partially, and it is a nuanced exemption, not a blanket pass. Open-source software made available outside the course of a commercial activity (a maintainer publishing code with no commercial arrangement attached) is largely outside the manufacturer obligations the CRA imposes. The moment open-source components are integrated into a product you sell commercially, the obligations attach to you as the manufacturer of that finished product, not to the upstream open-source project. We cover this distinction in more depth in how the CRA treats open source software.
What counts as a substantial modification that ends an exemption?
The CRA's own logic treats a "substantial modification" as a change affecting compliance with the essential requirements: adding new connectivity, changing the product's intended purpose, or a redesign that touches the security posture. Ordinary bug fixes and, importantly, routine security patches are not substantial modifications; the CRA in fact requires you to keep shipping those. The line to watch is functional or connectivity changes, not maintenance.
How do I find out which product class my legacy product falls into?
Classification depends on the product's function and the risk it poses if compromised, not its age. A ten-year-old industrial controller with network connectivity can sit in a higher risk class than a brand-new consumer gadget with no network access. Our conformity assessment guide walks through how self-assessment versus notified-body assessment is decided, and it applies the same way whether the product is new or already fielded.
What should a small team actually do instead of hoping for an exemption?
Assume in-scope and start the inventory now. The two things that consistently save the most time later are knowing exactly what you have shipped (hardware, firmware versions, and components) and having an SBOM for each. Neither of those requires a large team, and both are the foundation the CRA's other obligations sit on top of. Our readiness checklist is written for teams doing this with limited headcount, not enterprise compliance departments.
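As an added example (not Scadable's code and not anything the regulation prescribes), the script below shows what that inventory looks like once it is data rather than a spreadsheet: fielded units keyed to a firmware version, one SBOM per firmware image, and two questions you can then answer immediately when a component advisory lands: which serials are running the affected component version, and which fielded units have no SBOM at all. Product names, serials, component names and versions are constructed sample data, and the SBOM dict uses only the minimal CycloneDX JSON fields (bomFormat, specVersion, components); treating that as a sufficient export format is an assumption for the example.

```python
"""Shipped-product inventory with a per-firmware SBOM (added example, constructed data)."""
from __future__ import annotations

import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: str  # package URL; values below are hypothetical


@dataclass(frozen=True)
class FirmwareImage:
    product: str
    version: str
    components: tuple[Component, ...]


@dataclass(frozen=True)
class FieldedUnit:
    serial: str
    product: str
    firmware: str  # firmware version the unit is currently running


# Constructed sample components: names and versions are made up for the example.
ZLIB_OLD = Component("zlib", "1.2.11", "pkg:generic/zlib@1.2.11")
ZLIB_NEW = Component("zlib", "1.2.13", "pkg:generic/zlib@1.2.13")
MBEDTLS = Component("mbedtls", "3.4.0", "pkg:generic/mbedtls@3.4.0")
LWIP = Component("lwip", "2.1.3", "pkg:generic/lwip@2.1.3")

# Every firmware image you have ever shipped, keyed by (product, version).
FIRMWARE: dict[tuple[str, str], FirmwareImage] = {
    ("ctrl-100", "4.2.0"): FirmwareImage("ctrl-100", "4.2.0", (ZLIB_OLD, MBEDTLS, LWIP)),
    ("ctrl-100", "4.3.1"): FirmwareImage("ctrl-100", "4.3.1", (ZLIB_NEW, MBEDTLS, LWIP)),
    ("gw-20", "1.0.7"): FirmwareImage("gw-20", "1.0.7", (ZLIB_OLD, LWIP)),
}

# Constructed fleet. SN-0005 runs a firmware version with no recorded image: an inventory gap.
FLEET = [
    FieldedUnit("SN-0001", "ctrl-100", "4.2.0"),
    FieldedUnit("SN-0002", "ctrl-100", "4.3.1"),
    FieldedUnit("SN-0003", "gw-20", "1.0.7"),
    FieldedUnit("SN-0004", "ctrl-100", "4.2.0"),
    FieldedUnit("SN-0005", "gw-20", "0.9.0"),
]


def sbom_for(image: FirmwareImage) -> dict:
    """Minimal CycloneDX-shaped SBOM for one firmware image (assumed minimal field set)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "firmware", "name": image.product, "version": image.version}},
        "components": [
            {"type": "library", "name": c.name, "version": c.version, "purl": c.purl}
            for c in image.components
        ],
    }


def sbom_json(image: FirmwareImage) -> str:
    return json.dumps(sbom_for(image), indent=2)


def inventory_gaps() -> list[str]:
    """Serials of fielded units whose running firmware has no recorded image (and so no SBOM)."""
    return sorted(u.serial for u in FLEET if (u.product, u.firmware) not in FIRMWARE)


def units_running(component: str, version: str) -> list[str]:
    """Serials of fielded units whose firmware bundles component@version; unmapped units are skipped."""
    hits = []
    for unit in FLEET:
        image = FIRMWARE.get((unit.product, unit.firmware))
        if image is None:
            continue  # reported separately by inventory_gaps()
        if any(c.name == component and c.version == version for c in image.components):
            hits.append(unit.serial)
    return sorted(hits)


def clean_images(component: str, version: str) -> list[tuple[str, str]]:
    """(product, firmware) pairs you have already built that do NOT contain component@version."""
    return sorted(
        key for key, image in FIRMWARE.items()
        if not any(c.name == component and c.version == version for c in image.components)
    )


if __name__ == "__main__":
    print(sbom_json(FIRMWARE[("ctrl-100", "4.2.0")]))
    print("units on zlib 1.2.11:", units_running("zlib", "1.2.11"))
    print("images without it:", clean_images("zlib", "1.2.11"))
    print("fielded units with no SBOM:", inventory_gaps())
```

The point of `inventory_gaps()` is that the inventory is only useful if it is complete: a unit running a firmware version you never recorded is exactly the device you cannot answer for when a vulnerability report arrives, and finding it now is cheaper than finding it inside a reporting window.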
Where Scadable fits
Scadable is built for teams who do not have a dedicated compliance department, and it treats legacy and new products the same way: map what you have shipped, flag what is exploitable, patch fielded devices, and file the report inside the window. If you are trying to figure out whether your product, old or new, is actually in scope, book a walkthrough.
Last reviewed: July 1, 2026.
Frequently asked questions
Is my legacy product affected by the Cyber Resilience Act? Likely yes, on a delay rather than an exemption. Products already placed on the market before the essential requirements apply are not retroactively required to be redesigned, but any substantial modification, including certain software updates, can trigger a fresh conformity assessment against the current rules.
Do small businesses need to comply with the Cyber Resilience Act? Yes. There is no blanket small-business exemption. Obligations scale by product risk classification, not company headcount or revenue, though microenterprises and small companies do get some simplified documentation options for the technical file.
What products are exempt from the Cyber Resilience Act? Products already regulated by an equivalent sector-specific EU regime, such as medical devices, in-vehicle systems under automotive type-approval rules, and certain aviation and marine equipment, are excluded because those regimes already impose comparable cybersecurity requirements.
Does open source software get an exemption? Open-source software made available outside the course of a commercial activity is largely outside CRA manufacturer obligations. Once open-source components are bundled into a commercial product you place on the market, the manufacturer of that product carries the obligations; the underlying components are not exempt inside that context.
What counts as a substantial modification that ends an exemption? A change that affects the product's compliance with the essential requirements, for example adding new network connectivity, changing its intended purpose, or a security-relevant redesign, not routine bug fixes or like-for-like security patches, which the CRA in fact expects you to keep shipping.
