Does the Cyber Resilience Act apply if you are not based in the EU?

Yes. The Cyber Resilience Act applies based on where a product is sold, not where the manufacturer is located. Non-EU companies are squarely in scope.


"We are not an EU company, so the Cyber Resilience Act does not apply to us" is one of the most common and most expensive misreadings of the regulation. The CRA, like GDPR before it, is scoped to the market a product reaches, not the country the manufacturer is headquartered in.

TL;DR: The Cyber Resilience Act applies to any product with digital elements placed on the EU market, regardless of where the manufacturer is based. Non-EU manufacturers are in scope directly, and the regulation adds separate obligations for importers, distributors, and often an EU-based authorised representative.

Does the Cyber Resilience Act apply to companies outside the EU?

Yes. Regulation (EU) 2024/2847 defines its scope by where a product is placed on the market, not by the manufacturer's country of establishment. A manufacturer in California, Toronto, or Singapore is subject to the same essential requirements as one headquartered in Berlin, the moment its product reaches EU customers through normal commercial channels.

What does "placed on the EU market" actually mean?

It means the product is made available for distribution or use within the EU in the course of a commercial activity, whether that is a direct sale, a distributor relationship, an online marketplace listing that ships to EU addresses, or an EU subsidiary. It does not require the manufacturer to have any physical presence in the EU. If your go-to-market plan includes selling into EU countries, you are placing products on the EU market and the CRA follows.

Who is obligated if the manufacturer itself is outside the EU?

The manufacturer keeps the primary obligations: secure-by-design requirements, vulnerability handling, SBOM, and conformity assessment all sit with the manufacturer wherever it is located. On top of that, the CRA assigns specific duties to whoever brings the product into the EU: importers must verify the manufacturer has met its obligations before placing the product on the market, and distributors must verify required documentation and marking are present before making the product available. See our CRA framework overview for how these obligations stack for the full lifecycle of a product.

Do I need an authorised representative in the EU?

In many cases, yes. An authorised representative is an EU-established party a non-EU manufacturer can appoint to hold technical documentation and act as the point of contact for market surveillance authorities. It is an administrative bridge, not a transfer of liability: the manufacturer remains responsible for actual compliance. If you are selling into the EU without any EU presence today, this is usually one of the first practical gaps to close.

Does routing through a marketplace or reseller change anything?

No, and this is a common hope that does not hold up. Selling through Amazon EU, a regional distributor, or a value-added reseller does not remove the manufacturer from scope. It layers distributor obligations, checking the product is CE marked and accompanied by the required information, on top of the manufacturer's own duties. If anything, a marketplace or distributor relationship is more likely to surface a compliance gap, since these intermediaries increasingly ask for CRA documentation as a condition of listing.

What if EU sales are small or incidental?

The regulation's threshold is commercial market placement, not sales volume. A handful of individual customers importing a product for personal use is treated differently from a manufacturer actively marketing, distributing, or fulfilling orders into the EU. If EU sales are a genuine, ongoing channel, even a modest one, plan as though you are fully in scope rather than waiting to see how large it gets. Retrofitting compliance after a product line is already established in the market is far more expensive than building it in from the start. See our readiness checklist for what that looks like in practice.

Does this work the same way as GDPR's territorial scope?

Structurally, yes. Both regulations reach outside the EU's borders based on market impact rather than manufacturer location, which is a deliberate regulatory pattern the EU has used before. If your team has already dealt with GDPR's extraterritorial reach for a connected product, the CRA's scope logic will feel familiar even though the substance is different. See our comparison of GDPR and the CRA for exactly where the two diverge.

Where Scadable fits

Scadable does not care where your engineering team sits. It maps every device and component you have shipped into the EU, wherever your company is based, flags what is actively exploited, and handles the reporting clock the moment it starts. If you sell into the EU and want to know exactly where your gaps are, book a walkthrough.

Last reviewed: July 1, 2026.

Frequently asked questions

Does the CRA apply to companies outside the EU?

Yes. The Cyber Resilience Act applies based on the market a product is placed on, not the manufacturer's location. A company based in the US, Canada, or anywhere else is in scope if it sells a product with digital elements into the EU.

Who exactly is obligated under the CRA if the manufacturer is outside the EU?

The manufacturer carries the primary obligations regardless of location. If the manufacturer is outside the EU, the CRA also places specific duties on importers and distributors who bring the product to the EU market, and often requires an authorised representative established in the EU.

What is an authorised representative under the CRA?

An EU-established person or company that a non-EU manufacturer can mandate to carry out specific tasks on its behalf, such as holding technical documentation and cooperating with market surveillance authorities. It does not replace the manufacturer's obligations; it is an EU point of contact for them.

Does selling through a marketplace or reseller change who is in scope?

No. Selling through a marketplace, distributor, or reseller does not remove the manufacturer from CRA scope. It adds distributor obligations on top, such as verifying the product carries the required documentation and CE marking before making it available.

What if my product is only sold in the US but a few EU customers buy it anyway?

Scope turns on whether you place the product on the EU market, generally meaning you make it available for distribution or use in the EU in the course of a commercial activity. Incidental personal imports by individual customers are treated differently from a manufacturer actively selling into the EU; if you are not marketing, distributing, or fulfilling orders into the EU, exposure is much lower, but if EU sales are a real channel, plan as if you are in scope.