Who does the CRA apply to? Manufacturers, importers, distributors, and open source

Who the Cyber Resilience Act covers and who it does not. Manufacturers including non-EU and white-label brands, importers, distributors, open source, SaaS, and the sector carve-outs, in one decision flow.


The Cyber Resilience Act applies to anyone who places a product with digital elements on the EU market commercially. Manufacturers carry the full obligations, including non-EU companies selling into the EU and brands that white-label someone else's hardware. Importers and distributors carry verification duties. Non-commercial open source, spare-time developers, pure SaaS, and sector-regulated products such as medical devices and vehicles sit outside.

That is the short answer to "does the CRA apply to me." This post is the long one: the roles, the special cases, and a decision flow you can run your own product through. The CRA, Regulation (EU) 2024/2847, entered into force on 10 December 2024, with reporting obligations from 11 September 2026 and full application on 11 December 2027; the full requirement set is on our Cyber Resilience Act framework page.

Does the CRA apply to me? The decision flow

Run these five questions in order.

  1. Is it a product with digital elements? Hardware or software with a direct or indirect data connection to a device or network. If no, you are out of scope. If yes, continue.
  2. Is it placed on the EU market in the course of a commercial activity? Sold, distributed, or made available in the EU, directly or through channels. If no, you are out of scope today, but revisit before opening an EU channel. If yes, continue.
  3. Is it covered by an equivalent sector regime? Medical devices under the MDR or IVDR, vehicles under automotive type-approval, certain aviation and marine equipment, or products developed exclusively for defence or national-security purposes follow those rules instead. If yes, check the sector regulation. If no, continue.
  4. Is your name or trademark on it? If you designed it, built it, had it built, or rebranded it, you are the manufacturer and carry the full obligations. If not, continue.
  5. Do you bring it to the EU market or make it available there? Then you are an importer or distributor, with verification duties rather than manufacturer duties.

Who counts as a manufacturer under the CRA?

The widest and heaviest role. A manufacturer is anyone who develops or manufactures a product with digital elements, or has it developed or manufactured, and markets it under their own name or trademark. Three cases surprise people. Non-EU companies are fully in scope for anything they sell into the EU, since scope follows the market, not the headquarters; a US or Canadian company selling into Berlin carries the same obligations as one based there, usually plus an EU authorised representative, as we cover in does the CRA apply outside the EU. White-label and rebranding arrangements make you the manufacturer of the product carrying your name, even though someone else built it; the trademark is what allocates the obligation. And substantial modification of a product already on the market makes the modifier the manufacturer of the result. Manufacturer obligations are the full set: secure by design, the SBOM and technical file, Article 14 reporting, security updates through the support period, and conformity assessment.

What do importers and distributors have to do?

Lighter duties, but real ones. Importers may only place a product on the EU market if the manufacturer has met its obligations, which means verifying the conformity assessment was carried out, the technical documentation exists, and the product carries the CE marking and required information. Distributors verify the marking and documentation are present before making the product available, and both must act, including informing authorities, if they have reason to believe a product presents a risk. One promotion rule matters more than the rest: an importer or distributor that sells the product under its own name, or substantially modifies it, becomes the manufacturer, with everything that carries.

Who is in scope, at a glance

Who you areIn scope?What you carry
EU manufacturer of a connected productYesFull manufacturer obligations
Non-EU manufacturer selling into the EUYesFull manufacturer obligations, usually plus an EU authorised representative
Brand white-labeling someone else's productYes, as manufacturerFull manufacturer obligations under your trademark
Importer bringing a product to the EU marketYesVerification duties; manufacturer duties if rebranding or substantially modifying
Distributor or reseller in the EUYesVerify CE marking and documentation before making available
Open-source steward supporting a project commerciallyYes, lighter regimeProportionate obligations centred on vulnerability handling
Spare-time or non-commercial open-source developerNoNo manufacturer obligations
Pure SaaS with no productGenerally noOut of CRA scope; NIS2 may apply instead
Medical device, vehicle, aviation, or defence productNoCovered by the equivalent sector regime

How does the CRA treat open source?

By commerciality, not by license. Open-source software made available outside the course of a commercial activity carries no manufacturer obligations, and a spare-time developer maintaining a project is not a manufacturer. Organisations that provide sustained commercial support for open-source projects without selling a product on top fall into a defined "open-source software steward" category with lighter, proportionate obligations. The moment open-source components go into a product you sell, though, you are the manufacturer of that product and the full obligations are yours; the license inside changes nothing. The distinctions are covered in depth in how the CRA treats open source software.

Does the CRA apply to SaaS and cloud services?

Generally no, with one exception that matters for connected products. The CRA regulates products with digital elements, not services; pure SaaS is the territory of NIS2, and the boundary between the two regimes is drawn in CRA vs NIS2. The exception is remote data processing that is integral to the product's functions: if your device depends on your cloud to do what it was sold to do, that processing is treated as part of the product and falls inside your CRA scope. A standalone analytics dashboard sold separately does not; the companion cloud your thermostat cannot function without does.

Which products are carved out entirely?

Sectors that already carry equivalent EU cybersecurity rules. Medical devices under the Medical Device Regulation and the IVDR, vehicles and their components under automotive type-approval rules, certain aviation and marine equipment, and products developed exclusively for defence or national-security purposes are excluded so the same requirements are not imposed twice. Note what is not on that list: there is no small-business exemption and no grandfather clause for legacy products, only a phase-in; the narrow real exemptions are covered in CRA exemptions for legacy products and small business.

What should I do once I know my role?

If the flow lands you on manufacturer, start with the inventory and SBOM and work through the CRA compliance checklist; the reporting clock arrives 11 September 2026 and the full requirements 11 December 2027. If you are an importer or distributor, start asking your manufacturers for their conformity evidence now, because their gap becomes your blocked shipment later.

Frequently asked questions

Who does the Cyber Resilience Act apply to? Anyone who makes a product with digital elements available on the EU market in the course of a commercial activity. Manufacturers carry the full obligations, wherever they are based, and importers and distributors carry lighter verification duties for products they bring to the market.

Does the CRA apply to companies outside the EU? Yes. Scope follows the market the product is placed on, not the manufacturer's location. A company in the US, Canada, or anywhere else is fully in scope for any product with digital elements it sells into the EU, and it usually needs an EU-based authorised representative.

Does the CRA apply if I rebrand or white-label someone else's product? Yes, as a manufacturer. If you place a product on the EU market under your own name or trademark, or substantially modify a product already on the market, you take on the full manufacturer obligations even though you did not design or build it.

Does the CRA apply to SaaS? Generally no. The CRA covers products with digital elements, not pure services. The exception is remote data processing that is integral to a product's functions, such as the companion cloud a device needs to work, which is treated as part of the product.

Is open source software covered by the CRA? Open-source software made available outside a commercial activity is not subject to manufacturer obligations, and spare-time developers are not manufacturers. Obligations attach to the commercial manufacturer who integrates open source into a product, and a lighter steward category covers organisations that support open-source projects commercially.

Which products are exempt from the CRA? Products already covered by an equivalent sector-specific EU regime, including medical devices under the MDR and IVDR, vehicles under automotive type-approval rules, certain aviation and marine equipment, and products developed exclusively for defence or national-security purposes.

Where Scadable fits

Scadable is the compliance engine for connected-product companies on the manufacturer side of this flow, wherever they are based. It identifies what is actively exploited across the fleet you have shipped, fixes it, files the report, and keeps you certified, so the obligations that come with your role run as infrastructure instead of a project. Run the free two minute CRA readiness check to see which obligations apply to your product, or book a walkthrough.