The CRA applies to almost everything with a chip or a bit of code that connects to something. It targets “products with digital elements” —that includes both hardware and software (including SaaS) that can connect, even indirectly, to a device or network.
Covered by the CRA:
- A smart home hub that connects via Wi-Fi.
- A mobile app that syncs with a cloud backend.
- SaaS dashboards used to control IoT devices.
- On-device software in connected consumer electronics.
- A cloud-based analytics platform that’s required for a smart sensor to operate.
These are all “products with digital elements”, especially when they depend on remote data processing—basically, cloud services your product needs to function.
Not covered:
- Medical devices (Regulation (EU) 2017/745).
- Automotive systems (Regulation (EU) 2019/2144).
- Aviation/maritime equipment certified under other EU laws.
- Identical spare parts used for repairs.
- Tools developed purely for defence or national security.
- Some general-purpose cloud hosting (like AWS/GCP) unless integrated into your product.
If your app, device or service connects to a network and has digital logic (even if it’s just an API call to the cloud), and it’s not already under another EU law—it probably falls under the CRA.