Does the CRA Apply to SaaS? Scope, Exemptions, and Edge Cases
One of the most common questions about the EU Cyber Resilience Act is whether it applies to Software as a Service. The short answer: generally no, but it depends on how your product is delivered.
The CRA targets products with digital elements — and how the regulation defines that term is what determines whether your SaaS product is in scope.
The General Rule: SaaS Is Out of Scope
The CRA applies to products with digital elements, defined in Article 3 of Regulation 2024/2847 as software or hardware products and their remote data processing solutions. The regulation specifically notes in Recital 12 that SaaS falls under the scope of NIS2 rather than the CRA, provided it is delivered purely as a cloud service with no on-device component.
If your product runs entirely in the cloud, is accessed through a standard web browser, and does not require any software to be installed on the user's device or network, it is most likely out of CRA scope.
When SaaS IS in Scope
Here is where it gets complicated. Many modern SaaS products are not purely cloud-based. The CRA applies to any component that qualifies as a product with digital elements, even if the broader service is cloud-delivered.
On-Premise Agents or Connectors
If your SaaS product requires users to install an agent, connector, or gateway on their infrastructure — for monitoring, data collection, or integration — that installed component is a product with digital elements. The cloud service itself may be out of scope, but the agent is in scope.
Examples: observability agents (Datadog agent, New Relic agent), VPN clients, Kubernetes operators, database connectors installed on-premise.
Desktop and Mobile Applications
If your SaaS product includes a desktop app, mobile app, or browser extension that users install on their devices, those applications are products with digital elements. An Electron app, a native iOS/Android app, or a Chrome extension shipped alongside your SaaS product falls under the CRA.
Embedded Software and Firmware
If your service involves physical devices — IoT sensors, smart home hubs, industrial gateways — the firmware and software on those devices are fully in scope, even if the device is managed through a cloud platform. See our product classification guide for how to categorize such products.
SDKs and Client Libraries
If you distribute SDKs that developers embed into their own applications — API client libraries, payment processing SDKs, authentication libraries — those distributed components may be in scope as standalone products with digital elements.
Downloadable Software
If your SaaS offering includes downloadable tools — CLI utilities, development environments, data import/export tools — each downloadable component is potentially in scope.
How to Determine Your Scope
Ask these questions about your product:
- Does anything get installed on the customer's device, server, or network? If yes, that component is likely in scope.
- Do you distribute any downloadable software? If yes, those downloads are likely in scope.
- Do you ship physical devices? If yes, the device firmware and software are in scope.
- Is everything accessed purely through a standard web browser with nothing installed? If yes, the CRA likely does not apply.
Document your scope determination. If your product has both SaaS and on-device components, you may need to treat them differently — the on-device parts fall under the CRA while the cloud service falls under NIS2.
Practical Examples
Pure SaaS (out of CRA scope): Google Docs, Figma (web version), Notion (web-only), HubSpot CRM accessed via browser.
Hybrid — partially in scope: Slack (desktop/mobile apps are in scope, web version is not), GitHub (CLI tool and desktop app in scope, web interface not), Datadog (agent installed on servers is in scope, dashboard is not).
Fully in scope: Any IoT platform where you ship physical devices, any product where a desktop application is the primary interface, any developer tool distributed as downloadable software.
What If You Are In Scope?
If any component of your product falls under the CRA, you must:
- Meet the essential cybersecurity requirements for that component
- Generate and maintain an SBOM for the in-scope components
- Handle and disclose vulnerabilities according to CRA Annex I, Section 2
- Report actively exploited vulnerabilities to ENISA (see our ENISA reporting guide)
- Classify the in-scope components and follow the appropriate conformity assessment path
The good news: you need to comply only for the components that are in scope. Your cloud infrastructure and backend services remain under NIS2, not the CRA.
For a complete preparation plan, see our CRA compliance checklist.
Complaro helps teams determine which components are in scope and manage CRA compliance across their product portfolio. Get started free.