CRA Exemptions: Who Is Exempt from the Cyber Resilience Act?
The CRA has a broad scope, but several categories of products and organisations are fully or partially exempt. This guide explains each exemption, its legal basis, and — critically — the caveats that mean the exemption may not apply to you.
Don't assume you're exempt without checking
Most exemptions are narrow and contain important caveats. If you believe your product is exempt, document your legal basis carefully — market surveillance authorities will expect you to justify any claim of exemption.
Full Exemptions — Outside CRA Scope Entirely
These products are fully excluded from the CRA because they are already regulated by equivalent sector-specific legislation with cybersecurity requirements.
Medical devices
Article 2(2)(a) — MDR and IVDR
Products already regulated under the Medical Devices Regulation (2017/745) or In Vitro Diagnostic Medical Devices Regulation (2017/746). These products have equivalent cybersecurity requirements under MDR/IVDR.
Examples: Pacemakers, insulin pumps, diagnostic imaging systems, blood glucose monitors.
Civil aviation
Article 2(2)(b) — EASA Regulation
Products covered by Regulation (EU) 2018/1139 on common rules in the field of civil aviation and the EASA framework. Aviation cybersecurity is regulated separately.
Examples: Aircraft avionics, flight management systems, air traffic control software.
Motor vehicles
Article 2(2)(c) — UNECE WP.29
Vehicles covered by Regulation (EU) 2019/2144 (vehicle type-approval) and the UNECE WP.29 cybersecurity regulation (UN R155/R156). Vehicle cybersecurity is covered by the type-approval framework.
Examples: Passenger cars, trucks, motorcycles, and their embedded software systems.
Marine equipment
Article 2(2)(d) — Marine Equipment Directive
Equipment covered by the Marine Equipment Directive (2014/90/EU). Marine safety equipment has its own regulatory framework.
Examples: Navigation systems, AIS transceivers, GMDSS equipment on vessels.
National security and defence
Article 2(3) — Member State exclusion
Products designed or modified for national security or defence purposes may be excluded by Member States. The exclusion is narrowly construed — commercial off-the-shelf products used by the military are not automatically excluded.
Examples: Military-grade hardware security modules, classified communications equipment.
Products for classified information
Article 2(4)
Products specifically designed to process classified information, where the classification requirements preclude compliance with CRA obligations.
Examples: Systems handling EU Classified Information (EUCI) at SECRET and above.
Partial or Conditional Exemptions
These categories are frequently cited as exempt, but with important caveats. Read the caveat carefully — many organisations mistakenly believe they are out of scope.
Open source software — non-commercial
Article 3(1) — 'free and open-source software'
Open source software developed or supplied outside the course of a commercial activity is not considered 'placed on the market' under the CRA. Pure community projects with no commercial intent are outside scope.
Caveat: The moment a commercial entity integrates OSS into a product and sells it, that entity becomes the manufacturer and the CRA applies to the integrated product. The OSS component itself may be out of scope, but the product is not.
Open source software — commercial (Open Source Steward role)
Recital 18 — Open Source Steward
Organisations that provide support, integration, or maintenance of open source components in a commercial context become 'Open Source Stewards' and have lighter obligations — primarily limited to cooperating in vulnerability disclosure and maintaining a CVD policy.
Caveat: Full Annex I product security requirements do not apply to Open Source Stewards, but they must contribute to the vulnerability handling ecosystem.
Software as a Service (SaaS)
Article 2 — remote processing
Pure SaaS platforms where there is no downloadable client component are in a grey area. The CRA focuses on 'placing a product on the market'. If your SaaS has a client SDK, mobile app, or downloadable component, that component is in scope.
Caveat: The European Commission is expected to issue guidance on SaaS scope. Treat client-side components as in scope and monitor Commission guidance for the server-side position.
B2B custom-developed products
Article 3(2) — custom-developed
Products developed under a bespoke contract for a single customer and not made available to third parties are outside the definition of 'placed on the market'. However, standard products sold to businesses are in scope.
Caveat: If the same product is later made available to other customers, or if a framework agreement covers multiple customers, it is likely in scope.
Pre-commercial prototypes
Recital 33 — pre-market testing
Products that have not yet been placed on the market — including prototypes, alpha/beta versions distributed only for evaluation under NDA — are not in scope. However, products distributed as 'beta' to real end users for revenue or competitive purposes may be considered placed on the market.
Caveat: Developer previews, open betas, and early access programmes for paying customers are likely in scope.
Commonly Misunderstood — These Are NOT Exempt
B2B software
Software sold to businesses rather than consumers is not exempt. The CRA applies to all products placed on the EU market, regardless of whether the customer is a business or a consumer.
Internal tools
Software used only internally (not placed on the market) may be out of scope, but any product sold or licensed to third parties — even enterprise customers under a private contract — is in scope.
Free software (with commercial backing)
Software that is free of charge but developed and distributed by a commercial entity in the course of commercial activity is in scope. 'Free' ≠ 'non-commercial'.
Legacy products
Products already on the market before December 2027 must comply if they continue to be made available (i.e. sold) after that date. Products that are discontinued before December 2027 and not supported after that date may be exempt.
Cloud infrastructure
IaaS, PaaS, and SaaS operators are not automatically exempt. Products with digital elements that interface with cloud services (e.g., IoT devices, client apps) are in scope.
Not sure whether your product is in scope? The free CRAReady assessment takes 5 minutes and gives you a clear applicability determination.