What is a remote data-processing solution (RDPS) under the CRA?
Direct answer
A remote data-processing solution is software the manufacturer designs to run at a distance, whose absence would prevent the connected product performing a core function. Under Article 3(2) the CRA treats such a solution as part of the product, so its security falls within scope even though it runs in the cloud.
Key Facts
- Defined in Article 3(2).
- Three elements: distance processing · product depends on it for a core function · designed by or under the manufacturer's responsibility.
- Treated as part of the product, so it inherits the product's CRA obligations.
- Distinguishes integral backends from ordinary third-party cloud dependencies.
A remote data-processing solution (RDPS) is distance processing that the manufacturer designs, and that the connected product needs in order to perform a core function (Art. 3(2)). When those conditions are met, the CRA treats the remote software as part of the product itself, so it carries the same essential requirements, vulnerability handling and reporting duties. The distinction matters for architecture. A manufacturer's own backend that a device cannot function without is in scope; general third-party infrastructure the product merely runs on is an external dependency, not part of the CRA product boundary. Teams building products that straddle local hardware and cloud should map which remote components are functionally essential, because those are the ones the CRA follows.
Regulatory References