Does the Cyber Resilience Act apply to SaaS?
Direct answer
Standalone software-as-a-service and general cloud infrastructure are not in scope of the Cyber Resilience Act on their own. Cloud is captured only when it is a remote data-processing solution that a connected product needs to perform a core function, in which case that component is treated as part of the product.
Key Facts
- Standalone SaaS and pure cloud (IaaS/PaaS) are out of scope on their own.
- Cloud is in scope only as a remote data-processing solution (RDPS) integral to a product (Art. 3(2)).
- The March 2026 Commission draft guidance settled this boundary. (//CONFIRM)
- Three-part RDPS test: distance processing · product depends on it for a core function · developed by or for the manufacturer.
- Third-party cloud you merely run on is an external dependency, not your CRA product scope.
On its own, standalone SaaS is not a "product with digital elements" for CRA purposes, and general third-party cloud infrastructure that you build on is treated as an external dependency rather than part of your product (Art. 2, 3). Cloud is drawn into scope only when it is a remote data-processing solution: software the manufacturer designs, at a distance, whose absence would stop the connected product performing a core function (Art. 3(2)). The test is functional dependence, not merely "uses the cloud." A smart-home hub that cannot work without the manufacturer's backend brings that backend into scope; a web app you host on someone else's platform does not become CRA-regulated just by running there. The European Commission's March 2026 draft guidance confirmed this boundary.
Regulatory References