Who does the Cyber Resilience Act apply to?

Alexis Hirschhorn· CEO, Acuna16 July 2026

Direct answer

The Cyber Resilience Act applies to manufacturers, importers and distributors of products with digital elements that have a direct or indirect connection capability. Manufacturers carry the primary obligations. The regulation is extraterritorial: a company outside the EU that places products on the EU market is in scope. Products covered by sector-specific rules and non-commercial open source are largely excluded.

Key Facts

  • Manufacturers, importers and distributors of products with digital elements (Art. 2).
  • Manufacturers carry the primary obligations: design, conformity, vulnerability handling, reporting.
  • Extraterritorial: non-EU manufacturers selling into the EU are in scope.
  • Non-EU manufacturers must appoint an authorised representative in the EU or ensure an EU-established economic operator performs the Article 4 tasks under Regulation (EU) 2019/1020 (CRA Art. 18).
  • OEM liability follows the brand: the entity placing the product on the EU market under its own name is the "manufacturer" for CRA purposes. An upstream OEM developer is not the manufacturer unless it also markets the finished product directly.
  • Exclusions: medical devices (MDR/IVDR), motor vehicles, civil aviation, and non-commercial open source (Art. 2).
  • Remote data-processing solutions integral to the product are in scope even if hosted in the cloud (Art. 3(2)).

The CRA applies to economic operators in the supply chain of products with digital elements that include a direct or indirect data connection (Art. 2, 3). **Manufacturers** carry the primary obligations: secure design, technical documentation, conformity assessment, vulnerability handling, SBOM and incident reporting. A manufacturer established outside the EU must appoint an authorised representative in the EU, or otherwise ensure an EU-established economic operator performs the relevant tasks under Article 4 of Regulation (EU) 2019/1020 (CRA Art. 18). This is commonly fulfilled through the importer, an appointed authorised representative, or a fulfilment service provider. **Importers** may place only compliant products on the EU market and must verify that the manufacturer completed its obligations. If the importer has reason to believe the product does not conform, it may not place it on the market. **Distributors** must act with due care and satisfy themselves that the CE marking and required documentation are in place before making a product available. **OEM supply chain.** The CRA places obligations on the entity that places the product on the EU market under its own name or trademark. An upstream OEM developer that supplies components or white-label hardware to a third party is not the "manufacturer" for CRA compliance purposes unless it also markets the finished product directly. If a software house supplies a module that another company integrates and brands, the branding entity is the manufacturer and carries the CRA burden. Compliance follows the brand on the box, not the origin of the technology. **Extraterritorial reach.** A company established in the United States, Canada, or anywhere outside the EU that sells products with digital elements into the Union is in scope. **Exclusions.** Products already subject to sector-specific EU rules with equivalent requirements are excluded -- medical devices (MDR/IVDR), motor vehicles (type-approval) and civil aviation (EASA). Non-commercial open-source software developed outside a commercial activity is largely outside scope.

What's next

See how Acuna handles this

Who does the Cyber Resilience Act apply to? | Acuna GRC Answers | Acuna