EU Cyber Resilience Act

The Cyber Resilience Act, Regulation (EU) 2024/2847, introduces for the first time a horizontal framework of cybersecurity obligations for products with digital elements. It extends the familiar architecture of Union product law, with CE marking, conformity assessment and market surveillance, into the digital domain. What makes it different is the direct application to software, the imposition of vulnerability handling duties, and the recognition that certain categories of products are more consequential for the Union's resilience than others.

The Regulation draws distinctions between important and critical products. Important products are subdivided into two classes. Class I includes operating systems, browsers, routers, password managers and similar items. These may be conformity assessed by the manufacturer itself where harmonised standards or recognised certification schemes exist. Class II covers firewalls, intrusion prevention systems, hypervisors and other items whose failure could have far greater systemic effects. These always require third-party assessment.

Critical products are a still narrower category, set out in Annex IV, which includes hardware security modules, smart meter gateways and secure elements. For these the Commission may by delegated act impose mandatory European cybersecurity certification at assurance level substantial or higher, a power grounded in Article 8 and explained in Recital 46.

The obligations are not immediate.

The Regulation entered into force in December 2024, but its obligations apply only after a transitional period. The framework for conformity assessment and reporting mechanisms will become operational in stages, with the full set of obligations applying from December 2027.

Products lawfully placed on the market before that date are not retroactively pulled into scope. They become subject to the Act only if they undergo a “substantial modification” thereafter. Substantial modification is defined in Article 3(30) and elaborated in Recitals 38 to 41. A change that affects compliance or alters the intended purpose is substantial; in such cases, the person making the change assumes the role of manufacturer either for the altered part or, if the change affects the product as a whole, for the entire item. Articles 21 and 22 make this position explicit.

There is a narrow exemption for spare parts. Article 2(6), read with Recital 29, excludes parts that are identical replacements manufactured to the same specifications. Any replacement that differs in function or design loses that protection and reopens the regulatory net.

Against this background the exclusions in Article 2 can be read with clarity. They are not broad licences to escape but carefully drawn boundaries.

Medical devices and in vitro diagnostic devices are excluded by Article 2(2)(a) and (b). Recital 25 confirms that Regulations 2017/745 and 2017/746 already impose IT security requirements throughout the lifecycle of those products. The result is that a wellness tracker is within the CRA, but a certified medical device is not.

Motor vehicles are excluded by Article 2(2)(c). Recital 27 points to the type-approval regime under Regulation 2019/2144, which incorporates the UNECE rules on vehicle cybersecurity and software updates. The carve-out applies to systems delivered within approved vehicles. The same systems sold separately outside that regime remain in scope.

Civil aviation products certified under Regulation 2018/1139 are excluded by Article 2(3). Recital 27 notes that certification under EASA already provides the necessary assurance. Marine equipment is excluded by Article 2(4) where it falls within the scope of Directive 2014/90. Both exclusions follow the same logic of avoiding duplication.

Article 2(5) introduces a flexible mechanism. Where another Union act covers the same risks to an equal or higher level, the Commission may by delegated act limit or exclude the application of the CRA. Recital 28 provides the justification. Until such an act is adopted the CRA applies.

Spare parts are expressly removed by Article 2(6) but only where they replace identical components made to the same specifications. Recital 29 explains that this ensures repair and durability without forcing repeated conformity assessments. The moment a part is not identical the exemption is lost.

National security and defence are addressed in Article 2(7). Products developed exclusively for those purposes, or specifically designed to process classified information, fall outside the Act. Article 2(8) adds that obligations shall not entail disclosure of information contrary to essential security interests. Recitals 26, 30 and 31 situate this within the Treaties' division of competences. The word "exclusively" is critical. Dual-use products remain subject to the CRA.

Free and open source software has its own treatment. Recitals 17 to 21, together with Articles 24 and 25, make clear that software developed outside commercial activity is not covered. Open source stewards who provide sustained support for products intended for commercial activities are subject to a light regime. The dividing line is commerciality. Non-commercial projects remain outside. Manufacturers integrating open source into commercial products bear full responsibility.

European Digital Identity Wallets are not excluded. Recital 33 requires that providers comply both with the CRA and with the security duties under Article 5a of eIDAS. Certification under an EU scheme may be used to demonstrate conformity under both regimes, but the obligations remain cumulative.

The treatment of critical products deserves particular attention. Article 8 allows the Commission to require mandatory certification for Annex IV categories at substantial assurance or higher.

Recital 46 underlines the systemic role these products play and their existing reliance on certification. For manufacturers this means Annex IV products must be designed with certification in mind. Where a certificate under an identified EU scheme has been formally recognised as covering the relevant CRA requirements, it can be relied upon in place of a separate third-party assessment.

The transitional rules come back into focus here. Article 69(2) provides that products placed before December 2027 are not covered unless substantially modified afterwards. Recitals 38 to 41 elaborate the boundaries. Security patches or minor adjustments are not substantial. Feature updates or changes that alter the intended purpose are. Articles 21 and 22 make clear that the person making such changes becomes the manufacturer for CRA purposes.

The exclusions, then, are not loopholes but deliberate boundaries. They protect coherence with existing Union law, respect Member State competence in security, and avoid burdening open source communities unnecessarily. For manufacturers the practical consequence is that reliance on any exclusion must be carefully documented. Market surveillance authorities will expect to see evidence where identical spare parts are claimed, justification when sectoral law is invoked, and a clear test of whether a product is truly exclusive to defence purposes.

The Act is not retroactive but it is not static. Legacy products may continue on the market, but once they are modified substantially they fall within scope. For any reliance on exclusions or transitional rules, the safer course is to treat them as matters of evidence rather than assumption. The burden rests on the manufacturer to show why an exclusion applies.

Article by Dr Ian Gauci

Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.