EU Cyber Resilience Act
Does the CRA apply to SaaS?
The Cyber Resilience Act targets products with digital elements, including the remote data-processing solutions necessary for a product to function. Pure standalone cloud services may sit outside, but software products and product-linked back ends are often in scope.
What to focus on
- Distinguish a standalone service from a product (and its required back end).
- Where in scope, maintain an SBOM and vulnerability handling.
- Document the essential requirements and update policy.
- Confirm scope for your specific offering.
Frequently asked questions
- Does the CRA apply to SaaS?
- The CRA covers products with digital elements and the remote data-processing solutions necessary for them to function. Whether a given SaaS is in scope depends on how it relates to a product — classify yours to be sure.
General information about the EU Cyber Resilience Act — not legal advice. Normproof provides tooling and audit-ready evidence; the manufacturer self-declares conformity. For your specific product, run the free readiness check or consult a qualified advisor.