CRA compliance for firmware and embedded software
Firmware supplied commercially — whether embedded in your own device or licensed to OEMs — is a product with digital elements under the CRA. When you sell it to OEMs you are a component manufacturer: your customers' CRA compliance depends on yours, and their procurement teams now know it.
What this means for you specifically
- OEM customers will contractually require: CycloneDX/SPDX SBOMs per release, CVE monitoring on your components, VEX statements, and guaranteed fix SLAs — the CRA flows down supply chains through contracts.
- Yocto/Buildroot images: use build-system SBOM generation (both have native support now); hand-maintained component lists don't survive audits.
- Tamper-resistant microcontrollers/microprocessors and security chips are Annex III Class II / Annex IV — check before assuming the default class.
- Coordinate disclosure with OEMs: your CVD policy must handle 'we found it in your chip, it affects 40 products' scenarios.
The pitfall that catches most teams
Binary blobs from silicon vendors that you redistribute but cannot patch yourself. Map every one of them to the SBOM, get support commitments upstream, and document the residual risk for the ones you cannot fix.
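The two obligations above that an OEM will actually test you on, a VEX statement per release and a map of vendor blobs with their residual risk, come together in one small check. The script below is an added example, not code from this page or from CRAdar: it reads a CycloneDX SBOM and a CycloneDX VEX document, lists every vulnerability the VEX leaves open, and pulls out the ones that land on components you cannot rebuild. The SBOM, the VEX and the CVE ids are constructed samples, and the `cra:patchable` and `cra:upstream-support-until` properties are an assumed, project-defined convention, not part of the CycloneDX specification.

```python
"""Triage a CycloneDX SBOM against a CycloneDX VEX document and flag vendor
binary blobs that still carry open vulnerabilities.

Added example, not code from the page or from CRAdar. All data below is
constructed; the CVE ids are placeholders."""
import json

# Constructed CycloneDX 1.4-style SBOM for a hypothetical firmware image.
# "cra:patchable" / "cra:upstream-support-until" are assumed project-defined
# properties marking components you can rebuild versus vendor blobs you can
# only replace when upstream ships a new one.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"bom-ref": "pkg:generic/busybox@1.36.1", "name": "busybox", "version": "1.36.1",
     "properties": [{"name": "cra:patchable", "value": "true"}]},
    {"bom-ref": "pkg:generic/wifi-fw@3.2.0", "name": "wifi-fw", "version": "3.2.0",
     "properties": [{"name": "cra:patchable", "value": "false"},
                    {"name": "cra:upstream-support-until", "value": "2025-12-31"}]},
    {"bom-ref": "pkg:generic/openssl@3.0.13", "name": "openssl", "version": "3.0.13",
     "properties": [{"name": "cra:patchable", "value": "true"}]}
  ]
}"""

# Constructed CycloneDX VEX document. The last entry references a blob that
# never made it into the SBOM, which is exactly the mapping gap to catch.
VEX_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "vulnerabilities": [
    {"id": "CVE-0000-0001", "affects": [{"ref": "pkg:generic/busybox@1.36.1"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    {"id": "CVE-0000-0002", "affects": [{"ref": "pkg:generic/wifi-fw@3.2.0"}],
     "analysis": {"state": "exploitable", "response": ["workaround_available"]}},
    {"id": "CVE-0000-0003", "affects": [{"ref": "pkg:generic/openssl@3.0.13"}],
     "analysis": {"state": "in_triage"}},
    {"id": "CVE-0000-0004", "affects": [{"ref": "pkg:generic/bt-fw@1.0.0"}]}
  ]
}"""

# CycloneDX analysis states that close a finding; everything else stays open.
CLOSED_STATES = {"not_affected", "resolved", "resolved_with_pedigree", "false_positive"}


def load_components(sbom_json):
    """Index SBOM components by bom-ref; CycloneDX properties become a plain dict."""
    sbom = json.loads(sbom_json)
    index = {}
    for comp in sbom.get("components", []):
        props = {p["name"]: p["value"] for p in comp.get("properties", [])}
        index[comp["bom-ref"]] = {
            "name": comp["name"],
            "version": comp.get("version", ""),
            "patchable": props.get("cra:patchable") == "true",
            "support_until": props.get("cra:upstream-support-until"),
        }
    return index


def open_findings(sbom_json, vex_json):
    """Return one record per (vulnerability, affected ref) the VEX leaves open.
    A vulnerability with no analysis block is treated as open, never as closed."""
    comps = load_components(sbom_json)
    vex = json.loads(vex_json)
    findings = []
    for vuln in vex.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state", "unknown")
        if state in CLOSED_STATES:
            continue
        for target in vuln.get("affects", []):
            comp = comps.get(target["ref"])
            findings.append({
                "id": vuln["id"],
                "ref": target["ref"],
                "component": comp["name"] if comp else "<unmapped>",
                "state": state,
                "patchable": comp["patchable"] if comp else None,
                "support_until": comp["support_until"] if comp else None,
            })
    return findings


def residual_risk_register(sbom_json, vex_json):
    """Open findings you cannot close by rebuilding: vendor blobs, plus refs the
    VEX names but the SBOM does not list (patchable is None for those)."""
    return [f for f in open_findings(sbom_json, vex_json) if not f["patchable"]]


if __name__ == "__main__":
    for f in open_findings(SBOM_JSON, VEX_JSON):
        print(f"OPEN  {f['id']:14} {f['component']:12} state={f['state']}")
    for f in residual_risk_register(SBOM_JSON, VEX_JSON):
        print(f"RISK  {f['id']:14} {f['component']:12} support_until={f['support_until']}")
```

Run it as-is to see the split: `CVE-0000-0003` on OpenSSL is open but yours to fix in the next build, while the Wi-Fi blob and the unmapped Bluetooth blob are what the residual-risk section of your documentation has to explain, together with the upstream support date you negotiated. Dropping the missing-analysis case into the "open" bucket rather than silently skipping it is deliberate: a VEX entry nobody has triaged is not a closed finding.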
The deadlines
2026-09-11: Reporting obligations start. Actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.
2027-12-11: Full application. Essential requirements, technical documentation, EU Declaration of Conformity and CE marking are required to sell in the EU.
Where does your product actually stand?
The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.