Is my product in scope? / Medical / health app
Health apps: CRA or Medical Device Regulation?
It depends on qualification. Software that is a medical device under MDR/IVDR is excluded from the CRA — the (stricter) sectoral regime applies. Wellness apps that avoid medical-device qualification are ordinary apps under the CRA. Health-monitoring wearables not covered by MDR are Annex III Class I.
What this means for you specifically
- ▸Diagnosis, treatment decisions, dosage calculation → likely MDR software (Rule 11), CRA excluded, MDR cybersecurity guidance (MDCG 2019-16) applies instead.
- ▸Step counters, sleep tracking, general wellness → not medical devices → CRA default class.
- ▸Consumer health wearables (heart-rate bands, sleep rings) that stay out of MDR are explicitly Annex III Class I under the CRA.
- ▸Borderline products: the qualification decision (with reasoning) belongs in your technical file — it determines your entire regulatory stack.
The pitfall that catches most teams
Drifting into MDR scope through feature updates ('detect arrhythmia' shipped by a PM who didn't ask legal) while your compliance file still says 'wellness app, CRA default class'.
The deadlines
2026-09-11
Reporting obligations start: actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.
2027-12-11
Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.
Where does your product actually stand?
The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.
Or get CRAdar to handle it continuously:
Other product types
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.