Does the EU Cyber Resilience Act apply to SaaS?
Mostly no — with two important traps. Pure cloud services with nothing to install are governed by NIS2, not the CRA. But the moment you ship any installable component, that component is a product with digital elements. And 'remote data processing solutions' integral to a product fall under the CRA together with it.
What this means for you specifically
- In scope the moment you offer: a desktop client, mobile app, CLI tool, on-prem/self-hosted version, browser extension, or local agent/daemon. Each is a product; each needs the full treatment.
- If you sell a device or app whose functionality depends on your cloud backend, that backend is a 'remote data processing solution' and is assessed with the product.
- Self-hosted enterprise deployments of your 'SaaS' are straightforwardly software supplied to a customer — in scope.
- Even for pure SaaS, your enterprise customers under CRA/NIS2 pressure will push SBOM and disclosure-policy requirements down to you contractually.
The pitfall that catches most teams
Shipping a 'small helper agent' or CLI and not noticing you just placed a regulated product on the EU market while your compliance story says 'we're SaaS, exempt'.
The deadlines
2026-09-11: Reporting obligations start: actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.
2027-12-11: Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.
Where does your product actually stand?
The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.