Page 1 of 2
CRA Product Scope & Applicability Form
This form helps identify whether your product is likely in scope of the EU Cyber Resilience Act (CRA), and which obligations may apply.
This is not a legal determination and does not replace legal or conformity assessment advice.
SECTION-1
Where is your company legally established?
*
Where is your company legally established?
A
EU
B
NON-EU
Do you make your product available in the EU market?
*
Do you make your product available in the EU market?
A
YES
B
NO
C
NOT YET,BUT PLANNED
Your role for this product
*
Your role for this product
A
Manufacture
B
Importer
C
Distributor
D
Open-source software steward
E
Unsure
SECTION-2
Product Name
Product type
*
Product type
A
Software Only
B
Hardware Only
C
Hardware + Embedded Software/Firmware
D
Cloud-Managed Device
E
AI/ML-Based System or Component
Is this product intended to be used by:
*
Is this product intended to be used by:
A
Consumers
B
Businesses
C
Both
Section-3
Does your product have any of the following?
*
Does your product have any of the following?
A
Network connectivity
B
Wireless interfaces
C
APIs or remote management interfaces
D
Data exchange with other systems
E
None of the above
Does your product include third-party or open-source software components?
*
Does your product include third-party or open-source software components?
A
Yes, extensively
B
Yes, limited
C
No
D
Not Sure
Do you maintain a software bill of materials (SBOM)?
*
Do you maintain a software bill of materials (SBOM)?
A
Yes
B
No
C
Planned
D
Unsure what SBOM means
Can you update the product after release?
*
Can you update the product after release?
A
Yes, remotely
B
Yes, manually
C
No updates possible
D
Updates only via new versions
Section-5
Vulnerability Reporting
*
Vulnerability Reporting
A
Yes (public policy/contact)
B
Informal (email/support)
C
No
Security patches
*
Security patches
A
Yes
B
No
C
Not applicable yet
Third-party monitoring
*
Third-party monitoring
A
Yes
B
Partially
C
No
Section-6
Does your product perform any of the following functions?
*
Does your product perform any of the following functions?
A
Identity or access management
B
Authentication / authorization
C
Password management
D
Network traffic control (VPN/firewall/IDS)
E
System or network monitoring
F
Virtualization / container runtime
G
Operating system or low-level software
H
Cryptographic key or certificate management
I
Secure boot or firmware integrity
J
Smart home / IoT functionality
K
Wearable or child-related device
L
None of the above
Section-7
Uses AI?
*
Uses AI?
A
Yes
B
No
C
Not Sure
AI Security Relevant?
*
AI Security Relevant?
A
Yes
B
No
C
Not Applicable
Section-8
Support period
*
Support period
A
< 2 years
B
2–5 years
C
5 years
D
Not defined yet
Lifecycle Status
*
Lifecycle Status
A
Actively developed
B
Maintenance only
C
End-of-life planned
D
Already end-of-life
Section-9
Email
*
Submit
