CRA and SaaS: Where’s the Boundary?
The CRA applies to products with digital elements placed on the EU market. Pure services are excluded. But the line between “product” and “service” is blurry.
What’s Covered
- ✅ Software sold or distributed (even freely) to users
- ✅ Firmware embedded in hardware products
- ✅ Desktop/mobile applications available for download
- ✅ On-premises software deployed in customer environments
- ✅ Open source used commercially
What’s NOT Covered
- ❌ Pure SaaS where the software runs entirely in the provider’s infrastructure
- ❌ Custom development (bespoke software built for one customer)
- ❌ Services regulated under NIS2 instead
The Grey Areas
SaaS with Client Components
If your SaaS requires a desktop agent, browser extension, or mobile app, those client components are products under the CRA:
Your SaaS Platform
├── Cloud backend (NOT CRA — it's a service → NIS2 applies)
├── Desktop agent (CRA product)
├── Mobile app (CRA product)
├── Browser extension (CRA product)
└── API SDK/library (CRA product if distributed)
PaaS/IaaS with Downloadable Tools
CLI tools, SDKs, and agents distributed to customers are CRA products even if the main platform is SaaS.
Open Source Libraries Published by SaaS Companies
If you publish open source libraries that others use in their products, the downstream manufacturer (not you) bears the CRA obligations for those products. But if you commercialize the library yourself, you may qualify as an Open Source Steward with obligations of your own.
Practical Advice
- Audit your distribution — anything you give to users to install is likely a CRA product
- Client components need SBOMs — even if they’re thin clients
- Security updates for client software — 5-year obligation applies
- NIS2 for the service — your cloud infrastructure falls under NIS2, not CRA
- Document the boundary — clearly define what’s product vs. service
Navigating the CRA/NIS2 boundary for your cloud services? I help organizations clarify their compliance obligations. Get in touch.
