CRA COUNTDOWN: What Exactly Is In Scope? (And Why You Probably Don't Know)


A medical technology company's compliance team was confident they had three products requiring CRA attention. After completing the inventory exercise, we identified twenty-three. Twenty had no documented compliance owner. Twelve had never undergone security assessment. Four required third-party conformity assessment from notified bodies already signaling capacity constraints. Their eighteen-month timeline became a resource crisis in a single meeting.

Most organizations underestimate CRA product scope by sixty to seventy percent on initial assessment.

In This Episode:

  • What "Products with Digital Elements" Actually Means
    • Software products: applications, SaaS platforms, mobile apps, SDKs
    • Hardware with embedded software or firmware
    • Remote data processing solutions—the cloud backends your products depend on are part of the product

  • The Three Gap Patterns That Destroy Compliance Timelines
    • Legacy product gap: systems in "maintenance mode" that still generate revenue still carry CRA obligations
    • Component product gap: APIs, SDKs, and libraries distributed through package managers require independent classification
    • Cloud infrastructure gap: you cannot outsource compliance responsibility to your cloud provider

  • Why Exemptions Are Narrower Than You Think
    • MDR-certified medical devices may be exempt—but patient data platforms receiving their data are not
    • The non-commercial open-source exemption doesn't cover commercial products that use open-source dependencies
    • Exemption assumptions require a documented regulatory basis, not organizational convenience

  • The Four-Tier Classification System
    • Default category (~90% of products): internal self-assessment with proper documentation
    • Important Class I: identity management, VPNs, SIEM systems—harmonized standards or third-party assessment
    • Important Class II: operating systems, firewalls, HSMs—mandatory notified body involvement
    • Critical: hardware security boxes, smart meter gateways—highest scrutiny with cybersecurity certification

  • Why Classification Determines Everything
    • Conformity assessment pathway drives timeline and budget
    • Notified body capacity is finite—organizations engaging early secure assessment slots
    • EU 2025/2392 Implementing Regulation clarifies component vs. integrated product classification

Your Fourteen-Day Action Plan:

  • Days 1-3: Revenue-based product identification with Finance
  • Days 4-6: Technical architecture expansion with Engineering
  • Days 7-9: Customer relationship validation with Customer Success
  • Days 10-12: Exemption analysis with documented regulatory basis
  • Days 13-14: Preliminary classification against Annex III and IV criteria

Deliverables:

  1. Comprehensive product inventory
  2. Exemption register with documented rationale
  3. Preliminary classification matrix

Ready to discover your actual CRA scope?

The First Witness Stress Test includes comprehensive scope determination and classification analysis—revealing the products hiding in plain sight and the conformity assessment pathway each requires. Stop assuming. Start inventorying.
