No, there is not. Any software provided as a service that does not support the functionality of a product with digital elements is outside the scope of the CRA. Recital 9a of the current proposal mentions that “Cloud solutions constitute remote data processing solutions within the meaning of this Regulation only if they meet its definition. For example, cloud-enabled functionalities provided by the manufacturer of smart home devices that enable users to control the device at a distance should fall within the scope of this Regulation. On the other hand, websites that do not support the functionality of a product with digital elements or cloud services designed and developed outside the responsibility of a manufacturer of a product with digital elements are not in the scope of this Regulation. Directive (EU) 2022/2555 [NIS2] applies to cloud computing services and cloud service models, such as Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) or Infrastructure-as-a-Service (IaaS).” The
Q&A issued by the European Commission in December 2023 also clarifies: “Will software, when provided as a service and not as a product, be covered under the CRA? Software provided as part of a service is not covered by the proposed Cyber Resilience Act, as it covers only products with digital elements sold within the European single market and sets out concrete cybersecurity requirements and obligations for the manufacturers of these products.” However, as mentioned in Recital 9a of the CRA, the NIS2 directive applies to software provided as a service, under which SaaS solutions might have specific obligations.