EU Cyber Resilience Act (CRA) — Scope Determination

Document owner: Predrag Tasevski (CEO/Founder)
Status: Internal determination — living document, reviewed on regulatory or product changes
Last reviewed: 2026-07-10
Disclaimer: This is an internal compliance determination prepared by Unicis Tech OÜ for its own product portfolio. It is not legal advice. It should be reviewed by qualified external counsel before being relied upon in a contractual, regulatory, or dispute context.

1. Purpose

Regulation (EU) 2024/2847 (the Cyber Resilience Act, “CRA”) imposes cybersecurity obligations on manufacturers, importers, and distributors of products with digital elements (“PDE”) placed on the EU market. It does not apply to services as such — those are addressed separately, notably by the NIS2 Directive.

This document records Unicis Tech OÜ's assessment of whether, and to what extent, its product portfolio falls within CRA scope, which conformity route applies, and what obligations follow — including the reporting obligations under Article 14, which apply from 11 September 2026, ahead of full applicability on 11 December 2027.

2. Regulatory Basis

3. Product-by-Product Assessment

Unicis Tech OÜ makes three distinct offerings available. Each is assessed separately, since CRA scope attaches to the product, not the vendor.

Offering Distribution model CRA scope view Rationale
Unicis Platform — Hosted SaaS (platform.unicis.tech) Browser-accessed only; no client-side download or install Out of scope (services excluded) Pure cloud-native SaaS consumed via browser, with no software placed on the market for the customer to run. Falls under NIS2 rather than CRA. Confirmed against the Commission's 3-part RDPS test (Section 3.2): the hosted platform is not “remote data processing” that is essential to the function of a separately placed-on-market product — it *is* the service itself.
Unicis Platform — Community Edition (CE) (github.com/UnicisTech/unicis-platform-ce, Apache 2.0) Distributed as downloadable, installable software; deployed and operated by the recipient on their own infrastructure In scope Meets the definition of a software product placed on the market: made available to third parties, installed and run outside Unicis's own infrastructure, distributed in the course of a commercial activity (open-core lead generation for the paid SaaS). The non-commercial open-source exemption does not cleanly apply, since distribution sits inside a commercial strategy.
unicis-mcp-server (TypeScript MCP server, 9 tools) Distributed as downloadable/installable component; run by the recipient (or by AI clients on the recipient's behalf) In scope Functions as an installable agent/client component per Commission guidance — the kind of downloadable software that pulls an otherwise-service offering back into product scope, independent of the hosted SaaS determination.

3.1 Classification (Annex III / IV check)

Neither CE nor the MCP server appear in Annex III (“important products with digital elements,” e.g. identity/access management software, password managers, standalone/embedded browsers, VPNs, SIEM, network management/configuration/monitoring tools, boot managers, PKI/certificate issuance software, operating systems) or Annex IV (“critical products,” e.g. hardware security modules, smart meter gateways, smartcards). A GRC/compliance task-and-controls platform does not fall within either list.

Conclusion: default (unclassified) category.

3.2 RDPS test applied to the hosted SaaS

Per the Commission's March 2026 draft guidance, a cloud/SaaS component is pulled into a product's conformity scope only if all three conditions of the “remote data processing solution” test are met: (1) the processing is designed and developed by, or under the responsibility of, the manufacturer; (2) it is necessary for the product to perform one of its functions; and (3) its absence would prevent that function. The hosted SaaS platform is not a remote dependency of a separately placed-on-market product — it is the entire offering, delivered as a service with no local install. It therefore does not meet the RDPS test in a way that would pull it into scope, and remains outside the CRA on the “pure SaaS” basis instead.

4. Conformity Route

For Community Edition and unicis-mcp-server (both default category, no harmonized standards yet cited for GRC-category software):

Hosted SaaS carries no CRA conformity obligation under the current determination; it is tracked instead under Unicis's NIS2 compliance workstream (see Compliance Framework Roadmap).

5. Article 14 — Reporting Obligations (from 11 September 2026)

Independent of full conformity-assessment readiness, Article 14 reporting applies from 11 September 2026 to any in-scope product already on the market. This means Community Edition and unicis-mcp-server incident/vulnerability handling must be explicitly covered, with statutory deadlines:

This workflow should be integrated with the existing IRIS incident-handling process and Grype/SBOM vulnerability scanning workstream, with CE and MCP-server releases explicitly in scope alongside the hosted platform's own NIS2-driven incident process.

6. Review Triggers

This determination should be re-assessed when any of the following occur:

7. References