{"type":"rich","version":"1.0","provider_name":"Transistor","provider_url":"https://transistor.fm","author_name":"The AI Governance Brief","title":"CRA COUNTDOWN: What Exactly Is In Scope? (And Why You Probably Don't Know)","html":"<iframe width=\"100%\" height=\"180\" frameborder=\"no\" scrolling=\"no\" seamless src=\"https://share.transistor.fm/e/12592685\"></iframe>","width":"100%","height":180,"duration":1603,"description":"A medical technology company's compliance team was confident they had three products requiring CRA attention. After completing the inventory exercise, we identified twenty-three. Twenty had no documented compliance owner. Twelve had never undergone a security assessment. Four required third-party conformity assessment from notified bodies that are already signaling capacity constraints. Their eighteen-month timeline became a resource crisis in a single meeting.\n\nMost organizations underestimate CRA product scope by sixty to seventy percent on initial assessment.\n\nIn This Episode:\n\nWhat \"Products with Digital Elements\" Actually Means\n- Software products: applications, mobile apps, SDKs, and SaaS platforms to the extent they provide remote data processing for a product\n- Hardware with embedded software or firmware\n- Remote data processing solutions: the cloud backends your products depend on are part of the product\n\nThe Three Gap Patterns That Destroy Compliance Timelines\n- Legacy product gap: systems in \"maintenance mode\" that still generate revenue still carry CRA obligations\n- Component product gap: APIs, SDKs, and libraries distributed through package managers require independent classification\n- Cloud infrastructure gap: you cannot outsource compliance responsibility to your cloud provider\n\nWhy Exemptions Are Narrower Than You Think\n- MDR-certified medical devices may be exempt, but the patient data platforms receiving their data are not\n- The non-commercial open-source exemption does not cover commercial products that use open-source dependencies\n- Every exemption assumption needs a documented regulatory basis, not organizational convenience\n\nThe Four-Tier Classification System\n- Default category (~90% of products): internal self-assessment with proper documentation\n- Important Class I (Annex III, Part I): identity management systems, VPNs, SIEM systems, operating systems; self-assessment only where harmonized standards are applied in full, otherwise third-party assessment\n- Important Class II (Annex III, Part II): hypervisors and container runtimes, firewalls and intrusion detection/prevention systems, tamper-resistant microprocessors and microcontrollers; mandatory notified body involvement\n- Critical (Annex IV): hardware devices with security boxes, smart meter gateways, smart cards and secure elements; highest scrutiny, with European cybersecurity certification where the Commission mandates it\n\nWhy Classification Determines...","thumbnail_url":"https://img.transistorcdn.com/rDqBMJXwlhb2bvZjH0V1qAuqxHAFqIADttstgmIyldM/rs:fill:0:0:1/w:400/h:400/q:60/mb:500000/aHR0cHM6Ly9pbWct/dXBsb2FkLXByb2R1/Y3Rpb24udHJhbnNp/c3Rvci5mbS8wNzgz/MjhlNjg0NjRjYThi/MGI3YWEzMzkyNzVm/ZTdiYy5wbmc.webp","thumbnail_width":300,"thumbnail_height":300}