AI apps under the CRA (and how it meets the AI Act)
An AI-powered app is, for the CRA, simply software: if it is installable and commercially available to EU users, it is in scope like any other app. The AI Act governs the AI-specific risks separately; the CRA governs the product's cybersecurity. High-risk AI systems that meet CRA essential requirements can leverage that for AI Act conformity — the regulations are designed to interlock.
What this means for you specifically
- Model weights shipped with the app, inference runtimes (llama.cpp, ONNX Runtime, CoreML models) and Python/native dependencies all belong in the SBOM.
- Prompt-injection and model-supply-chain risks (poisoned weights, malicious model files) belong in your documented risk assessment; auditors increasingly ask for it.
- If inference runs in your cloud, that backend is a remote data processing solution and is assessed together with the app.
- Local-first AI apps: signed model downloads and integrity checks are the update-security requirement applied to weights.
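The last point is the one that most often lacks an implementation, so here is an added example of what "signed model downloads and integrity checks" means in code. It is not from the original page or from CRAdar, and it assumes a hypothetical JSON manifest format, Ed25519 signatures (the CRA does not prescribe either), and constructed in-memory byte strings standing in for a weights file and a tokenizer. The publisher signs a manifest of artifact hashes; the app verifies the signature before parsing the manifest, then pins every downloaded artifact to its hash and rejects anything unlisted, missing or altered.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest lists every artifact the app is allowed to load with its expected
// SHA-256. Hypothetical format chosen for this example.
type Manifest struct {
	ModelName string            `json:"model_name"`
	Version   string            `json:"version"`
	Files     map[string]string `json:"files"` // artifact name -> hex SHA-256
}

// sha256Hex returns the lowercase hex SHA-256 of data.
func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// BuildManifest runs on the publisher side over the release artifacts.
func BuildManifest(name, version string, artifacts map[string][]byte) Manifest {
	m := Manifest{ModelName: name, Version: version, Files: map[string]string{}}
	for n, data := range artifacts {
		m.Files[n] = sha256Hex(data)
	}
	return m
}

// SignManifest serialises the manifest and signs it with the publisher's
// Ed25519 private key. Only the public key ships inside the app.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (payload, sig []byte, err error) {
	payload, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// VerifyDownload runs on the client after the download completes. The
// signature is checked before the manifest is parsed, so an unsigned or
// altered manifest is never interpreted; then every listed artifact must match
// its pinned hash and no unlisted artifact may be present. Nothing reaches the
// inference runtime unless all checks pass.
func VerifyDownload(pub ed25519.PublicKey, payload, sig []byte, downloaded map[string][]byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, payload, sig) {
		return m, errors.New("manifest signature invalid: refusing to load model")
	}
	if err := json.Unmarshal(payload, &m); err != nil {
		return m, fmt.Errorf("manifest unreadable: %w", err)
	}
	for name, want := range m.Files {
		data, ok := downloaded[name]
		if !ok {
			return m, fmt.Errorf("artifact %q listed in manifest is missing", name)
		}
		if sha256Hex(data) != want {
			return m, fmt.Errorf("integrity check failed for %q", name)
		}
	}
	for name := range downloaded {
		if _, ok := m.Files[name]; !ok {
			return m, fmt.Errorf("artifact %q is not in the signed manifest", name)
		}
	}
	return m, nil
}

func main() {
	// Constructed sample release: stand-ins for a weights file and a tokenizer.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	release := map[string][]byte{
		"model.gguf":     []byte("constructed weights bytes"),
		"tokenizer.json": []byte(`{"constructed": true}`),
	}
	payload, sig, err := SignManifest(priv, BuildManifest("demo-llm", "1.2.0", release))
	if err != nil {
		panic(err)
	}
	if m, err := VerifyDownload(pub, payload, sig, release); err == nil {
		fmt.Println("ok:", m.ModelName, m.Version)
	}
	// Same manifest and signature, but the weights were swapped in transit.
	tampered := map[string][]byte{
		"model.gguf":     []byte("constructed weights bytes, altered"),
		"tokenizer.json": release["tokenizer.json"],
	}
	_, err = VerifyDownload(pub, payload, sig, tampered)
	fmt.Println("tampered:", err)
}
```

The same check covers weight updates: a new manifest is signed for each release, and an old manifest replayed against newer files fails the hash comparison, while a manifest re-signed by anyone but the publisher fails the signature check.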
The pitfall that catches most teams
Compliance teams treating the AI Act as the only EU law that applies. The CRA deadline (Dec 2027) lands before most AI Act high-risk obligations — and covers every AI app, not just high-risk ones.
The deadlines
2026-09-11
Reporting obligations start: actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.
2027-12-11
Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.
Where does your product actually stand?
The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.