Does the EU Cyber Resilience Act apply to Android apps?
Yes. An Android app distributed to EU users via Google Play, F-Droid, sideloading or your own APK downloads is a product with digital elements. Commercial activity is interpreted broadly: ads, in-app purchases, data monetisation or bundling with a paid service all count.
What this means for you specifically
- Gradle dependencies, bundled native libraries (.so) and embedded SDKs (analytics, ads, crash reporting) belong in your SBOM — ad SDKs are precisely where auditors expect vulnerabilities to hide.
- If you ship outside Google Play (APK on your site), you also carry the distribution security duties: signed updates, integrity of the download channel.
- Google Play's own policies (target API level, data safety form) are separate from the CRA and do not satisfy its essential requirements.
- Default class: you can self-assess and self-issue the CE marking + Declaration of Conformity.
The pitfall that catches most teams
Forgetting embedded third-party SDKs in the SBOM. An outdated ad SDK with a known CVE is exactly what Annex I Part II obliges you to detect and fix 'without delay'.
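The SBOM bullet above and this pitfall both come down to the same inventory step: every Gradle artifact and every native library that actually ships in the APK must appear as a component, and the list has to be checked against advisories. The script below is an added example, not code from this page or from CRAdar. It assumes the text output of `./gradlew :app:dependencies --configuration releaseRuntimeClasspath`, reads the APK as an ordinary zip, and uses a constructed placeholder advisory table (a real pipeline would query a feed such as OSV by purl instead). The `com.example.ads` artifacts, the in-memory APK and the advisory entry are all constructed sample data.

```python
"""Inventory an Android build into a CycloneDX-style SBOM and flag shipped
components that sit below an advisory's fixed version. Added example;
inputs and the advisory table are constructed placeholders."""
import hashlib
import io
import json
import re
import zipfile

# Gradle tree lines look like "+--- group:artifact:version" or "|    \--- ...".
GRADLE_DEP_RE = re.compile(r"^[\s|+\\-]*([\w.\-]+):([\w.\-]+):([\w.\-]+)")


def parse_gradle_dependencies(text):
    """Return {(group, artifact): resolved_version} from Gradle's dependency tree.
    'a -> b' means Gradle resolved a higher version; b is what actually ships.
    Lines ending in '(c)' are version constraints, not shipped artifacts."""
    resolved = {}
    for line in text.splitlines():
        m = GRADLE_DEP_RE.match(line)
        if not m or line.rstrip().endswith("(c)"):
            continue
        group, artifact, version = m.groups()
        if "->" in line:
            version = line.split("->", 1)[1].split()[0]
        resolved.setdefault((group, artifact), version)
    return resolved


def native_libs_from_apk(apk_bytes):
    """List bundled native libraries (lib/<abi>/<name>.so) with a SHA-256 of each."""
    libs = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            parts = name.split("/")
            if len(parts) == 3 and parts[0] == "lib" and parts[2].endswith(".so"):
                digest = hashlib.sha256(z.read(name)).hexdigest()
                libs.append({"abi": parts[1], "name": parts[2], "sha256": digest})
    return sorted(libs, key=lambda lib: (lib["name"], lib["abi"]))


def build_sbom(app_name, app_version, gradle_text, apk_bytes):
    """Combine Gradle artifacts and native libs into a minimal CycloneDX document."""
    components = []
    for (group, artifact), version in sorted(parse_gradle_dependencies(gradle_text).items()):
        components.append({
            "type": "library", "group": group, "name": artifact, "version": version,
            "purl": f"pkg:maven/{group}/{artifact}@{version}",
        })
    for lib in native_libs_from_apk(apk_bytes):
        components.append({
            "type": "library", "name": lib["name"],
            "hashes": [{"alg": "SHA-256", "content": lib["sha256"]}],
            "properties": [{"name": "android:abi", "value": lib["abi"]}],  # custom property name
        })
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "metadata": {"component": {"type": "application", "name": app_name, "version": app_version}},
        "components": components,
    }


# Constructed placeholder table: purl without version -> (first fixed version, advisory id).
CONSTRUCTED_ADVISORIES = {
    "pkg:maven/com.example.ads/ads-sdk": ("1.5.0", "ADVISORY-PLACEHOLDER-1"),
}


def version_key(version):
    """Numeric dotted ordering; enough for the demo, not full Maven version semantics."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def flag_outdated(sbom, advisories=CONSTRUCTED_ADVISORIES):
    """Return (purl, advisory_id, fixed_version) for components below a fixed version."""
    flagged = []
    for comp in sbom["components"]:
        purl = comp.get("purl")
        if not purl:
            continue
        base, _, version = purl.partition("@")
        if base in advisories:
            fixed, adv_id = advisories[base]
            if version_key(version) < version_key(fixed):
                flagged.append((purl, adv_id, fixed))
    return flagged


# Constructed Gradle output: one transitive dep, one version bump, one repeat marker.
GRADLE_OUTPUT = """\
releaseRuntimeClasspath - Runtime classpath of compilation 'release'.
+--- androidx.core:core-ktx:1.12.0
|    \\--- androidx.core:core:1.12.0
+--- com.example.ads:ads-sdk:1.2.3 -> 1.4.0
|    \\--- com.example.ads:ads-core:1.4.0 (*)
\\--- com.squareup.okhttp3:okhttp:4.12.0
"""


def build_constructed_apk():
    """Build a tiny stand-in APK (a zip) in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\0")
        z.writestr("lib/arm64-v8a/libads_native.so", b"\x7fELF-arm64-placeholder")
        z.writestr("lib/armeabi-v7a/libads_native.so", b"\x7fELF-arm32-placeholder")
        z.writestr("assets/config.json", b"{}")
    return buf.getvalue()


if __name__ == "__main__":
    sbom = build_sbom("demo-app", "1.0.0", GRADLE_OUTPUT, build_constructed_apk())
    print(json.dumps(sbom, indent=2))
    for purl, adv, fixed in flag_outdated(sbom):
        print(f"UPDATE {purl}: {adv}, fixed in {fixed}")
```

Two design points matter for the CRA angle: the resolved version (`1.2.3 -> 1.4.0`) is the one recorded, because that is what ships, and native libraries are identified by content hash rather than only by file name, since a vendor `.so` carries no version string the zip can tell you. Running this on every release build and diffing the flagged list is the "detect without delay" half of the obligation; the fix half is the dependency bump.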
The deadlines
2026-09-11
Reporting obligations start: actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.
2027-12-11
Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.
Where does your product actually stand?
The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.
Or get CRAdar to handle it continuously.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.