Do API-only products fall under the CRA?
A pure hosted API (REST/GraphQL endpoints, usage-billed) is a service: it falls under NIS2, not the CRA. The CRA enters through your client artifacts. The official SDKs, CLI tools, agents and connectors you publish are installable products with digital elements, and commercial SDKs are in scope on their own.
What this means for you specifically
- Official SDKs distributed as part of your commercial offering: in scope, with SBOM, advisories and CVD policy, even if the SDK itself is free and open source, because it is supplied in the course of your commercial activity (the strongest reading; some argue genuine OSS SDKs stay exempt; take a position and document it).
- Webhooks/receivers customers self-host (your 'connector' containers) are products.
- If your API is the remote data processing solution for a customer's device (IoT backends), you're pulled into their CRA assessment contractually.
- Even out-of-scope APIs face NIS2 duties if you serve essential/important-entity customers.
The pitfall that catches most teams
The 'thin official SDK' that pulls in 200 transitive dependencies. Customers' compliance scanners will flag those dependencies against your name, whether or not the SDK is in scope.
The deadlines
2026-09-11: Reporting obligations start. Actively exploited vulnerabilities and severe incidents must be reported via the ENISA Single Reporting Platform (early warning within 24 hours, notification within 72 hours).
2027-12-11: Full application. Essential requirements, technical documentation, an EU Declaration of Conformity and CE marking are required to sell in the EU.
Where does your product actually stand?
The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.