Does the CRA apply to browser extensions?
A commercially distributed browser extension (paid, freemium, or free-as-funnel for a paid product) is downloadable software and in scope. Extensions sit in an especially sensitive position — inside the user's browser with access to page content — so expect scrutiny disproportionate to their size.
What this means for you specifically
- Extension-store review (Chrome Web Store, AMO) is not a conformity assessment; obligations remain yours.
- Broad host permissions and remote-code patterns (loading scripts from your server) clash with both store policies and the CRA's secure-by-default requirement — design them out.
- Your npm build chain is the SBOM surface; supply-chain attacks on extension developers are a documented, recurring incident class.
- If the extension is a client for your SaaS, the extension itself is the in-scope 'product' even though the SaaS is NIS2 territory.
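As an added example (not CRAdar's code), a small CI check in JavaScript over a Manifest V3 manifest.json that flags the two patterns listed above: broad host permissions and remote-code loading through the extension_pages CSP. Both manifests and the example.com hosts are constructed for illustration.

```javascript
// Match patterns that grant access to every site; any of these is a finding.
const BROAD_HOST_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];
// Return human-readable findings for one parsed manifest object.
function findingsFor(manifest) {
  const findings = [];
  const hosts = [
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
  ];
  for (const h of hosts) {
    if (BROAD_HOST_PATTERNS.includes(h)) findings.push(`broad host permission: ${h}`);
  }
  // Content scripts carry their own match patterns, checked the same way.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (BROAD_HOST_PATTERNS.includes(m)) findings.push(`broad content_script match: ${m}`);
    }
  }
  // Remote-code pattern: a script-src in the extension_pages CSP that names an
  // http(s) origin or 'unsafe-eval'. Stores reject this; catch it in CI first.
  const csp = (manifest.content_security_policy || {}).extension_pages || "";
  const scriptSrc = csp.split(";").map((d) => d.trim()).find((d) => d.startsWith("script-src"));
  for (const src of scriptSrc ? scriptSrc.split(/\s+/).slice(1) : []) {
    if (/^https?:/.test(src) || src === "'unsafe-eval'") findings.push(`remote/eval script source: ${src}`);
  }
  return findings;
}
// Constructed sample: the shape the bullet above warns against.
const WEAK_MANIFEST = {
  manifest_version: 3,
  name: "constructed example",
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
  content_security_policy: {
    extension_pages: "script-src 'self' https://cdn.example.com; object-src 'self'",
  },
};
// Constructed sample: the same extension with the broad grants designed out.
const HARDENED_MANIFEST = {
  manifest_version: 3,
  name: "constructed example",
  host_permissions: ["https://api.example.com/*"],
  content_scripts: [{ matches: ["https://app.example.com/*"], js: ["content.js"] }],
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" },
};
console.log(findingsFor(WEAK_MANIFEST));     // 3 findings
console.log(findingsFor(HARDENED_MANIFEST)); // []
```

Run it against the real manifest.json in the build pipeline and fail the build on any finding, so a broad permission cannot reach the store review stage unnoticed.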
The pitfall that catches most teams
Silent auto-updates make fixes easy but also mean a compromised release propagates instantly — your incident-response plan (and Art. 14 readiness) must assume hours, not weeks.
The deadlines
2026-09-11
Reporting obligations start: actively exploited vulnerabilities and severe incidents must be reported via the ENISA Single Reporting Platform, with an early warning within 24 hours and a full notification within 72 hours.
2027-12-11
Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.
Where does your product actually stand?
The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.