CRA compliance for CLI and developer tools
Commercial CLI tools (paid binaries, freemium developer tools that gate features behind a license, or free CLIs that are the on-ramp to a paid cloud) are products with digital elements under the CRA. They are in scope as soon as they are made available on the EU market in the course of a commercial activity, whether or not the user pays for the CLI itself.
What this means for you specifically
- curl-pipe-bash install scripts are a compliance liability: the user executes whatever the server returned, with no signature or checksum to verify it against, so the delivery path provides no integrity protection. Serve signed release artifacts with a signed checksum manifest, or distribute through package managers that verify signatures and checksums for you.
- A CLI that talks to your cloud is itself the in-scope product, separate from the backend. Keep its privileges minimal (it should not need root to install or run, and its cloud credentials should carry only the scopes it actually uses) and secure its update path: self-update must verify a signature against a key compiled into the binary, or updates go through brew/apt with signed releases.
- Static binaries embed their whole dependency tree. Every Go module and Rust crate linked into the binary belongs in the SBOM even though users never see them, and the list is recoverable from the binary itself (go version -m for Go, cargo-auditable for Rust), so an auditor can check your SBOM against what actually shipped.
- Telemetry defaults matter: secure by default includes not sending more than the product needs to function. Collect the minimum, disclose what is sent, and document the choice in the technical documentation.
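As an added example for the SBOM point above (this is not code from this page or from CRAdar), assuming a Go CLI: a small tool that reads the module list the Go linker embeds in every binary (the same data `go version -m` prints) and turns it into SBOM components. The `Component` type and the purl layout are this example's own choices; replaced modules are reported as the replacement, since that is the code that shipped, and modules without a go.sum hash (local replace directives, vendored copies) are flagged as unverifiable.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"sort"
)

// Component is the minimum an SBOM entry needs for a Go module: a package
// URL of type golang and the go.sum hash (h1:...) that lets a consumer
// cross-check the module against the Go checksum database.
type Component struct {
	Purl string
	Sum  string
	// Local is set when the module carries no checksum, i.e. it came from a
	// local replace directive or a vendored copy and cannot be verified.
	Local bool
}

// ComponentsFromBuildInfo lists every module the Go linker pulled into the
// binary. A replaced module is reported as its replacement, because that is
// the code that actually shipped; the original path in go.mod is not.
func ComponentsFromBuildInfo(bi *debug.BuildInfo) []Component {
	out := make([]Component, 0, len(bi.Deps))
	for _, m := range bi.Deps {
		eff := m
		if m.Replace != nil {
			eff = m.Replace
		}
		out = append(out, Component{
			Purl:  fmt.Sprintf("pkg:golang/%s@%s", eff.Path, eff.Version),
			Sum:   eff.Sum,
			Local: eff.Sum == "",
		})
	}
	// Deterministic order so two SBOM runs over the same binary diff cleanly.
	sort.Slice(out, func(i, j int) bool { return out[i].Purl < out[j].Purl })
	return out
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: gosbom <go-binary>")
		os.Exit(2)
	}
	// buildinfo.ReadFile parses the build info section of any Go 1.18+ binary
	// without executing it, so it is safe to run on an untrusted artifact.
	bi, err := buildinfo.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "no Go build info:", err)
		os.Exit(1)
	}
	fmt.Printf("main: %s %s (%s)\n", bi.Main.Path, bi.Main.Version, bi.GoVersion)
	for _, c := range ComponentsFromBuildInfo(bi) {
		note := ""
		if c.Local {
			note = "  [no checksum: local replace or vendored, verify by hand]"
		}
		fmt.Printf("%s %s%s\n", c.Purl, c.Sum, note)
	}
}
```

The embedded list contains only modules that provided packages to the build, which is exactly the set an SBOM for that binary should carry; modules in go.mod that nothing imported do not appear, and should not.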
The pitfall that catches most teams
The install script nobody has looked at since 2024. It runs with whatever privileges the user invoked it with (root, if they typed sudo), fetches executables over the network, and is part of the product's attack surface, so it needs the same review, signing and update discipline as the binary it installs.
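As an added example (not code from this page or from CRAdar) of the signed-artifact delivery and signature-checked self-update called for above, assuming a Go CLI: the publisher side hashes every release artifact into a sha256sum-style manifest and signs the manifest once with Ed25519; the installer or self-updater verifies the manifest signature against a public key compiled into the binary before it trusts any hash in it, then checks the downloaded artifact against the manifest. The key pair is generated at runtime here only so the example runs offline; in a real release the private key lives in CI and only the public key ships. The `Release` type and error names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Release is what the installer or self-updater downloads: a checksum
// manifest in sha256sum format ("<hex>  <file>\n"), an Ed25519 signature
// over the manifest bytes, and the artifacts themselves.
type Release struct {
	Manifest  []byte
	Signature []byte
	Artifacts map[string][]byte
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the release key")
	ErrNotListed    = errors.New("artifact is not listed in the signed manifest")
	ErrDigest       = errors.New("artifact digest does not match the signed manifest")
)

// GenerateReleaseKey makes a fresh signing key pair. Demo convenience only:
// a real publisher generates this once, keeps the private half in CI, and
// compiles the public half into the CLI.
func GenerateReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildRelease is the publisher side: hash every artifact, write the manifest
// in a deterministic order, sign the manifest once.
func BuildRelease(priv ed25519.PrivateKey, artifacts map[string][]byte) Release {
	names := make([]string, 0, len(artifacts))
	for n := range artifacts {
		names = append(names, n)
	}
	sort.Strings(names)
	var buf bytes.Buffer
	for _, n := range names {
		sum := sha256.Sum256(artifacts[n])
		fmt.Fprintf(&buf, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return Release{Manifest: buf.Bytes(), Signature: ed25519.Sign(priv, buf.Bytes()), Artifacts: artifacts}
}

// parseManifest turns manifest lines into file -> expected hex digest.
func parseManifest(m []byte) (map[string]string, error) {
	out := make(map[string]string)
	for _, line := range strings.Split(strings.TrimSpace(string(m)), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 || len(f[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("malformed manifest line %q", line)
		}
		out[f[1]] = strings.ToLower(f[0])
	}
	return out, nil
}

// VerifyArtifact is the client side. Signature first, then digest: a hash
// taken from an unsigned manifest proves nothing, because whoever swapped
// the binary on the mirror could rewrite the manifest just as easily.
func VerifyArtifact(pub ed25519.PublicKey, rel Release, name string) ([]byte, error) {
	// ed25519.Verify panics on a malformed key, so check the length first.
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, rel.Manifest, rel.Signature) {
		return nil, ErrBadSignature
	}
	digests, err := parseManifest(rel.Manifest)
	if err != nil {
		return nil, err
	}
	want, ok := digests[name]
	if !ok {
		return nil, ErrNotListed
	}
	blob, ok := rel.Artifacts[name]
	if !ok {
		return nil, fmt.Errorf("artifact %q missing from download", name)
	}
	sum := sha256.Sum256(blob)
	if hex.EncodeToString(sum[:]) != want {
		return nil, ErrDigest
	}
	return blob, nil
}

func main() {
	pub, priv, _ := GenerateReleaseKey()
	// Constructed stand-ins for release binaries.
	rel := BuildRelease(priv, map[string][]byte{"mycli_linux_amd64": []byte("binary-v1")})
	if _, err := VerifyArtifact(pub, rel, "mycli_linux_amd64"); err != nil {
		fmt.Println("verification failed:", err)
		return
	}
	fmt.Print("verified OK\n", string(rel.Manifest))
}
```

The manifest format is deliberately the one `sha256sum -c` reads, so the same file serves a shell installer and the Go self-updater; only the signature check is new, and it is the part a curl-pipe-bash script never does.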
The deadlines
2026-09-11
Reporting obligations start: an actively exploited vulnerability or a severe incident must be reported via the ENISA Single Reporting Platform, with an early warning within 24 hours and a full notification within 72 hours.
2027-12-11
Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking are required to place the product on the EU market.
Where does your product actually stand?
The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.