CRA compliance for desktop applications (Windows, macOS, Linux)
Downloadable desktop software sold or commercially distributed to EU users is squarely in scope — it is the textbook 'software product with digital elements'. This covers traditional installers, Microsoft Store / Mac App Store distribution, and license-key software alike.
What this means for you specifically
- You need a secure update mechanism: Annex I requires security updates to be distributed without delay and free of charge, separately from feature updates where feasible.
- Code-signing your installers and updates becomes effectively mandatory — unsigned update channels fail the 'integrity protection' essential requirement.
- Perpetual-license software still carries a support period: you must handle vulnerabilities for the declared period (5 years is the default expectation) even if the customer never pays again.
- Bundled runtimes (Electron, JRE, .NET) are components: their CVEs are your CVEs. Put them in the SBOM and track them.
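One way to enforce the bundled-runtime point above as a release gate, shown as an added example (not from the original page or any vendor tool): compare the files an installer ships against a CycloneDX-style SBOM. The marker filenames, alias names, sample file list and sample SBOM are assumptions constructed for illustration.

```python
from pathlib import PurePosixPath

# Heuristic marker files per runtime (assumption of this example; extend per build).
RUNTIME_MARKERS = {
    "electron": {"app.asar", "chrome_100_percent.pak"},
    "jre": {"jvm.dll", "libjvm.so", "libjvm.dylib"},
    "dotnet": {"coreclr.dll", "libcoreclr.so", "libcoreclr.dylib"},
}
# SBOM component names accepted as covering each runtime (assumption).
SBOM_ALIASES = {
    "electron": {"electron"},
    "jre": {"openjdk", "jre", "temurin"},
    "dotnet": {"microsoft.netcore.app", "dotnet-runtime"},
}

def detect_runtimes(file_list):
    """Return the runtimes whose marker files appear in the shipped file list."""
    names = {PurePosixPath(p.replace("\\", "/")).name.lower() for p in file_list}
    return {rt for rt, markers in RUNTIME_MARKERS.items() if names & markers}

def walk_components(components):
    """Yield every component, including nested ones (CycloneDX allows nesting)."""
    for comp in components or []:
        yield comp
        yield from walk_components(comp.get("components"))

def sbom_gaps(sbom, file_list):
    """List runtimes that ship in the installer but are absent or unversioned in the SBOM."""
    listed = {c.get("name", "").lower(): c for c in walk_components(sbom.get("components"))}
    gaps = []
    for rt in sorted(detect_runtimes(file_list)):
        hits = [listed[a] for a in SBOM_ALIASES[rt] if a in listed]
        if not hits:
            gaps.append(f"{rt}: shipped but missing from SBOM")
        elif not any(h.get("version") for h in hits):
            gaps.append(f"{rt}: listed without a version")
    return gaps

# Constructed sample: an Electron app that also bundles a JRE the SBOM forgot.
SAMPLE_FILES = ["MyApp\\MyApp.exe", "MyApp\\resources\\app.asar",
                "MyApp\\jre\\bin\\server\\jvm.dll"]
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "components": [
    {"type": "application", "name": "myapp", "version": "0.0.0-example",
     "components": [{"type": "framework", "name": "electron",
                     "version": "0.0.0-example"}]}]}

if __name__ == "__main__":
    for gap in sbom_gaps(SAMPLE_SBOM, SAMPLE_FILES):
        print("SBOM gap:", gap)
```

A non-empty result is a reason to fail the release build, since a runtime without a name and version in the SBOM cannot be matched against CVE feeds.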
The pitfall that catches most teams
Treating v1-forever license models as exempt. The CRA attaches obligations to placing the product on the market, not to your revenue model.
The deadlines
2026-09-11
Reporting obligations start: actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.
2027-12-11
Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.
Where does your product actually stand?
The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.