CRA compliance for distributed Docker images
If customers pull and run your image (self-hosted products, on-prem agents, appliances on Docker Hub/GHCR), you are supplying software — the image is the product artifact. A container image is also the most SBOM-hostile artifact there is: your 50k lines of Go sit on top of hundreds of OS packages you never chose consciously.
What this means for you specifically
- Every layer counts: base-image OS packages (Debian/Alpine), language runtime, and your application tree are all components. syft scans images natively — generate the SBOM from the exact tag you publish, once per release.
- Base-image CVE noise is the real workload: distroless or minimal bases (alpine, chainguard-style) cut the triage surface by an order of magnitude and are a defensible attack-surface-minimisation argument in the tech file.
- Signing and provenance (cosign, SLSA attestations) map to the integrity requirements — an unsigned :latest tag as your delivery channel is the container equivalent of an unsigned installer.
- Declare the support policy per tag: customers pin digests and stay there for years; say which tags receive security rebuilds and for how long, and rebuild on base-image CVEs, not just on your own releases.
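The four bullets above, turned into one release script for a single published tag. This is an added example, not code from the page or from CRAdar. It assumes a Dockerfile that starts with `ARG BASE_REF` / `FROM ${BASE_REF}`, a support-policy text file with one line per tag ("<tag> <last date security rebuilds are provided>"), the environment variables IMAGE, VERSION and BASE_REF, and that docker buildx, jq, syft, grype and cosign are installed; the registry path `ghcr.io/example/agent` is a placeholder.

```shell
#!/bin/sh
# Added example (not the page's or CRAdar's code). Assumed conventions: the Dockerfile
# begins with `ARG BASE_REF` / `FROM ${BASE_REF}`; the support policy is a text file
# with one line per tag: "<tag> <last date security rebuilds are provided>".
set -eu

# Bullets 3 and 4: only digest-pinned references are accepted as a base image or as
# the reference we sign. Succeeds when REF ends in @sha256:<64 hex chars>.
is_digest_pinned() {
  printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Bullet 4: is TAG still inside its rebuild window on date TODAY? ISO dates compare
# lexicographically, so awk's string comparison is enough.
tag_supported() {
  awk -v t="$1" -v d="$2" '$1 == t && d <= $2 { found = 1 } END { exit !found }' "$3"
}

# Bullet 4: a base-image CVE means every tag still in its window gets a security
# rebuild, whether or not the application code changed. Prints those tags.
tags_to_rebuild() {
  awk -v d="$1" 'd <= $2 { print $1 }' "$2"
}

# Constructed sample policy file for trying the helpers locally.
write_sample_policy() {
  cat > "$1" <<'EOF'
2.4 2028-12-31
2.3 2027-06-30
2.2 2026-01-31
EOF
}

# Bullets 1 to 3: build, SBOM, gate, sign and attest one version.
release() {
  image="$1"      # e.g. ghcr.io/example/agent (placeholder registry path)
  version="$2"    # e.g. 2.4.1
  base_ref="$3"   # digest-pinned base image reference
  is_digest_pinned "$base_ref" || {
    echo "refusing to build: base image is not digest-pinned" >&2
    return 1
  }

  # Build and push; --metadata-file records the digest of the pushed manifest.
  docker buildx build --push \
    --build-arg "BASE_REF=$base_ref" \
    --tag "$image:$version" \
    --metadata-file build-meta.json .
  digest=$(jq -r '."containerimage.digest"' build-meta.json)
  ref="$image@$digest"
  sbom="sbom-$version.cdx.json"

  # Bullet 1: SBOM of the exact artifact customers will pull, every layer included.
  syft scan "$ref" -o "cyclonedx-json=$sbom"

  # Bullet 2: triage from the SBOM and block the release on critical findings.
  grype "sbom:$sbom" --fail-on critical

  # Bullet 3: sign by digest and attach the SBOM as an attestation (keyless flow,
  # which needs an OIDC identity in CI).
  cosign sign --yes "$ref"
  cosign attest --yes --type cyclonedx --predicate "$sbom" "$ref"
  echo "$ref"
}

# Usage: RUN_RELEASE=1 IMAGE=ghcr.io/example/agent VERSION=2.4.1 \
#        BASE_REF='docker.io/library/alpine:3.20@sha256:<digest>' sh release.sh
if [ "${RUN_RELEASE:-0}" = "1" ]; then
  release "$IMAGE" "$VERSION" "$BASE_REF"
fi
```

Signing and attesting by digest rather than by tag is the point of the `ref="$image@$digest"` line: the tag can move, the digest cannot, and a customer who pins the digest can verify exactly what was signed years later. The `tags_to_rebuild` helper is what turns "rebuild on base-image CVEs" from a sentence in the support policy into a list your pipeline can act on.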
The pitfall that catches most teams
"We just package upstream" — the moment you push the image under your name for customers to pull, the whole stack inside it is your Annex I responsibility, glibc included.
The deadlines
2026-09-11: Reporting obligations start: actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.
2027-12-11: Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.
Where does your product actually stand?
The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.