CRAdarCheck

CRA compliance for distributed Docker images

In scope · Default class

If customers pull and run your image (self-hosted products, on-prem agents, appliances on Docker Hub/GHCR), you are supplying software — the image is the product artifact. A container image is also the most SBOM-hostile artifact there is: your 50k lines of Go sit on top of hundreds of OS packages you never chose consciously.

What this means for you specifically

The pitfall that catches most teams

"We just package upstream" — the moment you push the image under your name for customers to pull, the whole stack inside it is your Annex I responsibility, glibc included.

The deadlines

2026-09-11

Reporting obligations start: actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.

2027-12-11

Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.

Where does your product actually stand?

The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.


Educational guidance on Regulation (EU) 2024/2847 — not legal advice.