CRA compliance for Electron apps
Electron apps are desktop software and fully in scope when commercially distributed to EU users. They deserve their own page because the Electron model concentrates CRA risk: you ship an entire Chromium + Node.js runtime, and every Chromium CVE becomes your CVE.
What this means for you specifically
- Chromium ships security fixes roughly every two weeks. Staying on an EOL Electron major version is close to indefensible under Annex I Part II ('address vulnerabilities without delay') once a known exploited CVE lands.
- Your SBOM has three layers: npm dependencies, the Electron runtime itself, and native modules. Auditors will look for all three.
- electron-updater / Squirrel with signed releases satisfies the secure-update requirement; hand-rolled unsigned updaters do not.
- Renderer-process hardening (contextIsolation, sandbox, disabled nodeIntegration) maps directly to the 'attack surface minimisation' essential requirement. Document these choices in your tech file.
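The renderer hardening in the last bullet is a handful of `webPreferences` keys on `BrowserWindow`, so it is easy to check mechanically and to export into the tech file. The block below is an added example, not code from this page or from the Electron project: it places the hardened `webPreferences` object next to a legacy one that switches the protections off, and adds a small audit function (`auditWebPreferences`, a hypothetical name) that reports keys set to an unsafe value and keys left unset, since an unset key silently relies on the Electron default, which changed across major versions. It needs no Electron import, so it can run in CI against the same object you pass to `new BrowserWindow({ webPreferences })`.

```javascript
// Added example: hardened vs. legacy Electron renderer settings, plus an
// audit function that turns the difference into a list for the tech file.
// Plain Node, no Electron dependency; the key names are Electron's real
// BrowserWindow webPreferences options.

// Settings a hardened renderer should carry. Each is also the Electron
// default in current majors, but writing them out makes the decision
// explicit and reviewable rather than inherited from whichever version
// happens to be pinned.
const HARDENED_WEB_PREFERENCES = Object.freeze({
  contextIsolation: true,             // preload and page get separate JS worlds
  sandbox: true,                      // renderer runs inside the Chromium OS sandbox
  nodeIntegration: false,             // web content cannot require() Node modules
  nodeIntegrationInWorker: false,     // same for Web Workers
  webSecurity: true,                  // same-origin policy stays on
  allowRunningInsecureContent: false, // no http:// scripts on https:// pages
});

// Constructed "it worked in 2018" configuration: Node APIs reachable
// directly from page scripts, no sandbox, no isolation.
const LEGACY_WEB_PREFERENCES = Object.freeze({
  contextIsolation: false,
  sandbox: false,
  nodeIntegration: true,
  webSecurity: false,
});

// key, required value, and the risk when it is wrong (wording is ours).
const CHECKS = [
  ['contextIsolation', true,
    'page scripts share a JS context with the preload bridge'],
  ['sandbox', false === false ? true : true,
    'a renderer compromise is not contained by the OS sandbox'],
  ['nodeIntegration', false,
    'any XSS in web content becomes native code execution via Node'],
  ['nodeIntegrationInWorker', false,
    'Web Workers can reach Node APIs'],
  ['webSecurity', true,
    'same-origin policy is disabled for loaded content'],
  ['allowRunningInsecureContent', false,
    'https pages may load scripts over plain http'],
];

// Returns one finding per key that is explicitly unsafe ('fail') or
// absent ('unset'). An empty array means every key is pinned to the
// hardened value. Hypothetical helper, not an Electron API.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  for (const [key, expected, why] of CHECKS) {
    if (!(key in prefs)) {
      findings.push({ key, expected, actual: undefined, severity: 'unset',
        why: `relies on the Electron default; ${why} if that default is off` });
    } else if (prefs[key] !== expected) {
      findings.push({ key, expected, actual: prefs[key], severity: 'fail', why });
    }
  }
  return findings;
}

// Renders findings as plain text suitable for pasting into the
// technical documentation next to the dated decision record.
function formatReport(findings) {
  if (findings.length === 0) {
    return 'renderer webPreferences: all hardening keys explicitly set';
  }
  return findings
    .map(f => `[${f.severity.toUpperCase()}] ${f.key}=${String(f.actual)} ` +
              `(expected ${f.expected}): ${f.why}`)
    .join('\n');
}

// Usage in the main process would be:
//   new BrowserWindow({ webPreferences: HARDENED_WEB_PREFERENCES })
// and in CI:
console.log(formatReport(auditWebPreferences(LEGACY_WEB_PREFERENCES)));
console.log(formatReport(auditWebPreferences(HARDENED_WEB_PREFERENCES)));
```

The 'unset' severity is deliberate: a config that omits `sandbox` is secure on Electron 20 and later but was not before, so an auditor reading the tech file cannot tell which you meant unless the key is written down.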
The pitfall that catches most teams
Pinning an old Electron version for stability and letting it age out of Chromium security support. Under the CRA that is a documented, dated decision to ship known vulnerabilities.
The deadlines
- 2026-09-11: Reporting obligations start. Actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.
- 2027-12-11: Full application. Essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.