Do Figma plugins fall under the CRA?
It depends on where the code runs — and Figma plugins are the textbook edge case. The plugin UI and logic run sandboxed inside Figma's environment (leaning 'part of Figma's service'), but paid plugins distributed for users to install, with their own backend and update lifecycle, look like supplied software. The safe posture for a commercial plugin business: treat it as in scope.
What this means for you specifically
- The plugin sandbox limits your attack surface dramatically — no filesystem, no arbitrary network without declared domains. Document the sandbox as your attack-surface argument if you self-assess.
- Your real risk usually lives in the backend your plugin calls (that's NIS2 territory) and in your build-time npm tree (that's yours either way).
- Paid distribution through Figma Community with Figma handling payments strengthens the 'commercial product' reading.
- The cheap move: SBOM + security.txt + CVD policy cost you an afternoon and close the question regardless of which legal reading prevails.
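One concrete way to turn the sandbox into a documented attack-surface argument is to read the declared network access straight out of the plugin manifest; the declared origins are also exactly the backends the second bullet points at. The script below is an added example, not code from this page or from Figma; the `networkAccess.allowedDomains` and `reasoning` keys follow Figma's plugin manifest format, and the sample manifest is constructed for illustration.

```python
import json

# Constructed sample manifest (not from any real plugin). Per Figma's manifest format,
# allowedDomains is ["none"], ["*"], or a list of origins the plugin may contact.
SAMPLE_MANIFEST = json.dumps({
    "name": "Example Plugin",
    "id": "0000000000000000000",
    "api": "1.0.0",
    "main": "code.js",
    "ui": "ui.html",
    "networkAccess": {
        "allowedDomains": [
            "https://api.example-plugin.test",
            "http://legacy.example-plugin.test",
        ],
        "reasoning": "Sync designs with our backend",
    },
})


def summarize_network_access(manifest_json: str) -> dict:
    """Summarise a plugin manifest's declared network access for a self-assessment.

    Returns whether access is declared, whether it is a wildcard, the backend
    origins the plugin can reach, and findings that weaken the sandbox argument.
    """
    manifest = json.loads(manifest_json)
    access = manifest.get("networkAccess")
    if access is None:
        # Nothing declared: no narrowed-surface claim can be made from the manifest.
        return {"declared": False, "wildcard": False, "backends": [],
                "findings": ["networkAccess not declared in manifest"]}
    domains = access.get("allowedDomains", [])
    if domains == ["none"]:
        # No network at all: the strongest possible attack-surface statement.
        return {"declared": True, "wildcard": False, "backends": [], "findings": []}
    findings = []
    wildcard = "*" in domains
    if wildcard:
        findings.append("wildcard network access: sandbox offers no network-surface argument")
    backends = [d for d in domains if d != "*"]
    for origin in backends:
        if origin.startswith("http://"):
            findings.append(f"plaintext origin declared: {origin}")
    if not access.get("reasoning"):
        findings.append("no reasoning given for network access")
    return {"declared": True, "wildcard": wildcard, "backends": backends, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(summarize_network_access(SAMPLE_MANIFEST), indent=2))
```

Each entry in `backends` is a service you run yourself, so it belongs in the backend (NIS2-side) part of your documentation rather than in the plugin's sandbox argument.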
The pitfall that catches most teams
Building the same plugin for Figma AND as a desktop companion app or browser extension. The companion is unambiguously in scope — one codebase, two regulatory postures.
The deadlines
2026-09-11
Reporting obligations start: actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.
2027-12-11
Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.
Where does your product actually stand?
The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.