CRA compliance for Flutter apps
A Flutter app commercially distributed to EU users is in scope on every platform it ships to — iOS, Android, desktop and web builds each count as making the product available. The Flutter twist: your supply chain spans two worlds, pub.dev packages and the platform-native dependencies they wrap.
What this means for you specifically
- Your SBOM needs both layers: Dart packages from pubspec.lock AND the native libraries plugins embed (Gradle/CocoaPods dependencies pulled in by federated plugins).
- The Flutter engine itself (Skia, Dart runtime) is a component you redistribute: track engine versions per release; engine CVEs propagate to every app on that version.
- Abandoned pub.dev plugins are the ecosystem's known weak spot: a plugin wrapping an outdated native SDK imports its CVEs into your product.
- Web builds are the edge case: pure Flutter Web served from your domain leans toward 'service' (NIS2), but the same codebase shipped through app stores is a product.
The pitfall that catches most teams
Scanning only pubspec.lock. The exploitable surface usually lives in the wrapped native SDKs — the part pub.dev metadata doesn't show you.
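The two-layer inventory described above, as an added example that is not part of the original page: it reads a pubspec.lock and the iOS Podfile.lock and emits one component list as package URLs. The sample lockfiles are constructed, the function names are hypothetical, and treating a pod that shares a Dart package's name as the plugin wrapper is an assumption; Gradle dependencies on Android need the same treatment and are not covered.

```python
import re
# Constructed, trimmed sample lockfiles (illustrative names and versions only).
PUBSPEC_LOCK = '''packages:
  firebase_core:
    source: hosted
    version: "2.24.2"
  path:
    source: hosted
    version: "1.8.3"
sdks:
  dart: ">=3.2.0 <4.0.0"
'''
PODFILE_LOCK = '''PODS:
  - Firebase/CoreOnly (10.18.0):
    - FirebaseCore (= 10.18.0)
  - firebase_core (2.24.2):
    - Firebase/CoreOnly (= 10.18.0)
  - FirebaseCore (10.18.0)
  - Flutter (1.0.0)

DEPENDENCIES:
  - Flutter (from `Flutter`)
'''

def dart_packages(lock):
    """Return {name: version} for the entries under 'packages:' in pubspec.lock."""
    found, name, in_packages = {}, None, False
    for line in lock.splitlines():
        if line and not line[0].isspace():  # a top-level key starts a new section
            in_packages = line.startswith("packages:")
        elif in_packages and (m := re.fullmatch(r"  (\w+):", line)):
            name = m.group(1)
        elif in_packages and name and (m := re.fullmatch(r'    version: "(.+)"', line)):
            found[name] = m.group(1)
    return found

def native_pods(lock):
    """Return {root pod: version} from the resolved PODS section of Podfile.lock."""
    section = lock.split("PODS:", 1)[1].split("\n\n", 1)[0]
    entries = re.findall(r"^  - (\S+) \(([^)]+)\):?$", section, re.M)
    return {name.split("/")[0]: version for name, version in entries}  # fold subspecs

def inventory(pubspec_lock, podfile_lock):
    """Merge both layers; plugin wrapper pods and the Flutter stub pod are skipped."""
    dart = dart_packages(pubspec_lock)
    pods = {n: v for n, v in native_pods(podfile_lock).items() if n not in dart and n != "Flutter"}
    return sorted([f"pkg:pub/{n}@{v}" for n, v in dart.items()] + [f"pkg:cocoapods/{n}@{v}" for n, v in pods.items()])

print("\n".join(inventory(PUBSPEC_LOCK, PODFILE_LOCK)))
```

In this sample the two `pkg:cocoapods` entries are the native SDK components that a pubspec.lock-only scan would never list.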
The deadlines
2026-09-11
Reporting obligations start: actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.
2027-12-11
Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.