CRAdarCheck

Is my product in scope? / iOS app

Does the EU Cyber Resilience Act apply to iOS apps?

In scopeDefault class

Yes. Mobile apps are explicitly named by the European Commission as products with digital elements. If your iOS app is available to EU users on the App Store in the course of a commercial activity — paid, freemium, ad-funded or as a companion to a paid service — you are a 'manufacturer' under the CRA.

What this means for you specifically

The pitfall that catches most teams

Assuming 'Apple handles security' — the CE marking, technical file, Declaration of Conformity and ENISA reporting duties are yours alone.

The deadlines

2026-09-11

Reporting obligations start: actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.

2027-12-11

Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.

Where does your product actually stand?

The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.

Run the free Risk Check →No signup · instant result

Or get CRAdar to handle it continuously:

Other product types

Educational guidance on Regulation (EU) 2024/2847 — not legal advice.