Does the EU Cyber Resilience Act apply to iOS apps?
Yes. Mobile apps are explicitly named by the European Commission as products with digital elements. If your iOS app is available to EU users on the App Store in the course of a commercial activity — paid, freemium, ad-funded or as a companion to a paid service — you are a 'manufacturer' under the CRA.
What this means for you specifically
- Apple's App Store review does NOT cover you: CRA obligations sit with the app developer (manufacturer), not the distributor. Apple, as distributor, will increasingly demand compliance evidence from you instead.
- Your SBOM must cover your SwiftPM/CocoaPods dependencies and bundled frameworks — at least top-level dependencies, in CycloneDX or SPDX format.
- TestFlight betas for EU testers can already count as making the product available; treat compliance as starting at first EU distribution, not at 1.0.
- The 5-year support-period expectation applies per product, not per version. Define an EOL policy for old app versions and old iOS targets.
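
One way to produce the SwiftPM part of such an SBOM, as an added example that is not part of the original page: it reads a `Package.resolved` file (format version 2 or 3) and emits a minimal CycloneDX 1.5 JSON document. The sample file contents, package names and function names are constructed for illustration.

```python
import json

# Constructed sample of a SwiftPM Package.resolved (format version 2).
# Package names, URLs, versions and revisions are illustrative only.
SAMPLE_PACKAGE_RESOLVED = """
{
  "pins": [
    {"identity": "internal-kit", "kind": "remoteSourceControl",
     "location": "https://git.example.com/mobile/internal-kit",
     "state": {"branch": "main",
               "revision": "0000000000000000000000000000000000000002"}},
    {"identity": "alamofire", "kind": "remoteSourceControl",
     "location": "https://github.com/Alamofire/Alamofire.git",
     "state": {"revision": "0000000000000000000000000000000000000001",
               "version": "5.8.1"}}
  ],
  "version": 2
}
"""

def purl_for(location, version):
    """Build a pkg:swift package URL from the repository location."""
    path = location.split("://", 1)[-1].strip("/")
    if path.endswith(".git"):
        path = path[:-4]
    return f"pkg:swift/{path}@{version}"

def sbom_from_package_resolved(text):
    """Return a minimal CycloneDX 1.5 document (as a dict) for the pins."""
    doc = json.loads(text)
    if doc.get("version") not in (2, 3):
        raise ValueError("unsupported Package.resolved format version")
    components = []
    for pin in doc["pins"]:
        state = pin.get("state", {})
        # Branch-pinned packages carry no version tag: record the commit
        # so the SBOM still identifies exactly what was shipped.
        version = state.get("version") or state.get("revision")
        if not version:
            raise ValueError(f"pin {pin['identity']} has no version or revision")
        components.append({"type": "library", "name": pin["identity"],
                           "version": version,
                           "purl": purl_for(pin["location"], version)})
    components.sort(key=lambda c: c["name"])
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "version": 1, "components": components}

if __name__ == "__main__":
    print(json.dumps(sbom_from_package_resolved(SAMPLE_PACKAGE_RESOLVED), indent=2))
```

`Package.resolved` only lists SwiftPM packages; CocoaPods entries from `Podfile.lock` and vendored binary frameworks have to be added to the same document separately.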
The pitfall that catches most teams
Assuming 'Apple handles security' — the CE marking, technical file, Declaration of Conformity and ENISA reporting duties are yours alone.
The deadlines
2026-09-11
Reporting obligations start: actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.
2027-12-11
Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.
Where does your product actually stand?
The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.