Is my product in scope? / JetBrains plugin
CRA compliance for JetBrains IDE plugins
Paid JetBrains Marketplace plugins are unambiguous commercial products with digital elements — JetBrains even handles your EU sales, which makes the 'commercial activity' question trivially answered. The obligations, however, remain yours, not JetBrains'.
What this means for you specifically
- ▸Marketplace review is a distribution gate, not a conformity assessment; CE marking, tech file and reporting duties sit with the plugin vendor.
- ▸Your SBOM covers Gradle dependencies plus any bundled native binaries; the IntelliJ Platform SDK itself is a documented dependency whose version matters for vulnerability tracking.
- ▸Plugins run inside the IDE process with broad access to source code and credentials — expect sophisticated buyers (corporate dev teams) to demand your CVD policy and SBOM in procurement, CRA aside.
- ▸The Marketplace update channel satisfies secure-update distribution; your job is shipping fixes fast, and versioning advisories so users know why they're updating.
The pitfall that catches most teams
Freemium plugins assuming the free tier is 'non-commercial'. The free tier markets the paid one — that's commercial activity for the whole product.
The deadlines
2026-09-11
Reporting obligations start: actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.
2027-12-11
Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.
Where does your product actually stand?
The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.
Or get CRAdar to handle it continuously:
Other product types
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.