CRA compliance for macOS apps
Commercial macOS apps are in scope whether sold through the Mac App Store or distributed directly with Developer ID signing and notarization. Apple's notarization is an automated malware scan — useful, but nowhere near a CRA conformity assessment, and direct distribution puts the full update-channel responsibility on you.
What this means for you specifically
- Direct distribution (DMG + Sparkle updater) means YOU are the update channel: Sparkle with EdDSA signatures satisfies integrity requirements — an unsigned appcast does not, and is the classic macOS supply-chain hole.
- Hardened Runtime + sandbox entitlements map cleanly to attack-surface minimisation; ship the minimal entitlement set and document it in the tech file.
- SBOM: SwiftPM/CocoaPods dependencies plus any bundled helper tools and frameworks; helper tools with elevated privileges (privileged helpers, launch daemons) deserve their own line in the risk assessment.
- Same app on iOS + macOS (Catalyst/universal)? One product family, one tech file with per-platform annexes beats two divergent documents.
The pitfall that catches most teams
The Sparkle appcast served over plain HTTP or without signature verification. It's the first thing an auditor — or an attacker — checks in direct-distributed Mac software.
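As an added example (not code from this page or from the Sparkle project), a Go audit of a Sparkle appcast for the two failures named above: enclosures served over plain HTTP and enclosures with a missing, malformed or non-verifying sparkle:edSignature. It assumes the Sparkle 2 EdDSA scheme (Ed25519 signature over the archive bytes, public key taken from the app's SUPublicEDKey) and runs against a constructed feed signed with a throwaway key; the feed URLs, archive contents and the AuditAppcast/Demo names are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"strings"
)

type appcast struct {
	Encs []struct {
		URL   string `xml:"url,attr"`
		EdSig string `xml:"edSignature,attr"` // sparkle:edSignature: base64 Ed25519 signature over the archive bytes
	} `xml:"channel>item>enclosure"`
}
// AuditAppcast flags plaintext enclosure URLs and missing, malformed or non-verifying EdDSA signatures; pubKey is the decoded SUPublicEDKey, fetch (nil on failure) is injected so the audit runs offline.
func AuditAppcast(feed []byte, pubKey ed25519.PublicKey, fetch func(string) []byte) ([]string, error) {
	var ac appcast
	if err := xml.Unmarshal(feed, &ac); err != nil {
		return nil, err
	}
	var out []string
	for _, e := range ac.Encs {
		if !strings.HasPrefix(e.URL, "https://") {
			out = append(out, e.URL+": enclosure not served over HTTPS")
		}
		sig, err := base64.StdEncoding.DecodeString(e.EdSig)
		if e.EdSig == "" || err != nil || len(sig) != ed25519.SignatureSize {
			out = append(out, e.URL+": missing or malformed sparkle:edSignature")
		} else if archive := fetch(e.URL); archive == nil || !ed25519.Verify(pubKey, archive, sig) {
			out = append(out, e.URL+": archive unavailable or edSignature does not verify against SUPublicEDKey")
		}
	}
	return out, nil
}
// Demo audits a constructed feed signed with a throwaway key: one good, one unsigned and one tampered archive.
func Demo() []string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := func(b []byte) string { return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, b)) }
	feed := `<rss xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle"><channel>` +
		`<item><enclosure url="https://ex/1.zip" sparkle:edSignature="` + sig([]byte("v1")) + `"/></item>` +
		`<item><enclosure url="https://ex/2.zip"/></item>` +
		`<item><enclosure url="http://ex/3.zip" sparkle:edSignature="` + sig([]byte("v3")) + `"/></item></channel></rss>`
	files := map[string][]byte{"https://ex/1.zip": []byte("v1"), "https://ex/2.zip": []byte("v2"), "http://ex/3.zip": []byte("v3-modified")} // constructed downloads; 3.zip was replaced after signing
	out, _ := AuditAppcast([]byte(feed), pub, func(u string) []byte { return files[u] })
	return out
}
func main() { fmt.Println(strings.Join(Demo(), "\n")) }
```

Run against a real feed, fetch would be an HTTPS download and pubKey the base64-decoded SUPublicEDKey from the shipped Info.plist; an empty finding list is the state an auditor expects to see.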
The deadlines
- 2026-09-11: Reporting obligations start: actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.
- 2027-12-11: Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.
Where does your product actually stand?
The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.