Apps built with no-code tools: who carries CRA obligations?
If you commercially distribute an app you built with no-code/low-code tools (Bubble-exported apps, FlutterFlow builds, Glide PWAs packaged for stores), you are the manufacturer. Using a platform to write the code does not transfer the legal obligations to the platform.
What this means for you specifically
- You are responsible for components you did not choose consciously: the platform's generated dependencies are your SBOM. Prefer platforms that can export one.
- Update control matters: if only the platform can patch the runtime, get their security-response SLA in writing — it is your evidence for Annex I Part II compliance.
- PWAs are a nuance: pure web apps are services (NIS2), but a PWA packaged and distributed via app stores is an installable product.
- Ask your platform for CRA support artifacts now; their answer tells you whether the platform survives 2027 as a business.
The pitfall that catches most teams
'The platform handles security' — it handles its infrastructure; the product placed on the market under your name is yours.
The deadlines
2026-09-11
Reporting obligations start: actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.
2027-12-11
Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.