CRA compliance for commercial developer packages (npm, PyPI, crates)
Paid SDKs, commercial API client libraries, license-keyed packages and open-core packages with paid tiers are commercial software products. Distribution through a public registry doesn't change that: npm or PyPI is a distribution channel like any app store, and the package you publish there is the product.
What this means for you specifically
- Your customers are manufacturers themselves: they will demand your SBOM, VEX statements and CVD policy to satisfy their own Annex I duties. Compliance becomes a sales asset here faster than anywhere else.
- Transitive dependencies are your biggest exposure: a commercial SDK that pulls in 300 transitive npm packages is responsible for that whole tree under Annex I Part II, which means identifying and documenting every component (the SBOM) and handling vulnerabilities found in them, not only in your own code.
- Deprecating vulnerable versions (npm deprecate; a published npm version can normally only be unpublished within its first 72 hours, so deprecation is the usual tool) and publishing advisories (GitHub Security Advisories, which feed the advisory data that npm audit checks) map directly to the update-and-advisory obligations.
- Typosquatting and registry account takeover are your likely incident scenarios: requiring 2FA to publish and publishing with provenance attestations (npm publish --provenance from a CI job with an OIDC identity) are cheap controls to document in the technical file.
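The "you own that tree" point is easiest to make concrete against the lockfile. The script below is an added example for this page, not CRAdar code or any npm tooling: it reads a package-lock.json in the lockfileVersion 3 layout (root entry under the empty key, every other key a node_modules path), separates the shipped tree from dev-only packages, counts direct versus transitive components, emits the package URLs an SBOM component list needs, and flags entries that resolve outside the trusted registry or carry no integrity hash. The embedded lockfile is constructed for the example: the package names mirror real ones, but the integrity values are placeholders and the git and mirror URLs are hypothetical.

```python
"""Inventory the shipped npm dependency tree from package-lock.json (lockfileVersion 3).

Added example; not CRAdar code. Assumes lock["packages"][""] is the root entry and every
other key is a node_modules path, as npm writes for lockfileVersion 3.
"""
import json
import sys
from urllib.parse import urlparse

# Hosts shipped components are expected to resolve from. Anything else (mirrors, git refs,
# raw tarball links) deserves a line in the technical file.
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}


def _reg(name, version, deps=None):
    """Build a registry-resolved lock entry for the constructed sample (placeholder integrity)."""
    entry = {"version": version,
             "resolved": f"https://registry.npmjs.org/{name}/-/{name}-{version}.tgz",
             "integrity": "sha512-PLACEHOLDER"}
    if deps:
        entry["dependencies"] = deps
    return entry


# Constructed sample lockfile; hosts other than registry.npmjs.org are hypothetical.
SAMPLE_LOCK = {
    "name": "acme-sdk", "version": "2.1.0", "lockfileVersion": 3,
    "packages": {
        "": {"name": "acme-sdk", "version": "2.1.0",
             "dependencies": {"node-fetch": "^2.6.7", "left-pad": "^1.3.0"},
             "devDependencies": {"jest": "^29.0.0"}},
        "node_modules/node-fetch": _reg("node-fetch", "2.6.7", {"whatwg-url": "^5.0.0"}),
        "node_modules/whatwg-url": _reg("whatwg-url", "5.0.0",
                                        {"tr46": "~0.0.3", "webidl-conversions": "^3.0.0"}),
        "node_modules/tr46": _reg("tr46", "0.0.3"),
        # Pulled from a git ref instead of the registry: no integrity hash, content can move.
        "node_modules/webidl-conversions": {
            "version": "3.0.1",
            "resolved": "git+ssh://git@github.com/example-org/webidl-conversions.git#0123abcd"},
        # Resolved from an internal mirror (hypothetical host).
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://npm.mirror.example.internal/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-PLACEHOLDER"},
        # Dev-only: does not ship with the SDK, so it is outside the product's tree.
        "node_modules/jest": dict(_reg("jest", "29.7.0"), dev=True),
    },
}


def package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (the last node_modules segment)."""
    return path.split("node_modules/")[-1]


def shipped_tree(lock):
    """Every locked package that ships with the product: root and dev-only entries excluded."""
    return {p: e for p, e in lock["packages"].items() if p and not e.get("dev")}


def analyze_lockfile(lock, trusted_hosts=TRUSTED_REGISTRY_HOSTS):
    """Count direct vs transitive shipped packages and flag weak resolution or missing integrity."""
    direct = set(lock["packages"][""].get("dependencies", {}))
    tree = shipped_tree(lock)
    findings = []
    transitive = 0
    for path, entry in tree.items():
        # A nested duplicate of a direct dependency is counted as direct by name; fine for inventory.
        if package_name(path) not in direct:
            transitive += 1
        resolved = entry.get("resolved")
        if not resolved:
            findings.append((path, "no resolved URL"))
        else:
            url = urlparse(resolved)
            if url.scheme != "https" or url.hostname not in trusted_hosts:
                findings.append((path, f"resolved outside trusted registry: {resolved}"))
        if not entry.get("integrity"):
            findings.append((path, "missing integrity hash"))
    return {"direct": len(direct), "transitive": transitive,
            "shipped_total": len(tree), "findings": findings}


def sbom_purls(lock):
    """Sorted package URLs (pkg:npm/name@version) for the shipped tree: the SBOM component list."""
    purls = set()
    for path, entry in shipped_tree(lock).items():
        name = package_name(path)
        if name.startswith("@"):          # scoped packages encode the '@' in a purl
            name = "%40" + name[1:]
        purls.add(f"pkg:npm/{name}@{entry['version']}")
    return sorted(purls)


if __name__ == "__main__":
    lock = SAMPLE_LOCK
    if len(sys.argv) > 1:                 # python lockcheck.py path/to/package-lock.json
        with open(sys.argv[1], encoding="utf-8") as f:
            lock = json.load(f)
    report = analyze_lockfile(lock)
    print(f"direct={report['direct']} transitive={report['transitive']} shipped={report['shipped_total']}")
    for path, why in report["findings"]:
        print(f"  {path}: {why}")
    for purl in sbom_purls(lock):
        print(purl)
```

Run it against your real lockfile to get the shipped component count your customers will ask about and the entries that cannot be tied to a registry artifact; those are the ones you cannot vouch for in an SBOM or VEX statement without extra work. Dev-only packages are excluded because they never reach the customer, which is also why a "300 transitive packages" figure from npm ls is usually an overcount for the product itself.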
The pitfall that catches most teams
Believing 'we ship source, integrators are responsible'. The commercial supplier of the component is a manufacturer with full obligations for that component.
The deadlines
2026-09-11
Reporting obligations start: actively exploited vulnerabilities and severe incidents must be reported via the ENISA Single Reporting Platform, with an early warning within 24 hours and a notification within 72 hours.
2027-12-11
Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.
Where does your product actually stand?
The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.
Or get CRAdar to handle it continuously.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.