CRAdarCheck


CRA compliance for commercial Python packages (PyPI)

In scope · Default class

Paid Python SDKs, license-keyed libraries, open-core packages with commercial tiers and client libraries shipped as part of a paid service are commercial software products — PyPI is a distribution channel like any store. The Python-specific wrinkle: your users are often data/ML teams inside regulated enterprises, which makes compliance evidence a sales gate before it's a legal one.

What this means for you specifically

The pitfall that catches most teams

The compiled-extension blind spot: pure-Python scanning says you're clean while your manylinux wheel bundles an outdated OpenSSL. Scan the wheel you actually ship.
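To show what "scan the wheel you actually ship" looks like in practice, here is an added example (not CRAdar's own tooling) that opens a wheel as the zip file it is, lists the native shared objects it bundles (auditwheel-style vendored libraries land under `<package>.libs/`), and pulls the OpenSSL version banner that libcrypto/libssl embed as a string. The wheel it inspects is constructed inline as a stand-in for a real manylinux build.

```python
# Added example: find bundled native libraries in a wheel and report the
# OpenSSL version string compiled into them. Not code from CRAdar.
import io
import re
import zipfile
from typing import Dict, List

# libcrypto/libssl carry OPENSSL_VERSION_TEXT, e.g. "OpenSSL 1.1.1w  11 Sep 2023".
OPENSSL_BANNER = re.compile(rb"OpenSSL \d+\.\d+\.\d+[a-z]?")
ELF_MAGIC = b"\x7fELF"


def bundled_shared_objects(wheel_bytes: bytes) -> Dict[str, bytes]:
    """Return {member path: bytes} for every ELF shared object inside a wheel."""
    found: Dict[str, bytes] = {}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as wheel:
        for name in wheel.namelist():
            # Extension modules end in .so; vendored libs look like libfoo-<hash>.so.1.1
            if ".so" not in name.rsplit("/", 1)[-1]:
                continue
            blob = wheel.read(name)
            if blob.startswith(ELF_MAGIC):
                found[name] = blob
    return found


def openssl_versions(wheel_bytes: bytes) -> Dict[str, List[str]]:
    """Map each bundled shared object to the OpenSSL version banners it contains."""
    report: Dict[str, List[str]] = {}
    for path, blob in bundled_shared_objects(wheel_bytes).items():
        banners = sorted({m.decode() for m in OPENSSL_BANNER.findall(blob)})
        if banners:
            report[path] = banners
    return report


def build_sample_wheel() -> bytes:
    """Constructed stand-in for a manylinux wheel: pure-Python code, an extension
    module, and a vendored libcrypto carrying an old OpenSSL banner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as wheel:
        wheel.writestr("mysdk/__init__.py", "VERSION = '1.0'\n")
        wheel.writestr("mysdk/_native.cpython-311-x86_64-linux-gnu.so", ELF_MAGIC + b"\0" * 32)
        wheel.writestr("mysdk.libs/libcrypto-abc123.so.1.1",
                       ELF_MAGIC + b"\0" * 16 + b"OpenSSL 1.1.1w  11 Sep 2023\0")
    return buf.getvalue()


if __name__ == "__main__":
    for path, versions in openssl_versions(build_sample_wheel()).items():
        print(f"{path}: {', '.join(versions)}")
```

A pure-Python dependency scan of this package would report nothing, because `mysdk` declares no OpenSSL dependency; only the wheel itself reveals the bundled 1.1.1w.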

The deadlines

2026-09-11

Reporting obligations start: actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.

2027-12-11

Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.

Where does your product actually stand?

The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.

Run the free Risk Check → No signup · instant result

Educational guidance on Regulation (EU) 2024/2847 — not legal advice.