CRA compliance for commercial Python packages (PyPI)
Paid Python SDKs, license-keyed libraries, open-core packages with commercial tiers and client libraries shipped as part of a paid service are commercial software products — PyPI is a distribution channel like any store. The Python-specific wrinkle: your users are often data/ML teams inside regulated enterprises, which makes compliance evidence a sales gate before it's a legal one.
What this means for you specifically
- SBOM from the built artifact, not just pyproject.toml: wheels with compiled extensions (manylinux .so files) embed native libraries your metadata doesn't declare — auditors and scanners diff the two.
- ML-adjacent packages: pickled models and torch.load-style deserialization are documented RCE vectors — if your package loads serialized artifacts, that belongs in the risk assessment and secure-by-default story.
- PyPI account security is your supply chain: 2FA, trusted publishing (OIDC from CI instead of long-lived tokens) and yanking policies map directly to Annex I Part II expectations.
- Advisories flow through the Python ecosystem via PyPA advisory DB / OSV — publish there, not just in a changelog, so downstream scanners (including your customers') pick your fixes up automatically.
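The second bullet's secure-by-default point, as an added example that is not from this page: a plain `pickle.loads` beside the allowlisting unpickler pattern from the Python standard-library documentation. The loader overrides `find_class` so that any global reference outside a short builtins allowlist aborts the load; plain containers and scalars need no global lookup at all. The sample payloads are constructed here, and `collections.OrderedDict` stands in for "a class the artifact should not be resolving". Restricting globals narrows the attack surface but does not make pickle a safe interchange format; a non-executable format for model weights is the stronger default where you control the producer.

```python
import builtins
import collections
import io
import pickle

# The only globals an artifact pickle from outside a trust boundary may resolve.
# dict, list, tuple, str, int, float and bytes are encoded with opcodes that need
# no global lookup; anything else must be named here explicitly.
SAFE_BUILTINS = {"set", "frozenset", "range", "slice", "complex"}


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlisting unpickler (pattern from the Python pickle docs): every
    GLOBAL / STACK_GLOBAL reference goes through find_class, so refusing
    there stops the load before any object outside the allowlist is touched."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def load_artifact_unsafe(data: bytes):
    """The 'before': pickle.loads resolves and calls whatever importable object
    the bytes name, so loading a file you did not produce is code execution."""
    return pickle.loads(data)


def load_artifact(data: bytes):
    """The hardened loader for anything that crossed a trust boundary."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_loadable(data: bytes) -> bool:
    """True if the restricted loader accepts the payload, False if it refuses."""
    try:
        load_artifact(data)
        return True
    except pickle.UnpicklingError:
        return False


# Constructed samples: a plain weights dict, and an object whose pickle contains a
# global reference outside the allowlist (collections.OrderedDict is harmless;
# the same opcode path is what resolves arbitrary callables in a hostile file).
BENIGN = pickle.dumps({"weights": [0.1, 0.2], "epochs": 3})
OUTSIDE_ALLOWLIST = pickle.dumps(collections.OrderedDict(lr=0.01))

if __name__ == "__main__":
    print("benign artifact accepted:", is_loadable(BENIGN))
    print("artifact with foreign global accepted:", is_loadable(OUTSIDE_ALLOWLIST))
```

Logging the refused `module.name` pair (as the exception message does) gives you a detection signal for artifacts that reference things a weights file never should.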
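To show why the last bullet matters for automatic pickup, here is an added example (not from this page or the PyPA advisory database) that builds a minimal OSV record for a PyPI package and evaluates it the way a downstream scanner does: a version is affected from an `introduced` event up to, but not including, the next `fixed` event in an `ECOSYSTEM` range. The advisory id, package name and versions are constructed placeholders; the PyPA advisory database assigns real `PYSEC` ids. Version ordering is simplified to dotted integers here, where real scanners apply PEP 440.

```python
from datetime import datetime, timezone


def parse_version(v: str) -> tuple:
    """Simplified ordering for dotted-integer versions (assumption for the demo;
    production scanners use PEP 440 ordering, e.g. packaging.version)."""
    return tuple(int(p) for p in v.split("."))


def make_osv_record(advisory_id: str, package: str, introduced: str,
                    fixed: str, summary: str) -> dict:
    """Minimal OSV record for a PyPI package with one ECOSYSTEM range.
    advisory_id is a placeholder; the PyPA advisory DB assigns the real one."""
    return {
        "id": advisory_id,
        "modified": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "summary": summary,
        "affected": [
            {
                "package": {"ecosystem": "PyPI", "name": package},
                "ranges": [
                    {
                        "type": "ECOSYSTEM",
                        "events": [{"introduced": introduced}, {"fixed": fixed}],
                    }
                ],
            }
        ],
    }


def is_affected(record: dict, package: str, version: str) -> bool:
    """Scanner-side evaluation: walk each ECOSYSTEM range's events in order.
    'introduced' opens an affected interval, the next 'fixed' closes it; an
    interval with no 'fixed' stays open, which is why publishing the fix event
    is what makes customers' scanners stop flagging you."""
    v = parse_version(version)
    for aff in record.get("affected", []):
        pkg = aff.get("package", {})
        if pkg.get("ecosystem") != "PyPI" or pkg.get("name", "").lower() != package.lower():
            continue
        if version in aff.get("versions", []):  # explicit version list form
            return True
        for rng in aff.get("ranges", []):
            if rng.get("type") != "ECOSYSTEM":
                continue
            start = None
            for ev in rng.get("events", []):
                if "introduced" in ev:
                    start = parse_version(ev["introduced"])  # "0" means every version
                elif "fixed" in ev and start is not None:
                    if start <= v < parse_version(ev["fixed"]):
                        return True
                    start = None
            if start is not None and start <= v:
                return True
    return False


def missing_fields(record: dict) -> list[str]:
    """Fields without which the record cannot be consumed: id, modified, and
    an affected entry with a package and either ranges or a versions list."""
    missing = [f for f in ("id", "modified", "affected") if f not in record]
    for i, aff in enumerate(record.get("affected", [])):
        if "package" not in aff:
            missing.append(f"affected[{i}].package")
        if not aff.get("ranges") and not aff.get("versions"):
            missing.append(f"affected[{i}].ranges")
    return missing


if __name__ == "__main__":
    rec = make_osv_record("PYSEC-0000-0001", "mypkg", "1.2.0", "1.4.1",
                          "constructed example advisory")
    for ver in ("1.1.9", "1.2.0", "1.3.0", "1.4.1"):
        print(ver, "affected" if is_affected(rec, "mypkg", ver) else "clean")
```

The same `is_affected` walk is what your own CI can run against the advisory you are about to publish, to confirm the fixed release you are shipping really falls outside the range before customers' scanners see it.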
The pitfall that catches most teams
The compiled-extension blind spot: pure-Python scanning says you're clean while your manylinux wheel bundles an outdated OpenSSL. Scan the wheel you actually ship.
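The SBOM bullet above and this pitfall are the same gap seen from two sides, so one added example covers both (it is not code from this page or from any packaging tool): open the wheel you actually ship, separate compiled extension modules from libraries that auditwheel vendored into the `<pkg>.libs/` directory, and diff those against the `Requires-Dist` lines in the wheel's `METADATA`. The wheel itself is constructed in memory with stub file contents; the package name and library hashes are placeholders. Note the caveat the example surfaces: a vendored filename such as `libcrypto-<hash>.so.3` only preserves the SONAME version, so the exact upstream OpenSSL release for the SBOM still has to come from your build environment.

```python
import io
import re
import zipfile

# A library vendored by auditwheel into the wheel's <pkg>.libs/ directory is
# renamed like libssl-1a2b3c4d.so.3 (8-hex-char hash, then the SONAME version).
VENDORED_SO = re.compile(
    r"^(?P<pkg>[^/]+)\.libs/(?P<lib>lib[^/]+?)-[0-9a-f]{8}\.so(?P<ver>(?:\.\d+)*)$"
)
# Compiled extension modules that are part of the package itself.
EXTENSION_SO = re.compile(r"\.(?:cpython-\d+-[^/]+|abi3)\.so$")
# Leading distribution name in a Requires-Dist line (before any specifier).
DIST_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")


def build_sample_wheel() -> bytes:
    """Constructed sample wheel (not a real package): METADATA declares one
    pure-Python dependency, but the manylinux build vendored libssl/libcrypto
    into mypkg.libs/. The .so members are stub bytes, not real ELF files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mypkg/__init__.py", "from ._native import *\n")
        zf.writestr("mypkg/_native.cpython-311-x86_64-linux-gnu.so", b"\x7fELF-stub")
        zf.writestr("mypkg.libs/libcrypto-2f4a1b3c.so.3", b"\x7fELF-stub")
        zf.writestr("mypkg.libs/libssl-9d8e7f6a.so.3", b"\x7fELF-stub")
        zf.writestr(
            "mypkg-1.4.0.dist-info/METADATA",
            "Metadata-Version: 2.1\nName: mypkg\nVersion: 1.4.0\n"
            "Requires-Dist: requests>=2.31\n",
        )
    return buf.getvalue()


def audit_wheel(wheel_bytes: bytes) -> dict:
    """Inventory what the wheel actually ships, not what pyproject.toml says."""
    declared, vendored, extensions = [], [], []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".dist-info/METADATA"):
                for line in zf.read(name).decode().splitlines():
                    if line.startswith("Requires-Dist:"):
                        m = DIST_NAME.match(line.split(":", 1)[1].strip())
                        if m:
                            declared.append(m.group(0).lower())
            elif (m := VENDORED_SO.match(name)):
                vendored.append({"lib": m["lib"], "soname_version": m["ver"].lstrip(".")})
            elif EXTENSION_SO.search(name):
                extensions.append(name)
    return {"declared": sorted(declared), "vendored": vendored, "extensions": extensions}


def sbom_gap(audit: dict) -> list[str]:
    """Native components present in the artifact that no metadata entry covers.
    Each needs an SBOM component whose real upstream version comes from the
    build environment; the filename only keeps the SONAME major version."""
    return [
        f"{v['lib']}.so.{v['soname_version']} (vendored, not in Requires-Dist)"
        for v in audit["vendored"]
    ]


if __name__ == "__main__":
    result = audit_wheel(build_sample_wheel())
    print("declared:", result["declared"])
    print("extensions:", result["extensions"])
    for finding in sbom_gap(result):
        print("SBOM gap:", finding)
```

Run the same inventory over every wheel in your release directory before upload; a scanner that only reads `pyproject.toml` or the sdist will report the declared list and nothing else.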
The deadlines
2026-09-11
Reporting obligations start: actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.
2027-12-11
Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.
Where does your product actually stand?
The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.
Or get CRAdar to handle it continuously.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.