CRA compliance for React Native apps
React Native apps sold or commercially distributed to EU users are in scope like any mobile app. Their compliance surface is the widest of any mobile stack: an npm dependency tree (often 1,000+ transitive packages) plus native iOS/Android dependencies plus, in many apps, an over-the-air update channel.
What this means for you specifically
- Your SBOM spans three trees: package-lock.json (JavaScript), Podfile.lock (iOS native) and the resolved Gradle dependencies (Android native). Gradle writes no lock file unless dependency locking is enabled, so either enable it or export the resolved release classpath with ./gradlew :app:dependencies and keep that output. Auditors will expect all three, per release, and a nested node_modules copy of a package is a separate component with its own version.
- OTA update services (CodePush successors, Expo Updates) are a double-edged sword: they satisfy 'security updates without delay' for the JavaScript bundle, and they make the update channel itself a high-value attack target that belongs in your risk assessment. Two caveats: an OTA push only replaces JS and assets, so a vulnerable native dependency still needs a store release; and whoever controls the channel ships your code, so the client must authenticate every bundle it loads.
- The npm supply chain is the most-attacked registry (typosquatting, maintainer account takeovers). Our State of CRA data shows 5B weekly downloads still landing on known-vulnerable versions. Commit the lock file, install with npm ci so the lock file is authoritative, and scan on every build rather than only at release time.
- Hermes/JSC engine versions are components: the engine is compiled into the app, so record which engine and which version each release ships in the technical documentation.
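A worked example of the three-tree inventory from the first point above, added here and not part of this page or of CRAdar: it parses a package-lock.json (lockfileVersion 3), a Podfile.lock and a Gradle gradle.lockfile into one component list with package URLs, then runs two checks an auditor or reviewer would want: the same package present at two versions (a nested node_modules copy that a top-level pin does not fix) and whether the react-native version agrees across all three trees. The lock-file contents are constructed samples, and the assumption that the React-Core pod and the com.facebook.react:react-android artifact carry the react-native release version is mine, not the page's.

```python
"""Merge a React Native app's three dependency trees into one component inventory.

Added example, not code from the page or from CRAdar. Inputs are the three lock
files the page names: package-lock.json (lockfileVersion 2/3), Podfile.lock, and
Gradle's gradle.lockfile (present only when dependency locking is enabled in the
Android project). The SAMPLE_* strings are constructed and only mimic the formats.
"""
import json
import re
from collections import defaultdict

SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/react-native": {"version": "0.74.0"},
        "node_modules/react": {"version": "18.2.0"},
        "node_modules/ws": {"version": "8.17.0"},
        # nested copy: another version of the same package, hidden under react-native
        "node_modules/react-native/node_modules/ws": {"version": "6.2.2"},
        "node_modules/@babel/core": {"version": "7.24.0", "dev": True},
    },
})

SAMPLE_PODFILE_LOCK = """\
PODS:
  - boost (1.83.0)
  - hermes-engine (0.74.0):
    - hermes-engine/Pre-built (= 0.74.0)
  - hermes-engine/Pre-built (0.74.0)
  - RCT-Folly (2024.01.01.00)
  - React-Core (0.74.0):
    - boost
    - RCT-Folly (= 2024.01.01.00)

DEPENDENCIES:
  - React-Core (from `../node_modules/react-native/`)

COCOAPODS: 1.15.2
"""

SAMPLE_GRADLE_LOCK = """\
# This is a Gradle generated file for dependency locking.
com.facebook.react:react-android:0.74.0=releaseRuntimeClasspath
com.facebook.hermes:hermes-android:0.74.0=releaseRuntimeClasspath
empty=debugCompileClasspath
"""


def component(ecosystem, name, version, dev=False):
    """One inventory entry with a package URL (purl); npm scopes encode '@' as %40."""
    purl_name = "%40" + name[1:] if ecosystem == "npm" and name.startswith("@") else name
    return {"type": ecosystem, "name": name, "version": version, "dev": dev,
            "purl": f"pkg:{ecosystem}/{purl_name}@{version}"}


def npm_components(lock_text):
    """Every key under "packages" except "" (the project itself) is an installed
    package; its name is the path after the last "node_modules/", so a nested copy
    is reported as its own component."""
    lock = json.loads(lock_text)
    return [component("npm", path.rsplit("node_modules/", 1)[1], meta["version"],
                      dev=bool(meta.get("dev", False)))
            for path, meta in lock["packages"].items() if path]


def cocoapods_components(lock_text):
    """Two-space-indented "- Name (version)" lines under PODS: are the resolved pods;
    deeper lines are dependency edges. Subspecs (Name/Sub) collapse onto their pod."""
    pods, in_pods = set(), False
    for line in lock_text.splitlines():
        if line.startswith("PODS:"):
            in_pods = True
            continue
        if in_pods and line and not line[0].isspace():
            break  # next top-level section (DEPENDENCIES:, SPEC CHECKSUMS:, ...)
        m = re.match(r"^  - ([^\s(]+) \(([^)]+)\)", line)
        if in_pods and m:
            pods.add((m.group(1).split("/")[0], m.group(2)))
    return [component("cocoapods", n, v) for n, v in sorted(pods)]


def gradle_components(lock_text):
    """gradle.lockfile lines are "group:artifact:version=configurations". Without
    dependency locking there is no such file; parse ./gradlew :app:dependencies instead."""
    out = []
    for line in lock_text.splitlines():
        if not line or line.startswith("#") or line.startswith("empty="):
            continue
        coords, _configs = line.split("=", 1)
        group, artifact, version = coords.split(":")
        out.append(component("maven", f"{group}/{artifact}", version))
    return out


def duplicate_versions(components):
    """Packages present at more than one version: pinning the top-level copy does
    not patch a nested node_modules copy, and both versions belong in the SBOM."""
    versions = defaultdict(set)
    for c in components:
        versions[(c["type"], c["name"])].add(c["version"])
    return {name: sorted(v) for (_, name), v in versions.items() if len(v) > 1}


# Assumption (not from the page): the react-native release version is also the
# version of the React-Core pod and of the com.facebook.react:react-android artifact.
RN_MARKERS = {("npm", "react-native"), ("cocoapods", "React-Core"),
              ("maven", "com.facebook.react/react-android")}


def react_native_versions(components):
    """Distinct react-native versions across the three trees; more than one means a
    half-finished upgrade (JS bumped, native pods or Gradle not rebuilt)."""
    return sorted({c["version"] for c in components if (c["type"], c["name"]) in RN_MARKERS})


def build_inventory(npm_lock, podfile_lock, gradle_lock):
    comps = (npm_components(npm_lock) + cocoapods_components(podfile_lock)
             + gradle_components(gradle_lock))
    return {"components": comps,
            "duplicate_versions": duplicate_versions(comps),
            "react_native_versions": react_native_versions(comps)}


if __name__ == "__main__":
    print(json.dumps(build_inventory(SAMPLE_PACKAGE_LOCK, SAMPLE_PODFILE_LOCK,
                                     SAMPLE_GRADLE_LOCK), indent=2))
```

Run against the real files by reading them in place of the SAMPLE_* strings; the output is one flat list per release, which is the shape the per-release SBOM needs, and the duplicate_versions entry is the check that a "pinned" package is actually pinned everywhere it is installed.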
The pitfall that catches most teams
Treating the JS bundle as 'just scripts'. Legally it is part of a product with digital elements, and every one of its transitive npm packages is a component you must identify and document under Annex I Part II, the vulnerability-handling requirements that include drawing up the SBOM.
The deadlines
2026-09-11
Reporting obligations start: an actively exploited vulnerability or a severe incident affecting the product's security must be reported to the single reporting platform operated by ENISA, with an early warning within 24 hours of becoming aware of it and a full notification within 72 hours, followed by a final report.
2027-12-11
Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.
Where does your product actually stand?
The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.
Or let CRAdar handle it continuously.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.