CRA compliance for self-hosted and on-premises software
Software your customers download and run on their own infrastructure (self-hosted licenses, on-prem enterprise deployments, Docker images they pull) is supplied software and plainly in scope. The argument 'we also have a cloud version' does not change the status of the artifact you hand over.
What this means for you specifically
- Container images are distribution artifacts: the base-image layers (Debian packages, Alpine apks) are components of your product, so they belong in your SBOM. The CVE noise those base layers generate is exactly what you must triage and document.
- Helm charts that pull sidecar images extend your product boundary; declare explicitly which images are yours and which are customer-supplied.
- Your security-update channel must reach air-gapped and on-prem customers: versioned advisories plus patched releases, not just 'we fixed it in cloud'.
- Enterprise buyers will hand you CRA flow-down clauses in procurement; having an SBOM and a coordinated vulnerability disclosure (CVD) policy ready measurably shortens sales cycles.
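To make the first bullet concrete, here is an added example (not code from this page or from CRAdar) that turns the two package databases found in common base images, Debian's /var/lib/dpkg/status and Alpine's /lib/apk/db/installed, into a minimal CycloneDX-style component list with package URLs. Both database excerpts are constructed, the "example:origin" property is an illustrative name chosen here, and in practice you would read the files out of the image's filesystem rather than from string constants.

```python
"""Enumerate base-image OS packages from container package databases and
emit a minimal CycloneDX-style component list (added example; the database
excerpts below are constructed, not taken from a real image)."""
import json
import re
from urllib.parse import quote

# Constructed excerpt of Debian's /var/lib/dpkg/status: one stanza per package,
# including a removed package that must NOT appear as a shipped component.
DPKG_STATUS = """\
Package: libssl3
Status: install ok installed
Version: 3.0.11-1~deb12u2
Architecture: amd64

Package: zlib1g
Status: install ok installed
Version: 1:1.2.13.dfsg-1
Architecture: amd64

Package: some-removed-pkg
Status: deinstall ok config-files
Version: 0.1-1
Architecture: amd64
"""

# Constructed excerpt of Alpine's /lib/apk/db/installed (P: name, V: version, A: arch).
APK_INSTALLED = """\
C:Q1abc=
P:musl
V:1.2.4-r2
A:x86_64

C:Q1def=
P:busybox
V:1.36.1-r15
A:x86_64
"""


def parse_dpkg_status(text):
    """Return (name, version, arch) for every package whose dpkg status is 'installed'."""
    comps = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith(" "):
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        # Only fully installed packages are shipped; removed/config-files entries are skipped.
        if fields.get("Status", "").endswith(" installed"):
            comps.append((fields["Package"], fields["Version"], fields.get("Architecture", "")))
    return comps


def parse_apk_installed(text):
    """Return (name, version, arch) for every package in Alpine's installed database."""
    comps = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if len(line) > 2 and line[1] == ":":
                fields[line[0]] = line[2:].strip()
        if "P" in fields and "V" in fields:
            comps.append((fields["P"], fields["V"], fields.get("A", "")))
    return comps


def component(distro, name, version, arch):
    """Build one CycloneDX-style component with a percent-encoded package URL."""
    ptype = "deb/debian" if distro == "debian" else "apk/alpine"
    purl = f"pkg:{ptype}/{quote(name, safe='')}@{quote(version, safe='')}"
    if arch:
        purl += f"?arch={quote(arch, safe='')}"
    return {
        "type": "library",
        "name": name,
        "version": version,
        "purl": purl,
        # Illustrative property name: records that the component came from the base image.
        "properties": [{"name": "example:origin", "value": f"base-image:{distro}"}],
    }


def base_image_sbom(dpkg_text, apk_text):
    """Combine both package databases into a minimal CycloneDX document (dict)."""
    comps = [component("debian", *c) for c in parse_dpkg_status(dpkg_text)]
    comps += [component("alpine", *c) for c in parse_apk_installed(apk_text)]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": comps}


if __name__ == "__main__":
    print(json.dumps(base_image_sbom(DPKG_STATUS, APK_INSTALLED), indent=2))
```

The point of the status filter is that a package database lists packages that were removed but left configuration behind; those are not part of what you ship and should not inflate the component list you have to triage. The package URLs are what vulnerability scanners key on, so the epoch in a Debian version (the `1:` in zlib1g) is percent-encoded rather than dropped.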
The pitfall that catches most teams
Shipping fat Docker images with hundreds of OS packages you never audit. Every one of them is a component with your name on the compliance line.
The deadlines
2026-09-11
Reporting obligations start: actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.
2027-12-11
Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.
Where does your product actually stand?
The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.