CRAdarCheck

Is my product in scope? / Self-hosted / on-prem software

CRA compliance for self-hosted and on-premises software

In scopeDefault class

Software your customers download and run on their own infrastructure — self-hosted licenses, on-prem enterprise deployments, Docker images they pull — is supplied software, plainly in scope. The 'we also have a cloud version' does not change the status of the artifact you hand over.

What this means for you specifically

The pitfall that catches most teams

Shipping fat Docker images with hundreds of OS packages you never audit. Every one is a component with your name on the compliance line.

The deadlines

2026-09-11

Reporting obligations start: actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.

2027-12-11

Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.

Where does your product actually stand?

The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.

Run the free Risk Check →No signup · instant result

Or get CRAdar to handle it continuously:

Other product types

Educational guidance on Regulation (EU) 2024/2847 — not legal advice.