Is my product in scope? / Shopify / marketplace app
CRA compliance for Shopify, Atlassian and marketplace apps
It depends on the form factor. A pure server-side marketplace app (Shopify app running entirely on your servers, embedded via iframe) is SaaS — NIS2 territory, not CRA. But Atlassian Data Center plugins, downloadable Jira apps, or any variant the customer installs on their side is a product in scope.
What this means for you specifically
- ▸Shopify apps: usually pure SaaS (in-scope only if you ship a theme-embedded script bundle counts is debated — the safe reading is that hosted script delivery is part of the service).
- ▸Atlassian: Cloud apps (Forge/Connect) are SaaS; Data Center/Server plugins are installable products — in scope, SBOM and all.
- ▸Figma/VS Code/JetBrains plugins run on the user's machine: installable software, in scope when commercial.
- ▸The platform's app-review process is never a conformity assessment.
The pitfall that catches most teams
One codebase, two form factors: the moment you port your cloud marketplace app to an installable variant for enterprise customers, the CRA applies to that variant — plan it, don't discover it.
The deadlines
2026-09-11
Reporting obligations start: actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.
2027-12-11
Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.
Where does your product actually stand?
The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.
Or get CRAdar to handle it continuously:
Other product types
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.