CRA compliance for Tauri apps
Tauri apps are desktop products with digital elements, in scope when commercially available to EU users. Tauri's architecture is genuinely favorable under the CRA — smaller attack surface than Electron, memory-safe Rust core, system webview instead of a bundled Chromium — but favorable is not exempt.
What this means for you specifically
- Your SBOM has two trees: Cargo.lock (Rust core + plugins) and your frontend's npm tree. cargo cyclonedx plus a JS SBOM tool cover both.
- Relying on the system webview means webview CVEs are the OS vendor's to patch — a real compliance advantage over Electron. Document this boundary in your risk assessment; it's a legitimate attack-surface-minimisation argument.
- Tauri's allowlist/capabilities system maps directly to 'secure by default' (Annex I Part I) — ship the minimal capability set and say so in the tech file.
- The updater plugin with signature verification satisfies the secure-update requirement; enable it rather than rolling your own.
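The two-tree SBOM point above, as an added example that is not from this page or the Tauri project: it merges a Cargo-side and an npm-side CycloneDX document into one BOM for the app, deduplicating by purl and refusing components that have no purl (which could not be matched against advisories). Both input BOMs are constructed samples standing in for what cargo cyclonedx and a JS SBOM tool would produce; the app name and version are hypothetical.

```python
import json

# Constructed sample of what cargo cyclonedx might emit for the Rust core and its plugins.
CARGO_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "tauri", "version": "2.0.0", "purl": "pkg:cargo/tauri@2.0.0"},
        {"type": "library", "name": "tauri-plugin-updater", "version": "2.0.0", "purl": "pkg:cargo/tauri-plugin-updater@2.0.0"},
    ],
}
# Constructed sample of what a JS SBOM tool might emit for the frontend; "react" appears
# twice to mimic a hoisted duplicate, which the merge must collapse into one entry.
NPM_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "@tauri-apps/api", "version": "2.0.0", "purl": "pkg:npm/%40tauri-apps/api@2.0.0"},
        {"type": "library", "name": "react", "version": "18.3.1", "purl": "pkg:npm/react@18.3.1"},
        {"type": "library", "name": "react", "version": "18.3.1", "purl": "pkg:npm/react@18.3.1"},
    ],
}

def merge_boms(app_name, app_version, *boms):
    """Union the component lists, deduplicated by purl, under one metadata.component."""
    merged = {}
    for bom in boms:
        for comp in bom.get("components", []):
            purl = comp.get("purl")
            if not purl:  # without a purl the entry cannot be matched against advisories
                raise ValueError(f"component without purl: {comp.get('name')}")
            merged.setdefault(purl, comp)  # first occurrence wins; duplicates collapse
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "metadata": {"component": {"type": "application",
                                   "name": app_name, "version": app_version}},
        "components": sorted(merged.values(), key=lambda c: c["purl"]),
    }

def ecosystem_counts(bom):
    """Count components per purl type, e.g. {'cargo': 2, 'npm': 2}, to sanity-check both trees landed."""
    counts = {}
    for comp in bom["components"]:
        eco = comp["purl"].split(":", 1)[1].split("/", 1)[0]
        counts[eco] = counts.get(eco, 0) + 1
    return counts

if __name__ == "__main__":
    merged = merge_boms("my-tauri-app", "1.0.0", CARGO_BOM, NPM_BOM)  # hypothetical app
    print(json.dumps(merged, indent=2))
    print(ecosystem_counts(merged))
```

A merged BOM whose ecosystem counts show only one of the two trees is the usual sign that a CI step ran in the wrong directory or skipped the frontend.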
The pitfall that catches most teams
Assuming Rust memory safety covers you. Most Tauri app logic lives in the JS frontend and its npm dependencies — the same supply chain risk as any web app, shipped as a desktop product.
The deadlines
2026-09-11
Reporting obligations start: actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.
2027-12-11
Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.
Where does your product actually stand?
The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.