CRA compliance for WordPress plugins and themes
Commercial WordPress plugins and themes (premium, freemium with paid tiers, or free plugins that upsell a service) are products with digital elements. WordPress powers ~40% of the web, plugin vulnerabilities are a top exploitation vector, and regulators know it.
What this means for you specifically
- The wordpress.org free-only, no-monetisation route may stay outside 'commercial activity' — but a free plugin that markets your paid SaaS is commercial.
- Your SBOM covers bundled PHP libraries (Composer), bundled JS (often the weak spot: old jQuery plugins, chart libraries) and any vendored code.
- You must be able to push security releases quickly: the wordpress.org update channel or a licensed-update mechanism for off-repo sales satisfies the update requirement; abandoned premium plugins on marketplaces do not.
- A public CVD policy matters disproportionately in this ecosystem — most WordPress CVEs are found by third-party researchers who need a way to reach you.
The pitfall that catches most teams
Bundled, vendored JS libraries frozen years ago. Auditors and scanners find these in minutes, and they are the exact pattern Annex I Part II targets.
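As an added illustration of the SBOM point above and of this vendored-JS pitfall (example code written for this page, not the page's own or CRAdar's tooling): the Python script below walks a plugin directory, lists Composer runtime packages from composer.lock, identifies vendored JS libraries by the version banner at the top of the file, and flags anything below a version floor. This is the minutes-long check an auditor or scanner performs. The plugin tree, banner text and floor table are constructed for the demo; the floor values are placeholders for a team's own policy, not a statement of any library's support status.

```python
"""Inventory bundled dependencies in a WordPress plugin tree (Composer
runtime packages plus version banners in vendored JS) and flag those below
a version floor. Added illustration; the directory layout, banner text and
floor table are constructed for the demo, not taken from any real plugin."""
import json
import re
import tempfile
from pathlib import Path

# Matches single- or multi-line banners such as "/*! jQuery v1.12.4 | ..."
# or "/*!\n * Bootstrap v4.6.0 (...)". Only the first 512 bytes of each file
# are inspected; libraries shipped without a banner need a hash-based match.
JS_BANNER_RE = re.compile(
    r"/\*!?[\s*]*([A-Za-z][\w.\-]*(?: [A-Za-z][\w.\-]*)*)\s+v?(\d+\.\d+(?:\.\d+)?)"
)


def version_tuple(v):
    """'1.12.4' -> (1, 12, 4) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def inventory_plugin(root):
    """Walk a plugin directory and return the bundled components found."""
    root = Path(root)
    found = []
    for lock in root.rglob("composer.lock"):
        data = json.loads(lock.read_text(encoding="utf-8"))
        # Only "packages" ships to users; "packages-dev" is not part of the product.
        for pkg in data.get("packages", []):
            found.append({"type": "composer", "name": pkg["name"],
                          "version": pkg["version"].lstrip("v"),
                          "path": str(lock.relative_to(root))})
    for js in root.rglob("*.js"):
        with open(js, "r", encoding="utf-8", errors="replace") as fh:
            head = fh.read(512)
        m = JS_BANNER_RE.search(head)
        if m:
            found.append({"type": "js", "name": m.group(1), "version": m.group(2),
                          "path": str(js.relative_to(root))})
    return sorted(found, key=lambda c: (c["type"], c["name"].lower()))


def below_floor(components, floors):
    """Return components whose version is below the team's minimum for that
    library. `floors` maps a lower-cased library name to a version string."""
    flagged = []
    for c in components:
        floor = floors.get(c["name"].lower())
        if floor and version_tuple(c["version"]) < version_tuple(floor):
            flagged.append({**c, "floor": floor})
    return flagged


def build_demo_plugin():
    """Create a constructed plugin tree in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="wp-plugin-"))
    (root / "assets" / "js").mkdir(parents=True)
    (root / "assets" / "js" / "jquery.min.js").write_text(
        "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */\n"
        "!function(a,b){}(window);\n", encoding="utf-8")
    (root / "assets" / "js" / "chart.min.js").write_text(
        "/*!\n * Chart.js v2.9.4\n * https://www.chartjs.org\n */\n"
        "!function(){}();\n", encoding="utf-8")
    (root / "assets" / "js" / "admin.js").write_text(
        "// the plugin's own admin script: no banner, so it is not a bundled library\n",
        encoding="utf-8")
    (root / "composer.lock").write_text(json.dumps({
        "packages": [{"name": "monolog/monolog", "version": "1.25.5"}],
        "packages-dev": [{"name": "phpunit/phpunit", "version": "9.6.0"}],
    }), encoding="utf-8")
    return root


# Constructed floor table for the demo. A real one comes from the team's own
# policy and each library's published support status.
DEMO_FLOORS = {"jquery": "3.0.0", "chart.js": "3.0.0", "monolog/monolog": "1.0.0"}

if __name__ == "__main__":
    demo = build_demo_plugin()
    comps = inventory_plugin(demo)
    for c in comps:
        print(f"{c['type']:8} {c['name']:18} {c['version']:10} {c['path']}")
    for c in below_floor(comps, DEMO_FLOORS):
        print(f"FIX: {c['name']} {c['version']} < floor {c['floor']} ({c['path']})")
```

Run it against a real plugin checkout by passing the directory to `inventory_plugin`; the output of that call is the raw material for the SBOM's JS and PHP component entries, and `below_floor` is the start of the prioritized fix list.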
The deadlines
2026-09-11
Reporting obligations start: actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.
2027-12-11
Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.
Where does your product actually stand?
The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.