Does CRA apply to free browser extensions with no revenue?

If the extension is published by a commercial entity — even if the extension itself generates no direct revenue — it is distributed in the course of commercial activity per Recital 18 of Regulation (EU) 2024/2847. A company publishing a free extension to support brand awareness, drive traffic to a paid product, or collect analytics data is engaged in commercial activity. Only extensions developed by private individuals entirely outside any commercial context are excluded.

My extension only works offline with no backend. Is it still in CRA scope?

If the extension is software installed on a user's device and has any logical data connection (Article 2(1)), it is a product with digital elements. An offline extension that accesses browser APIs, storage, or page content has logical data connections. CRA scope is broad — the absence of a cloud backend reduces the product boundary but does not eliminate CRA applicability.

Will browser stores (Chrome, Firefox, Edge) enforce CRA compliance?

While the CRA does not directly regulate browser store operators, the Digital Markets Act and Digital Services Act create expectations for gatekeepers to support EU regulatory compliance. Google, Mozilla, and Microsoft are expected to integrate CRA-related requirements into their developer programs. Having documentation ready positions you ahead of policy changes.

My extension handles passwords. Does it classify differently?

Password managers and identity management tools are listed in Annex III, Part I of Regulation (EU) 2024/2847 as Important Class I products because they perform functions critical to cybersecurity. This classification requires either harmonised standards with Module A self-assessment or Module B+C/H with notified body involvement per Article 32(2). CRACheck's Product Classifier identifies this classification.

I publish the same extension on Chrome, Firefox, and Edge. Do I need separate documentation for each?

If the core extension is functionally identical across browsers with only manifest differences, a single Article 31 dossier covering the product is sufficient, noting the supported platforms. If the Chrome and Firefox versions have materially different architectures or features, they may be separate products requiring separate documentation.

Is CRACheck a subscription?

No. One-time payment. 30 days of editing, 10 regenerations. The PDF is yours to keep.

Can I request a refund?

Per Article 16(m) of Directive (EU) 2011/83, activating the license constitutes express consent for immediate generation. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate at no additional cost during your license period.

You publish a browser extension on the Chrome Web Store, Firefox Add-ons, or Edge Add-ons. European users install it. Under Article 3(1) of Regulation (EU) 2024/2847, that extension is software placed on the EU market — a product with digital elements. If it communicates with your backend API, Article 3(2) brings the backend into scope. CRACheck generates the 8 documents Article 31 requires before a store policy change catches you off guard.

A browser extension is software that users install on their device. When distributed through a store available to EU users in the course of commercial activity, it is "made available on the market" under Article 3(22) of the Cyber Resilience Act. The developer is the manufacturer under Article 3(13). Browser extensions often handle sensitive data — passwords, browsing history, authentication tokens — making the cybersecurity risk assessment under Article 13(2)-(3) particularly important. CRACheck generates the 8-document dossier under Article 31 + Annex VII in 15-25 minutes for €149. Your extension's CRA documentation exists before Google, Mozilla, or Microsoft make it a store requirement.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

450M+

EU citizens who can install your extension from browser stores today

Art. 3(1)

A browser extension is software = a product with digital elements under CRA

€149

One-time cost for the complete CRA dossier for your extension

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Identify your extension

Enter extension name, browser(s), manifest version, developer entity. CRACheck frames it as a product with digital elements per Article 3(1).

Map data flows

What data does your extension access? Browsing history, page content, cookies, form data, authentication tokens? What does it send to your backend? This defines the risk assessment scope.

Classify under Annex III

Most browser extensions classify as Default category. Extensions performing password management, identity protection, or network security functions may classify as Important Class I per Annex III.

Document permissions

Chrome's permissions model (activeTab, storage, cookies, webRequest) maps directly to the Annex I essential requirements for data minimization and access control.

Generate risk assessment

Extension-specific threat analysis: permission abuse, data exfiltration through content scripts, man-in-the-middle injection, third-party library vulnerabilities, and update mechanism hijacking.

Produce 8 documents

Technical documentation, risk assessment, declaration of conformity, user information (compatible with extension store privacy disclosures), CVD policy, ENISA template, obligations calendar.

Archive alongside store metadata

Keep the dossier with your extension's store listing data. Ready for any compliance inquiry.

Common mistakes

❌

SIZE IRRELEVANT

"Browser extensions are too small to be regulated products"

The CRA does not set a minimum size, complexity, or user base for products with digital elements. Article 3(1) defines a product with digital elements as software placed on the market. A 50KB extension with 500 users is as much a regulated product as a 500MB application with 5 million users. The scope trigger is market placement, not product size.

❌

STORE vs MANUFACTURER

"Google's Chrome Web Store review process handles security for me"

Chrome Web Store review checks for malware and basic policy compliance. It does not produce technical documentation under Article 31, conduct a risk assessment per Article 13, or issue a declaration of conformity per Article 28. The store is a distribution channel. The manufacturer obligations under CRA rest with you.

❌

COMMERCIAL CONTEXT

"My extension is free and open-source under MIT/Apache license"

If your extension is part of a commercial activity — ad-supported, monetized through a premium version, bundled with a paid service, or developed by a business entity — it falls within CRA scope per Recital 18. The open-source license type (MIT, Apache, GPL) does not create an exemption. The test is commercial activity context, not license terms.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Classification under Annex III. Password managers and identity-related extensions may classify as Important Class I.

Technical Documentation

Art. 31 + Annex VII for browser extensions: manifest permissions, content scripts, background service workers, storage usage, API communications, and third-party dependencies.

Risk Assessment

Extension-specific analysis: content script injection attacks, cross-site data leakage, permission escalation, third-party analytics SDK risks, and update supply chain integrity.

User Information

Annex II adapted for extension users: what permissions the extension requires and why, what data is collected, how updates are delivered, how to report security issues, and developer contact.

Declaration of Conformity

Art. 28 + Annex V for your extension.

CVD Policy

Vulnerability disclosure policy for extension developers: how security researchers report issues, response timeline, and coordinated disclosure process.

Notification Template

ENISA template per Article 14 for extension incidents: compromised update push, data exfiltration discovery, permission abuse exploitation. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

Developer timeline: Art. 14 reporting from September 2026, full enforcement December 2027, support period.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 REGULATORY ATTORNEY

$11,000–$20,000

4-10 weeks. $3,000-$5,000 for scope analysis + $8,000-$15,000 for documentation. That is more than most indie extensions earn in a year.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history