Reg (EU) 2024/2847

You publish a mobile app on the App Store or Google Play. European users can download it. Under Article 3(1) of Regulation (EU) 2024/2847, that app is a product with digital elements placed on the EU market. If it connects to your cloud backend, Article 3(2) brings the backend into scope too. CRACheck generates the technical documentation Article 31 requires — before an app store policy change forces you to scramble.

A mobile app distributed through an app store available in EU countries is "made available on the market" per Article 3(22) of the Cyber Resilience Act. The developer is the manufacturer under Article 3(13). If the app relies on a cloud API, the backend is remote data processing under Article 3(2), and the entire system — app plus cloud — constitutes the regulated product. CRACheck generates the 8-document dossier required under Article 31 + Annex VII in 15-25 minutes for €149. No data leaves your browser. No legal team required.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side — your data never leaves your device

Key numbers

27 countries
EU Member States where your app store listing makes your product available on the market
€15M
Maximum fine for non-compliance with CRA essential cybersecurity requirements (Art. 64(2))
€149
One-time cost for the full 8-document CRA dossier with CRACheck

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

1. Identify your app as a product
Enter app name, platform (iOS, Android, cross-platform), developer entity name and address. CRACheck frames your app as a product with digital elements per Article 3(1).
2. Map the remote data processing
Does your app communicate with a backend API? If yes, describe the data flows. The backend becomes remote data processing under Article 3(2), extending CRA scope to your cloud infrastructure.
3. Classify under Annex III
Most consumer mobile apps classify as Default category, eligible for self-assessment via Module A (Annex VIII). Apps managing personal health data or payment functions may fall into Important Class I.
4. Describe your security posture
Authentication methods, data encryption at rest and in transit, update mechanism, third-party SDKs, analytics libraries, and permissions requested.
5. Generate risk assessment
Mobile-specific threat analysis per Article 13(2)-(3): API key exposure, insecure local storage, man-in-the-middle attacks, third-party SDK vulnerabilities, and excessive permission risks.
6. Produce all 8 documents
Technical documentation, risk assessment, declaration of conformity, user information (including your app store privacy label), CVD policy, ENISA template, obligations calendar.
7. Download and archive
8 PDFs in ZIP. Keep them alongside your app store metadata. Ready for any compliance inquiry.

Common mistakes

PLATFORM vs MANUFACTURER

"Apple and Google handle compliance for apps on their stores"

App stores are distribution platforms, not manufacturers. Article 3(13) defines the manufacturer as the entity that develops the product. If you wrote the code, you are the manufacturer regardless of the distribution channel. Apple and Google may enforce CRA requirements through their developer policies, but the legal obligation rests with you.

COMMERCIAL ACTIVITY

"My app is free, so commercial activity rules do not apply"

Article 3(22) includes supply in the course of commercial activity "whether or not for payment." If your app is monetized through ads, in-app purchases, data collection, or serves as a gateway to a paid service, it is distributed in the course of commercial activity. Even a completely free utility app distributed by a company (not a private individual) is placed on the market in a commercial context.

MARKET EXIT COST

"I will just geo-block EU users if compliance is too complex"

Geo-blocking the EU means losing access to 450 million potential users. The CRA documentation obligation for a Default category product — which covers most consumer apps — requires self-assessment via Module A. CRACheck generates this documentation for €149 in 15 minutes. The compliance cost is almost certainly lower than the revenue loss from geo-blocking the EU.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier

Determines your app's Annex III category. Consumer apps typically classify as Default. Apps with security functions (password managers, VPNs, parental controls) may classify as Important Class I.

2. Technical Documentation

Art. 31 + Annex VII dossier structured for mobile applications: client architecture, API integration, platform-specific security features, third-party SDK inventory, and update delivery mechanism.

3. Risk Assessment

Mobile-specific cybersecurity analysis: insecure data storage, certificate pinning, jailbreak/root detection, third-party analytics privacy, biometric data handling, and push notification security.

4. User Information

Annex II document for app users: security properties, data handling, update policy, known limitations, and manufacturer contact. Compatible with app store privacy labels.

5. Declaration of Conformity

Article 28 + Annex V declaration for your mobile app. Covers the app and any remote data processing backend as a unified product.

6. CVD Policy

Vulnerability disclosure policy: how security researchers can report issues in your app, response timeline, coordinated disclosure process.

7. Notification Template

ENISA notification structure per Article 14 for mobile app incidents: compromised APIs, data breaches through app vulnerabilities, third-party SDK exploits. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

8. Obligations Calendar

Key dates: Art. 14 reporting from September 2026, full enforcement December 2027, support period obligations per Article 13(8).

Look before you buy — Download sample dossier (PDF, fictitious company) — Real structure, real articles, real format. Fictitious data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 REGULATORY ATTORNEY
$13,000–$28,000
4-12 weeks. $3,000-$8,000 for scope memo + $10,000-$20,000 for documentation. Budget a solo developer does not have.
Last regulatory check: 1 May 2026 · No substantive changes detected