Is your software caught by the CRA — and can you report in 24 hours?
From 11 September 2026, makers of products with digital elements must report actively exploited vulnerabilities within 24 hours — for products already on the market, including software you shipped years ago. Find out if you're in scope, your class and conformity route, and get the reporting runbook.
Are you in scope of the CRA?
Four questions. This is a screening against the regulation and the Commission's March 2026 draft guidance — not legal advice.
A 24-hour clock — for products you already shipped.
Full CRA compliance is due 11 December 2027, but the incident-reporting obligation bites first, on 11 September 2026 — and it reaches back to products already on the market.
24h / 72h / 14 days
Early warning within 24 hours of awareness, full notification within 72 hours, final report within 14 days of a fix — to your CSIRT and ENISA via the new Single Reporting Platform.
It applies to legacy products
The reporting duty covers products already on the market — including software you shipped years ago that's still in use. "It doesn't matter that you launched in 2019."
SaaS is (mostly) out
The March 2026 guidance confirmed standalone SaaS is out of scope — unless it's a remote data processing solution a product needs to function. Non-commercial open source is out until commercialised.
Up to €15m or 2.5%
Fines reach €15 million or 2.5% of worldwide turnover. Product classes (default / important / critical) set whether you self-assess or need a notified body.
Your position, plus the runbook.
Describe your products
Product type, delivery model, connectivity, open-source status. No account.
We map the regulation
Scope (with the SaaS/RDPS reasoning), product class, conformity route, and the reporting duty — cited to the article and the March 2026 guidance.
Get the report + runbook
A dated position report plus the 24/72/14 incident procedure as a ready-to-adopt internal document, and the customer-questionnaire answer.
Tell us about your products
The report reflects exactly what you enter.
One per line. e.g. "on-prem inventory app", "Wi-Fi thermostat", "commercial SDK".
A screening of your answers against Regulation (EU) 2024/2847 and the Commission's non-binding draft guidance — not legal advice or a conformity assessment. Out-of-scope means out of scope of the CRA (other rules, e.g. NIS2, may still apply). Secure checkout via Stripe.
What you're buying
Does the CRA apply to SaaS?
The Commission's March 2026 draft guidance confirmed standalone SaaS is out of scope — ending a live debate — unless the cloud component is a "remote data processing solution" without which the product can't perform its function. The report shows the reasoning for your specific case, with the citation.
Does it really apply to old software?
Yes. Article 69(3) applies the reporting obligation to products already on the market — including software shipped years ago that's still in use. This turns a 2027 compliance project into a September 2026 reporting readiness one.
What exactly must I do from 11 September?
Report actively exploited vulnerabilities and severe incidents on a clock: early warning within 24 hours of awareness, full notification within 72 hours, and a final report within 14 days of a fix — via the new Single Reporting Platform to your CSIRT and ENISA. The report includes a ready-to-adopt runbook for exactly this.
Is my open-source project caught?
Non-commercial open source is out of scope. But commercialise it, or integrate it into a commercial product, and it's in — with a new "steward" category for foundations. The checker asks the commercial-activity question that decides it.
Is this legal advice?
No. It's a screening of your answers against the regulation and the (non-binding, draft) Commission guidance, cited so you can verify. The SaaS/RDPS boundary and class edges are genuinely contested — confirm with counsel or a notified body before relying on it for market-access decisions.