Questions about CRA regulation (Cyber Resilience Act)
-
There are some points which I haven't understood clearly about CRA regulation.
I don't work for a company. I am into programming as a hobby, but I sometimes want to create a usable Android or Windows app and sell it online. I am a one-person developer. If I create an LGPL-licensed app and sell it in the EU (online sale), does the CRA regulation apply to my situation too? If my app does not use networking or the internet, does that change anything?
-
Hey @Cfan,
Great question — the CRA (Cyber Resilience Act) is still a bit complex, especially for solo developers and hobbyists.
From what’s been shared so far, the CRA mainly applies to digital products with internet connectivity or those that handle user data in ways that could pose security risks. If your app doesn’t use any networking features and isn’t connected to the internet, it might not fall under the most stringent CRA requirements.
However, if you're selling the app in the EU, even as a solo developer, some basic compliance could still apply — especially regarding secure development practices and documentation. Licensing like LGPL is more about the code sharing terms and doesn’t exempt you from CRA if the product falls under it.
You may not be a major target, but it’s a good idea to keep an eye on updates and consult simplified guides or experts when your app starts gaining users or revenue.
Hope that helps!
-
I have skimmed the CRA (in my native language, so I might wrongly translate some of the words). Every piece of software distributed in the EU has to follow this. However, small enterprises can have simplified technical documentation and can apply for financial support. Every country still has to specify what "simplified" means. You certainly need an SBOM (a list of the libraries you are using). There is something about encryption and integrity of data, as well as integrity of the software itself. I am not sure to what extent this applies to general file formats (is every file "data"?). It becomes mandatory to report CVEs starting from next year. You are exempt from everything else if you publish your software before 11.12.2027, and it stays that way until there are "significant changes" (I read this as major updates, or maybe even a bump in the minor version because of some new functionality). Not using the internet certainly exempts you from "important devices". It is hard to tell from a quick read, but I believe that "important devices" in addition need to provide a quality assurance process.
In the end this is all based on self-reporting and I hope this is made sufficiently easy for smaller enterprises.
-
I've read it out of curiosity now.
But this doesn't influence how you can publish your Open-Source projects (with and without internet access) on something like GitHub, right?
This only affects commercial software, or really everything that is being published by "someone" within the EU?!
-
@Pl45m4 My understanding is that this applies to anyone distributing software in the EU. It doesn't matter if you/your company is from the EU, only whether some of your clients/users are from the EU. The source code itself is not a product, yet. This means you can publish source code on GitHub without following the CRA. I assume that if you also provide compiled binaries on GitHub you'll fall under the open-source rules of the CRA. Honestly, I have skipped the articles about open source, but I have seen that there are certain rules to be followed by maintainers of open-source projects. I guess we could start a discussion about whether GitHub itself is the distributor of the compiled binaries inside the EU and has to conform to the rules of the CRA. On the other hand, they might just claim that they provide a service and each individual publisher of binaries is responsible for the CRA. I would expect GitHub to either change their terms accordingly or maybe provide an option not to publish the binaries inside the EU.