FAQ: Common CRA Questions from Software Developers

Here are some frequently asked questions about the Cyber Resilience Act (CRA) from the perspective of an app, game, or software developer.

Does the CRA apply to my free app or game?

The CRA applies to products made available on the market "in the course of a commercial activity" (Article 3, point 22). Recital 15 clarifies that a commercial activity is characterized not only by charging a price, but also by an intention to monetize, for instance by monetizing other services through a software platform, or by processing personal data for reasons other than improving security or compatibility. If your free app has in-app purchases, shows ads, or collects data for commercial purposes, it is very likely considered a commercial activity and falls under the CRA. Truly non-commercial, non-monetized free and open-source software is generally excluded.

What is the minimum support period I must provide?

The support period for security updates must be at least five years (Article 13, Paragraph 8). However, if the product's expected use time is less than five years, the support period can correspond to that shorter expected use time. You must document the rationale for your chosen period.

Do I need a third-party audit for my simple app?

Probably not. If your software does not fall into the "important" (Annex III) or "critical" (Annex IV) product categories, you can generally perform a self-assessment of conformity (Module A), as explained in Article 32. This involves creating the necessary documentation and issuing an EU Declaration of Conformity on your own responsibility.

What is a "substantial modification"?

A substantial modification is a change made to your software after its release that affects its compliance with the CRA's essential security requirements or changes its intended purpose (Article 3, point 30). For example, adding a major new online feature to a previously offline app could be a substantial modification, likely requiring an update to your risk assessment and potentially a new conformity assessment. Fixing a minor bug is not.

Key Takeaway

The CRA applies to most commercial software, including monetized free apps. The default minimum support period is five years, and most standard software will be eligible for self-assessment without needing a third-party audit.