Free interactive workflow
Is your mobile app Default, Class I or Class II?
Answer three short questions. We walk you through CRA classification — Annex III (Class I) and Annex IV (Class II) triggers as they apply to mobile apps — and tell you which conformity-assessment path you're on. Results are advisory; verify against the regulation.
Step 1 · In-scope check
Is your app in scope of the CRA?
Tick every statement that is true for your app. The CRA only applies if all three are true.
For reference
What each result actually means
Default
Self-assessment
The vast majority of mobile apps. You assess yourself against the 21 essential requirements in Annex I, draft a Declaration of Conformity, generate an SBOM, publish a vulnerability-disclosure policy, and apply the CE marking.
Class I — Important
Self-assessment if standards apply
Annex III categories. You can self-assess only if you fully apply the relevant harmonised standards. Otherwise a notified body must run the conformity assessment.
Class II — Critical
Notified body required
Annex IV categories. A notified body must run the conformity assessment. Plan the cost and timeline early — this is not a self-service path.
Final classification depends on the specific text of the regulation and any delegated acts in force at the time of placement on the market. This workflow is a triage aid, not legal advice.