App Stores, Distribution Platforms, and CRA for App Developers

You have built your app, and now it is time to get it to users, likely through app stores (Apple App Store, Google Play Store) or other distribution platforms. What is your responsibility under the EU Cyber Resilience Act (CRA) versus the platform's?

You Are the Manufacturer

First and foremost, as the app developer, you are considered the "manufacturer" of your app under the CRA (Article 3, Point 13). This means the primary obligations for ensuring your app meets the CRA's essential cybersecurity requirements (Annex I) and vulnerability handling processes rest with you.

App Store's Role vs. Your CRA Obligations

App stores and distribution platforms have their own review processes and policies. These might include security checks. However:

  • Platform Review is Not CRA Certification: An app store's approval does not automatically mean your app is CRA compliant. Their review processes might not cover all CRA requirements, or not to the same depth.
  • Your Obligations Remain: You are still responsible for conducting your own cybersecurity risk assessment (Article 13, Paragraph 2), creating technical documentation (Article 31, Annex VII), and ensuring ongoing vulnerability management (Article 13, Paragraph 8; Annex I, Part II), regardless of the platform's checks.
  • CE Marking and Declaration of Conformity: You are responsible for the CE marking (if applicable to your type of product and conformity route) and the EU Declaration of Conformity (Article 28), which attests to your app's compliance.

Information Provided Through Platforms

App stores are a key channel for communicating with users. Information required by Annex II of the CRA can often be provided via your app's store page description or linked support websites. This includes:

  • Your contact details for vulnerability reporting (Annex II, Item 2).
  • Information on the app's intended purpose and security properties (Annex II, Item 4).
  • The support period end date (Annex II, Item 7; Article 13, Paragraph 19).
  • Instructions for secure use and updates (Annex II, Item 8).

Platform as Distributor

If an app store simply lists your app and facilitates the transaction, it might be considered a "distributor" under certain conditions. Distributors also have obligations, like acting with due care and cooperating with market surveillance authorities (Article 20). However, this does not shift the primary manufacturing responsibilities from you.

Key Takeaway

Even when distributing through app stores, you, the app developer, are the CRA manufacturer and retain full responsibility for your app's compliance. Platform reviews are helpful but do not substitute for your own CRA due diligence, documentation, and ongoing security commitments.