Cyber Resilience Act and Mobile Apps: What Italian Software Companies Must Do by 2027

Regulation (EU) 2024/2847 — the Cyber Resilience Act — applies from 11 December 2027 to any software placed on the Union market. An Android or iOS app distributed through the App Store or Google Play falls within this definition. Most Italian software companies are not yet aware of this.
If your company develops a mobile ERP, a field service app, a booking or loyalty application that European customers download on their smartphones, by 2027 you will face new obligations: producing a Software Bill of Materials (SBOM), actively managing vulnerabilities, providing patches for five years, and — in the event of an incident — notifying ENISA within 24 hours. These are not GDPR obligations, which you already know. They come from the Cyber Resilience Act, and most Italian software companies with revenues between €1M and €15M have never heard of it.
Is My App a "Product with Digital Elements"?
The Definition in Art. 3 of Regulation (EU) 2024/2847
Art. 3(1) defines a product with digital elements as "a software or hardware product and its remote data processing solutions, including software or hardware components placed on the market separately." There is no list of permitted or excluded technology categories: the criterion is functional.
Art. 3(21) defines "placing on the market" as "the first making available of a product on the Union market." Distributing an app through the App Store or Google Play to European users is exactly this, regardless of the distribution channel. Recital 15 of the regulation confirms it: distribution via digital marketplaces does not alter the applicability of the rule.
Cases That Normally Fall Within Scope
The following types of mobile apps are typically subject to the CRA:
- Public B2C apps distributed via stores to EU users
- Enterprise apps installed on customers' devices (field service, booking, mobile ERP)
- Apps controlling IoT devices or interacting with connected hardware
- SDKs and software components commercialised separately
The Ambiguous Case: Pure SaaS
If the mobile client is essentially a remote terminal — all logic runs in the cloud and the app has no autonomous functions on-device — the scope is less clear. According to the draft Commission guidelines (Ares(2026)2319816, March 2026, pending formal adoption as of June 2026), a three-criteria test must be applied to assess whether "remote data processing" forms an integral part of the product. Pending a definitive text, it is prudent to assume the CRA applies and to verify scope by analysing Art. 3 and Recitals 15-18.
What Changes Compared to the GDPR You Already Know
The GDPR introduced data protection by design. The CRA introduces something different: product security by design, with technical obligations the GDPR does not require.
- SBOM (Software Bill of Materials): a structured inventory of all software dependencies — npm libraries, Gradle packages, CocoaPods. For many mobile apps, third-party dependencies represent the primary attack surface.
- Active vulnerability management: you must monitor CVEs in the components you use and release updates. The CRA prohibits abandoning a product without security patches for five years from market placement.
- Coordinated vulnerability disclosure policy: a declared channel through which security researchers can report vulnerabilities to you. ENISA provides an official template.
- 24h/72h/14-day notifications: in the event of an actively exploited security incident, you enter a notification regime with ENISA under strict deadlines — an obligation taking effect as early as 11 September 2026 (see our article on Art. 14 notifications for details).
- Technical documentation and EU Declaration of Conformity: you must produce and retain documentation demonstrating compliance with the essential requirements in Annex I.
Self-Assessment or Notified Body?
Most standard mobile apps fall into the CRA's "default" category: self-assessment of conformity is possible, with no external notified body required, provided applicable harmonised standards are followed.
Some app categories fall under Annex III Class I and may require third-party assessment in the absence of an applicable harmonised standard: password managers, VPN applications, and identity management / privileged access management (PAM) systems. Class II (Annex IV) — which includes operating systems, hypervisors, and browsers — always requires a notified body. For the typical mobile apps produced by an Italian software company, Class II is a rare scenario.
What to Do Now — 18-Month Roadmap
11 December 2027 may seem far away. It is not: building a CVE process and producing a verifiable SBOM takes months, not weeks. A company that starts in 2026 reaches 2027 with a tested process; one that waits until 2027 arrives in a state of emergency.
- Verify whether you are in scope: analyse Art. 3 and Recitals 15-18 of Regulation (EU) 2024/2847. If your app runs on European customers' devices, the answer is almost certainly yes.
- Produce a dependency inventory: this is the prerequisite for any SBOM. Open-source tools such as Syft, which can emit the CycloneDX or SPDX formats, are a concrete starting point.
- Start an internal CVE process: monitor CVEs in the components you use. A commercial tool is not necessary at first — a documented procedure is enough.
- Draft a coordinated vulnerability disclosure policy: use the ENISA template and publish the reporting channel on your website or store listing.
- Plan for 5 years of patches: review your end-of-life policy. The CRA requires the availability of security updates throughout the supported lifetime of the product.
- Contact us for an assessment of your digital products: Tomato Blue supports Italian software companies in mapping CRA scope and building the required processes.
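As an added example that is not part of the original article, the following Python sketch shows the second and third roadmap steps for a CocoaPods-based iOS app: it parses a Podfile.lock into a minimal CycloneDX 1.5 SBOM (one Package URL per component) and checks every component against an advisory list. The Podfile.lock fragment and the advisory entries are constructed sample data with placeholder ids, not real vulnerabilities.

```python
import re

# Constructed sample Podfile.lock fragment (not from the article); the
# two-space "  - Name (version)" lines are the app's direct pods.
PODFILE_LOCK = """PODS:
  - Alamofire (5.8.1)
  - SDWebImage (5.18.0):
    - SDWebImage/Core (= 5.18.0)
  - SDWebImage/Core (5.18.0)
"""

# Constructed advisory list with placeholder ids; a real CVE process would
# refresh this from a vulnerability feed on a schedule.
ADVISORIES = [
    {"name": "Alamofire", "fixed_in": "5.9.0", "id": "ADV-CONSTRUCTED-001"},
    {"name": "SDWebImage", "fixed_in": "5.17.0", "id": "ADV-CONSTRUCTED-002"},
]

# Matches top-level pods only; subspecs ("Name/Sub") and the indented
# dependency lines are deliberately excluded.
POD_LINE = re.compile(r"^  - ([A-Za-z0-9_.-]+) \((\d+(?:\.\d+)*)\):?$")


def parse_podfile_lock(text):
    """Return {pod: version} for the top-level pods in a Podfile.lock."""
    matches = (POD_LINE.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}


def build_cyclonedx(pods):
    """Minimal CycloneDX 1.5 document with a Package URL per component."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": [
            {"type": "library", "name": n, "version": v,
             "purl": f"pkg:cocoapods/{n}@{v}"}
            for n, v in pods.items()
        ],
    }


def version_key(v):
    """Numeric tuple so 5.10.0 sorts after 5.9.0 (string order would not)."""
    return tuple(int(p) for p in v.split("."))


def find_affected(bom, advisories):
    """(name, version, advisory id) for components older than the fix."""
    return [(c["name"], c["version"], a["id"])
            for c in bom["components"] for a in advisories
            if c["name"] == a["name"]
            and version_key(c["version"]) < version_key(a["fixed_in"])]
```

Running find_affected on the generated SBOM flags Alamofire 5.8.1 (below the constructed fix version 5.9.0) and leaves SDWebImage 5.18.0 clean; the same document can be handed to Syft-compatible tooling or kept as the SBOM artefact the CRA technical file requires.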
The Sanctions That Put Things in Perspective
Art. 64(2) of Regulation (EU) 2024/2847 sets out a penalty for non-compliance with the essential requirements (Annex I) and the obligations in Art. 13-14 of up to €15,000,000 or 2.5% of worldwide annual turnover — whichever is higher. For an Italian software company with €5M in revenue: €125,000. With €10M: €250,000. With €15M: €375,000.
Micro-enterprises are not exempt from the requirements; some enforcement modalities related to Art. 14 notifications have simplified procedures, not exemptions. Company size is not a safe harbour.
Sources
- Regulation (EU) 2024/2847 — IT text: EUR-Lex
- CRA Art. 3: european-cyber-resilience-act.com
- CRA Art. 64: european-cyber-resilience-act.com
- CRA Annex III: european-cyber-resilience-act.com
- Draft Commission Guidelines CRA (March 2026): CRA Evidence Blog
- CRA and SaaS — DLA Piper (Feb 2026): dlapiper.com
- ENISA — Coordinated Vulnerability Disclosure Policies: enisa.europa.eu
- European Commission — Cyber Resilience Act: digital-strategy.ec.europa.eu