CRA Guard

Published 25 March 2026

Is my WordPress plugin subject to the CRA?

We spent a lot of time reading the Cyber Resilience Act trying to answer one question: does this actually apply to us? The regulation has a broad reach, but not every piece of software falls within scope. Whether the CRA covers your WordPress plugin comes down to a few specific factors, and getting the answer wrong carries real consequences either way.

The test: “product with digital elements” on the EU market

The CRA applies to manufacturers of products with digital elements that are placed on the EU market. Both conditions must be met.

A “product with digital elements” is defined broadly. It covers any software or hardware product, plus any remote data processing solution whose function depends on such a product. A WordPress plugin is software. It qualifies.

“Placed on the EU market” means making the product available for distribution or use within the EU during a commercial activity. This is where it gets interesting for WordPress developers, because that commercial activity qualifier draws a line between products that are in scope and those that are not.

Commercial vs free/open-source: where the line falls

The CRA carves out an exemption for open-source software developed and supplied outside the course of a commercial activity. Recital 18 explains that merely making source code available, accepting voluntary donations, or charging fees that only cover costs does not by itself constitute a commercial activity.

But the exemption has limits. The CRA treats the following as indicators of commercial activity:

  • Charging a price for the software (licence fees, subscriptions, one-time purchases).
  • Providing paid support services in a systematic, regular manner connected to the software.
  • Using the software as a platform for monetisation, such as advertising or data collection.
  • Integrating the open-source software into a commercial product.

For us WordPress developers, that means a plugin sold through CodeCanyon, Freemius, or your own shop is clearly in scope. A free plugin on WordPress.org maintained by a volunteer with no commercial motive is generally outside scope.

The problem is that many of us operate somewhere in between.

Decision tree: are you in scope?

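Walk through these questions in order. A “yes” to any question other than Question 4 means the CRA likely applies to your product. Question 4 works the other way: a plugin that never leaves your own organisation is generally exempt.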

Question 1: Do you charge money for the plugin or theme?

If you sell your plugin or theme for any price, whether as a one-time purchase, annual subscription, or lifetime licence, you are engaged in a commercial activity. The CRA applies.

Question 2: Do you offer a free version alongside a paid premium tier?

If the free version exists to funnel users toward paid upgrades, the commercial intent is there. The paid tier is clearly in scope, and the free tier probably is too since it is part of the same commercial offering. The CRA likely applies to the entire product.

Question 3: Do you offer paid support, customisation, or integration services connected to the plugin?

If you systematically provide commercial services around a free plugin, the regulation may consider the whole activity commercial. The word to watch is “systematic.” Occasional, informal help is different from a structured support offering. The CRA may apply. Assess carefully.

Question 4: Is the plugin used exclusively by your own organisation (not distributed)?

The CRA covers products placed on the market. Internal tools that stay within your own organisation are not placed on the market, so they fall outside scope. But if you distribute the plugin to clients or partners, it is on the market. Internal-only tools are generally exempt.

Question 5: Do any of your users reside in the EU?

Even if you are based outside the EU, the CRA applies when your products are available on the EU market. If you actively sell to or target EU customers, you are placing products on the EU market. Your location does not matter. Market access does.

Grey areas: freemium, donations, and services

Freemium plugins

This is the most common grey area in our ecosystem, and honestly it is where most commercial WordPress developers sit. If your free plugin exists primarily to convert users into paid customers, the commercial activity test is almost certainly met. The CRA would apply to both versions since they are part of the same offering.

Donation-funded plugins

The regulation acknowledges that accepting voluntary financial contributions does not automatically make an open-source project commercial. But this applies to genuinely voluntary, unsolicited donations. If your plugin prominently solicits donations and those donations are a material revenue stream, authorities may see it differently. The distinction depends on the facts.

Plugins connected to paid services

If your plugin is free but connects to a paid SaaS product, the analysis depends on whether the plugin itself is the product or just a connector. A free plugin that primarily bridges to a commercial API or service may be considered part of the commercial activity around that service. We think this is one of the areas where enforcement will eventually provide clarity.

WordPress.org-only distribution

Distributing through WordPress.org does not automatically exempt you. The repository is a distribution channel, not a licence model. If the plugin you list on WordPress.org is commercial (even if the free version lives there and the premium is sold elsewhere), the CRA applies.

What “placing on the market” means for WordPress plugins

Under EU product regulation, “placing on the market” refers to the first time a product is made available on the EU market. For physical products, that has a clear meaning: the moment something reaches a warehouse or retail shelf in the EU.

For software distributed digitally, it translates to the moment the product becomes available for download or use by EU-based users. In practice:

  • Listing a plugin on a marketplace accessible from the EU counts as placing on the market.
  • Selling through your own website to EU customers counts.
  • Each new version of a plugin is a fresh placing on the market. The updated version must itself comply.
  • Making a beta or early-access version available to EU testers may also count, depending on the terms.

The practical upshot: if EU-based users can download and use your commercial plugin, you have placed it on the EU market. Geo-blocking EU users is technically possible but commercially painful for most of us.

How CRA Guard’s wizard helps you figure this out

We built a free “Am I in scope?” setup wizard into CRA Guard because we kept seeing the same confusion in WordPress developer communities. The wizard uses branching logic to walk you through the decision tree above and gives you a clear answer at the end.

It covers five to seven questions depending on your answers, including your distribution model, pricing structure, geographic market, and open-source licensing. You get one of three outcomes:

  • Clearly in scope: The CRA applies to your products, and you should start compliance work now.
  • Likely in scope: Your situation has characteristics that suggest CRA applicability, but some ambiguity remains. Proceed with compliance as a precaution and consider getting legal advice for a definitive answer.
  • Likely out of scope: Based on your answers, the CRA probably does not apply. If your business model changes (say you introduce a premium tier), reassess.

The wizard is part of the free tier. No upgrade needed. Install the plugin, run the wizard, and get clarity in under two minutes.

Start here

Figuring out whether the CRA applies to you is where everything begins. Vulnerability handling, SBOMs, incident reporting, documentation, all of it follows from that determination.

If you are in scope, the sooner you start preparing, the less painful the process will be. The September 2026 deadline is months away, not years. Read our complete CRA compliance guide for the full roadmap, or install CRA Guard and run the wizard now.

Download CRA Guard Free on WordPress.org

Disclaimer: This article provides general information about the CRA’s scope and is not legal advice. The CRA’s applicability depends on the specific facts of your situation. For a definitive legal assessment, consult a qualified professional.