
Annex I of Regulation (EU) 2024/2847 lists 13 cybersecurity requirements for the product and 8 vulnerability handling obligations for the manufacturer. Your technical documentation under Article 31 must demonstrate compliance with every applicable one. This is the complete list and what each requirement means for your engineering and documentation workflow.

Annex I is divided into two parts. Part I sets out 13 properties that the product with digital elements must have — from secure-by-default configuration to data minimisation to attack surface reduction. Part II sets out 8 vulnerability handling obligations that the manufacturer must follow throughout the support period — from maintaining a software bill of materials to providing free security updates without delay. Article 6 of Regulation (EU) 2024/2847 states that products may only be placed on the EU market if they meet every applicable requirement in both parts. CRACheck structures the technical documentation required under Article 31 and Annex VII around these 21 requirements. 8 PDFs. 15–25 minutes. €149 per product.


Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side

Key figures

21: Essential cybersecurity requirements in Annex I (13 product + 8 vulnerability handling)
€15M: Maximum administrative fine for non-compliance with Annex I under Article 64(2)
8: Documents in the CRACheck dossier covering every applicable Annex I requirement

How CRACheck maps Annex I requirements to your documentation

The 21 requirements of Annex I are not standalone checkboxes. They feed into the cybersecurity risk assessment under Article 13(2), the technical documentation under Article 31, and the user information under Annex II. CRACheck structures this chain in 7 steps.

1. Product identification
You enter your product type, intended purpose, connectivity, and software components. CRACheck uses this to scope which Annex I Part I requirements are applicable.

2. Classification
CRACheck determines whether your product falls under Default, Important Class I, Important Class II, or Critical category by cross-referencing Annex III and Annex IV.

3. Risk assessment
CRACheck structures your cybersecurity risk assessment per Article 13(2)–(3), mapping each applicable Annex I Part I requirement against identified risks.

4. Vulnerability handling
You declare your processes for the 8 Part II obligations: SBOM, patching cadence, CVD policy, update distribution mechanism.

5. Technical documentation
CRACheck assembles the Annex VII file: product description, design and development information, risk assessment, support period rationale, standards applied, test reports, and EU Declaration of Conformity.

6. User information
CRACheck generates the Annex II information sheet with the 9 data points the user must receive.

7. Download
8 PDFs in a ZIP file. Product Classifier, Technical Documentation, Risk Assessment, User Information, Declaration of Conformity, CVD Policy, Notification Template, Obligations Calendar.

Common mistakes

ANNEX I · PART I

Treating Annex I as a yes/no checklist

Annex I Part I point (2) states that requirements apply "on the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable." Each requirement must be assessed against the product's specific risk profile. A blanket "compliant" without a documented risk assessment is insufficient under Article 31.

ANNEX I · PART II

Ignoring vulnerability handling obligations

Part II of Annex I is not optional. It requires the manufacturer to maintain an SBOM, operate a CVD policy, distribute security updates free of charge, and provide a contact point for vulnerability reporting. These obligations persist throughout the support period defined under Article 13(8).

ART. 64

Assuming Annex I non-compliance is a minor infringement

Article 64(2) of Regulation (EU) 2024/2847 sets administrative fines of up to €15,000,000 or 2.5% of total worldwide annual turnover for non-compliance with Annex I requirements. This is the highest penalty tier in the CRA.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
Determines your product category (Default / Important Class I / Class II / Critical) by cross-referencing Annex III and Annex IV. The classification determines which conformity assessment procedure under Article 32 applies.

2. Technical Documentation
The Annex VII file. Contains the 8 elements required under Article 31: product description, design and development information with system architecture, vulnerability handling processes including SBOM and CVD policy, cybersecurity risk assessment, support period rationale, standards applied, test reports, and EU Declaration of Conformity.

3. Risk Assessment
Cybersecurity risk assessment per Article 13(2)–(3), structured against every applicable Annex I Part I requirement. Documents which requirements apply, how they are implemented, and the residual risk for each.

4. User Information
The 9 data points required by Annex II: manufacturer identification, vulnerability contact, product identification, intended purpose with security environment, foreseeable cybersecurity risks, DoC link, support period and type, detailed security instructions, and SBOM availability.

5. Declaration of Conformity
EU Declaration of Conformity per Article 28 and Annex V. Contains: product identification, manufacturer data, conformity statement, harmonised standards or specifications applied, notified body information if applicable, and signature block.

6. CVD Policy
Coordinated vulnerability disclosure policy as required by Annex I Part II point (5). Includes contact point for reporting, expected response timeline, and disclosure coordination process.

7. Notification Template
Pre-structured template for ENISA and CSIRT notifications under Article 14. Covers the three-stage notification under Art. 14(2): early warning within 24 hours, vulnerability notification within 72 hours, and final report within 14 days.

8. Obligations Calendar
Timeline of CRA obligations with key dates: 11 September 2026 (Article 14 reporting), 11 December 2027 (full enforcement), and product-specific support period milestones.


Generated from your data, in your browser. No data leaves your device.

What you pay

THE ALTERNATIVE
Cybersecurity compliance consultancy
€5,000–15,000 per product for Annex I gap analysis
4–12 weeks lead time
Deliverable varies by firm — often a slide deck, not the actual Annex VII file
Repeat engagement for each product variant
Last regulatory check: 1 May 2026 · No substantive changes detected