Annex I is divided into two parts. Part I sets out 13 properties that the product with digital elements must have — from secure-by-default configuration to data minimisation to attack surface reduction. Part II sets out 8 vulnerability handling obligations that the manufacturer must follow throughout the support period — from maintaining a software bill of materials to providing free security updates without delay. Article 6 of Regulation (EU) 2024/2847 states that products may only be placed on the EU market if they meet every applicable requirement in both parts. CRACheck structures the technical documentation required under Article 31 and Annex VII around these 21 requirements. 8 PDFs. 15–25 minutes. €149 per product.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
The 21 requirements of Annex I are not standalone checkboxes. They feed into the cybersecurity risk assessment under Article 13(2), the technical documentation under Article 31, and the user information under Annex II. CRACheck structures this chain in 7 steps.
Annex I Part I point (2) states that requirements apply "on the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable." Each requirement must be assessed against the product's specific risk profile. A blanket "compliant" without a documented risk assessment is insufficient under Article 31.
Part II of Annex I is not optional. It requires the manufacturer to maintain an SBOM, operate a CVD policy, distribute security updates free of charge, and provide a contact point for vulnerability reporting. These obligations persist throughout the support period defined under Article 13(8).
Article 64(2) of Regulation (EU) 2024/2847 sets administrative fines of up to €15,000,000 or 2.5% of total worldwide annual turnover for non-compliance with Annex I requirements. This is the highest penalty tier in the CRA.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Determines your product category (Default / Important Class I / Class II / Critical) by cross-referencing Annex III and Annex IV. The classification determines which conformity assessment procedure under Article 32 applies.
The Annex VII file. Contains the 8 elements required under Article 31: product description, design and development information with system architecture, vulnerability handling processes including SBOM and CVD policy, cybersecurity risk assessment, support period rationale, standards applied, test reports, and EU Declaration of Conformity.
Cybersecurity risk assessment per Article 13(2)–(3), structured against every applicable Annex I Part I requirement. Documents which requirements apply, how they are implemented, and the residual risk for each.
The 9 data points required by Annex II: manufacturer identification, vulnerability contact, product identification, intended purpose with security environment, foreseeable cybersecurity risks, DoC link, support period and type, detailed security instructions, and SBOM availability.
EU Declaration of Conformity per Article 28 and Annex V. Contains: product identification, manufacturer data, conformity statement, harmonised standards or specifications applied, notified body information if applicable, and signature block.
Coordinated vulnerability disclosure policy as required by Annex I Part II point (5). Includes contact point for reporting, expected response timeline, and disclosure coordination process.
Pre-structured template for ENISA and CSIRT notifications under Article 14. Covers the three-stage notification under Article 14(2): early warning within 24 hours, vulnerability notification within 72 hours, and final report within 14 days.
Timeline of CRA obligations with key dates: 11 September 2026 (Article 14 reporting), 11 December 2027 (full enforcement), and product-specific support period milestones.
See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.
Generated from your data, in your browser. No data leaves your device.
CRACheck generates the structured technical documentation required under Article 31 and Annex VII of Regulation (EU) 2024/2847. It maps every applicable Annex I requirement to your product's risk profile, assembles the cybersecurity risk assessment, produces the EU Declaration of Conformity, and generates the vulnerability handling documentation including CVD policy and ENISA notification templates.
CRACheck does not perform penetration testing, code review, or any technical audit of your product. It does not certify conformity. It does not act as a notified body under Article 32. It does not provide the conformity assessment procedure itself — it produces the documentation that feeds into it. For Important Class II and Critical products requiring third-party assessment, the notified body or certification body is a separate engagement.
The documentation is the foundation. The assessment builds on it. CRACheck produces the documentation layer.
Article 64(2) — Non-compliance with the essential cybersecurity requirements set out in Annex I and the obligations set out in Articles 13 and 14. This is the highest penalty tier. Applies to missing or inadequate Annex I implementation.
Article 64(3) — Non-compliance with obligations under Articles 18–23, Article 28, Article 31(1)–(4), Article 32(1)–(3), and others. Applies to missing technical documentation, missing Declaration of Conformity, or failure to follow conformity assessment procedures.
Article 64(4) — Supply of incorrect, incomplete, or misleading information to notified bodies and market surveillance authorities. Applies to inaccurate data in the technical documentation or conformity declarations.
| Criterion | Consultancy | In-house legal team | CRACheck |
|---|---|---|---|
| Price | €5,000–15,000/product | Internal headcount cost | €149/product |
| Delivery time | 4–12 weeks | 2–6 months (first product) | 15–25 minutes |
| Output format | Slide deck or report | Varies | 8 PDFs structured per Annex VII |
| Annex I mapping | Manual interpretation | Manual interpretation | Automated against all 21 requirements |
| Data handling | Sent to consultancy | Internal | 100% browser-side — data never leaves your device |
If you manufacture a product family with shared components and need Annex I documentation for each variant, contact us for volume pricing. Pack of 10: €99 per product. Pack of 30: €79 per product.
CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847, based on the information you enter. The accuracy, completeness, and truthfulness of that information are your responsibility as manufacturer.
We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case.
CRACheck is not legal advice. For situations specific to your product or market, consult a qualified lawyer or specialised regulatory consultancy.
Map every applicable Annex I requirement to your product's risk profile and generate the Article 31 + Annex VII technical documentation. €149 per product. 100% in your browser.