The Cyber Resilience Act creates three tiers of scrutiny for security silicon. A standard microcontroller with a crypto engine is Important Class I (Annex III, item 14) — Module A self-assessment is available if harmonised standards apply. A tamper-resistant microcontroller is Important Class II (Annex III, item 4) — Module A is not available; third-party assessment is mandatory. A secure element or smartcard is Critical (Annex IV, item 3) — European cybersecurity certification may be required under Article 32(5). CRACheck walks you through classification and generates the documentation for whichever tier applies. €149 per product. 15–25 minutes.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.
Regulation (EU) 2024/2847 distinguishes sharply. A microcontroller with security-related functionalities is Important Class I (Annex III, item 14) — self-assessment may suffice with harmonised standards. A tamper-resistant microcontroller is Important Class II (Annex III, item 4) — third-party conformity assessment is mandatory under Art. 32(3). Conflating the two means preparing for the wrong assessment path.
Annex IV separately lists "smartcards or similar devices, including secure elements" (item 3) as Critical products. Article 32(5) may require European cybersecurity certification for Critical products. This is a fundamentally different regime from Annex III Important products.
Common Criteria certification is not automatically equivalent to CRA conformity. Article 32(2) allows Module A for Important Class I products only if harmonised standards covering all essential requirements are applied, or if an EU cybersecurity certification at assurance level "substantial" exists. A CC evaluation may support but does not replace CRA documentation and conformity assessment.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Maps your product against Annex III (items 13–14 Class I, items 3–4 Class II) and Annex IV (item 3 Critical). Documents classification rationale and applicable conformity assessment procedure under Art. 32.
Annex VII dossier structured for your tier. Silicon architecture, security function specs, design and development processes, production controls.
Annex I Part I analysis. Evaluates physical attacks, side channels, fault injection, supply chain compromise specific to security silicon.
Annex II information for downstream integrators. Secure deployment guidelines, configuration requirements, end-of-life procedures.
Art. 28 + Annex V, pre-structured with your Annex III/IV classification and applicable conformity module.
Vulnerability disclosure framework: PSIRT, coordination with chip integrators, reporting protocols.
Art. 14 ENISA notification: 24h, 72h, 14-day timeline.
Classification-specific milestones and enforcement dates.
Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.
Generated from your data, in your browser. No data leaves your device.
CRACheck determines your tier (Class I, Class II, or Critical) and generates Art. 31 + Annex VII documentation for that tier. This dossier precedes any third-party assessment. Without it, a notified body cannot begin evaluation.
For Class II, a notified body must perform conformity assessment (Module B+C or H). For Critical products, European cybersecurity certification may be required. CRACheck does not perform these — it produces the structured documentation these processes require as input.
Layer 1 is where every microcontroller and secure element manufacturer must start. Classification and documentation are prerequisites for everything else.
Article 64 of Regulation (EU) 2024/2847.
Annex I + Art. 13/14.
Art. 28, 31, 32.
Misleading information to notified bodies or authorities.
| Criterion | General Consultant | Notified Body Direct | In-House from Scratch | CRACheck |
|---|---|---|---|---|
| Classification accuracy | Depends on CRA expertise | Not their role pre-engagement | Risk of misclassification | Built-in Annex III + IV logic |
| Time to documentation | 6–16 weeks | Not applicable | 4–12 weeks | 15–25 minutes |
| Cost | €15,000–€30,000 | Assessment fees separate | Internal staff cost | €149 |
| Data exposure | Shared under NDA | Shared during assessment | Internal | 100% browser-side |
If you manufacture microcontrollers in several security categories, each distinct product needs its own classification and dossier. Volume pricing: €99/product (pack 10), €79/product (pack 30).
Request Volume PricingCRACheck generates a structured document aligned with Article 31 and Annex VII of Regulation (EU) 2024/2847 based on your input. The accuracy of the data — including security functionalities and intended use — is your responsibility as manufacturer.
We guarantee the document structure follows Art. 31 + Annex VII and that the Annex III/IV classification logic reflects the current regulation text. We do not guarantee acceptance by a notified body or market surveillance authority in a specific case.
CRACheck is not legal advice. For classification disputes, conformity assessment strategy, or interaction with notified bodies, consult a specialised regulatory attorney.
Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.