The Cyber Resilience Act creates a specific framework for authorised representatives under Art. 18, distinct from the importer under Art. 19. An authorised representative is a natural or legal person established in the EU who has received a written mandate from the manufacturer (Art. 3(15)). Art. 18(3) defines the minimum mandate scope: retain the EU Declaration of Conformity and technical documentation for at least 10 years, provide documentation to authorities upon request, and cooperate with authorities on risk elimination. But Art. 18(2) sets a hard exclusion: the core manufacturer obligations under Art. 13(1)-(11) and Art. 13(14) — design, development, production, risk assessment, vulnerability handling, ENISA reporting — cannot be delegated. CRACheck generates the 8-document technical file your representative will hold. €149 per product. 15-25 minutes. Browser-side.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
Art. 18(2) of Regulation (EU) 2024/2847 explicitly excludes Art. 13(14) from the mandate scope. Art. 14 reporting — the 24h early warning, 72h notification, 14-day final report to ENISA — remains with the manufacturer. You cannot delegate vulnerability reporting to your EU representative.
Art. 3(15) defines the authorised representative as a mandated agent of the manufacturer. Art. 3(16) defines the importer as an EU person placing a product bearing a non-EU name. These are distinct roles. An importer has independent verification obligations under Art. 19. A representative acts within the manufacturer's mandate under Art. 18. One entity can serve as both, but the obligations stack — they do not merge.
The representative's core function under Art. 18(3)(a) is holding the declaration of conformity and technical documentation. If you appoint a representative before completing Art. 31 documentation, the representative has nothing to hold — and your product lacks the documentation Art. 31 requires at market placement.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Identifies the CRA category. Your representative needs to know the classification to understand which conformity assessment route was followed.
The core Art. 31 and Annex VII document. This is what your representative holds under Art. 18(3)(a).
Cybersecurity risk assessment per Art. 13(2)-(3). Completed by you — the representative holds the result but does not produce it.
Annex II information and instructions. Your representative must produce this upon authority request.
EU Declaration per Art. 28 and Annex V. Art. 18(3)(a) specifically names this as a retention document.
Coordinated vulnerability disclosure policy per Annex I Part II. Completed by you. Held by the representative.
ENISA notification template per Art. 14. You use this directly — the representative holds a copy for reference.
Key CRA dates with representative retention obligations: 10-year minimum, support period milestones, ENISA reporting from September 2026.
See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.
Generated from your data, in your browser. No data leaves your device.
CRACheck produces the structured technical documentation under Art. 31 and Annex VII that your authorised representative holds on your behalf. Eight PDF documents. One licence per product. The output is portable: transfer it to any representative in any EU member state. The documentation belongs to you, not to a service provider.
CRACheck does not appoint an authorised representative. It does not draft the written mandate under Art. 18(1). It does not perform conformity assessment under Art. 32. It does not submit ENISA notifications under Art. 14. It does not act as your representative. CRACheck generates the documentation — the representative relationship is a separate commercial arrangement.
You produce the documentation. You appoint the representative. The representative holds what you produced. CRACheck handles the first step.
ENISA reporting is your obligation as manufacturer. Your representative does not submit notifications. The 24h/72h/14-day process must be operational by this date regardless of your representative arrangement.
Your product must carry CE marking, be accompanied by Annex VII documentation, and your representative must hold all documentation per Art. 18(3)(a).
For non-compliance with Art. 18. Note: the manufacturer's own non-compliance with Art. 13 and Art. 14 falls under Art. 64(2) — €15M or 2.5%.
| Criterio | Bundled representative service | In-house EU subsidiary | No representative | CRACheck + separate representative |
|---|---|---|---|---|
| Documentation cost | Included (opaque pricing) | Staff time | N/A | €149 per product |
| Documentation ownership | Provider holds it | You hold it | N/A | You hold it |
| Provider lock-in | High — documentation tied to contract | None | N/A | None — portable PDF |
| Switching cost | Re-document everything | N/A | N/A | Zero — transfer the PDF |
| CRACheck | €149 | You own it | None | Portable PDF |
Pack 10: €99 per product. Pack 30: €79 per product. For non-EU manufacturers with large EU-bound catalogues, contact us for enterprise pricing.
Request volume pricingCRACheck generates a structured document set according to Art. 31 and Annex VII of Regulation (EU) 2024/2847 based on the information you provide. The accuracy of that information is your responsibility as manufacturer under Art. 13(1).
We guarantee that the document structure follows Art. 31 and Annex VII and that the legal references cited are correct. We do not guarantee acceptance by a specific market surveillance authority or that the documentation will satisfy a specific representative provider's internal requirements.
CRACheck is not legal advice. For questions about representative mandate scope, contractual structuring, or the interaction between Art. 18 and Art. 19, consult a qualified EU regulatory lawyer.
Generate the 8-document technical file under Art. 31 and Annex VII. Transfer it to any authorised representative in the EU. €149 per product. Browser-side. No provider lock-in.