Reg (EU) 2024/2847Generate dossier — €149
LIVE — Enforcement tracker · Deadline dashboard · Transposition status — Updated weekly from EUR-Lex, Safety Gate, OEIL & 12 official sourcesView regulatory intelligence →

The European RFP on your desk includes a new section: Cyber Resilience Act compliance. The evaluation criteria reference Regulation (EU) 2024/2847 and require evidence of Annex VII documentation capability. Your bid team has three weeks to respond. CRACheck produces the documentation artefact that demonstrates compliance readiness. 15 minutes. €149.

European enterprise and public sector RFPs are being updated. The new pattern: a mandatory section on Regulation (EU) 2024/2847 compliance, weighted in the evaluation scoring. The RFP asks whether the vendor can deliver technical documentation under Annex VII, demonstrate a vulnerability handling process per Annex I Part II, and provide an SBOM. Indian IT services firms responding to these RFPs need a concrete artefact — not a paragraph claiming compliance, but a structured document that the evaluation committee can review. CRACheck generates that artefact: 8 PDF documents under Art. 31 + Annex VII. €149 per product. 15–25 minutes. Attach it to the bid.

Generate Annex VII dossier — €149Free: check if your product is in scope

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side — your data never leaves your device

Key numbers

RFP section
CRA compliance is now a weighted evaluation criterion in European procurement.
15–25 min
Generate the documentation artefact before the bid deadline.
€149
Per product. Add to bid cost. Negligible against the contract value.

How it works

1
Extract the CRA requirements from the RFP
Look for references to Regulation (EU) 2024/2847, Annex VII, SBOM, vulnerability handling, conformity assessment. Note the evaluation weight.
2
Classify the product described in the RFP scope
Use the free CRACheck classifier. Determine if it is Default, Important Class I, or Class II under Annex III.
3
Run CRACheck for a representative product
If the RFP covers a product you already develop, use that product's data. If it is a new build, use your proposed architecture. 15–25 minutes.
4
Download the 8-PDF dossier
Structured under Annex VII. Professional formatting that RFP evaluators recognise.
5
Attach to the bid proposal
Include the ZIP as an annex to the compliance section of your RFP response. Reference specific Annex VII sections in your narrative answer.
6
Win the deal
The evaluation committee sees structured evidence, not generic claims. Your proposal scores higher on the CRA compliance criterion.

Three mistakes to avoid

COMMON MISTAKE

"We will address CRA compliance after we win the contract"

The RFP evaluation scores compliance capability before contract award. If your response says "we will comply post-award," the evaluator gives you zero points on that criterion. The bid team that attaches a structured Annex VII dossier scores higher. The documentation needs to exist at bid time.

COMMON MISTAKE

"A paragraph stating 'we are committed to CRA compliance' is sufficient"

European procurement evaluators are trained to distinguish between statements of intent and evidence of capability. A statement of commitment is not evidence. An Annex VII dossier — with structured sections matching the regulation — is evidence. CRACheck produces the evidence.

COMMON MISTAKE

"We will cite our ISO 27001 certificate in the CRA section"

ISO 27001 certifies your organisational security management. The CRA (Regulation (EU) 2024/2847) requires product-level documentation under Annex VII. The RFP asks for both. ISO 27001 answers the organisational question. Annex VII answers the product question. Citing only ISO 27001 leaves the product question unanswered — and the evaluator notices.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1

Product Classifier

Annex III/IV classification for the RFP product.

2

Technical Documentation

Full Annex VII dossier. The artefact the evaluator expects.

3

Risk Assessment

Art. 13(2) cybersecurity risk assessment for the proposed product.

4

User Information

Annex II. Demonstrates your awareness of end-user documentation obligations.

5

Declaration of Conformity

Art. 28 + Annex V template. Shows the evaluator you understand the conformity process.

6

CVD Policy

Annex I Part II §5. Evidence of a vulnerability disclosure process.

7

Notification Template

Art. 14 ENISA notification. Shows readiness for the September 2026 deadline. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

8

Obligations Calendar

Timeline awareness. Evaluators value vendors who know the dates.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 COMPLIANCE CONSULTANT FOR BID SUPPORT
€5,000–€10,000
2–4 weeks. Exceeds the bid preparation budget.
✓ CRACHECK
€149
8 documents. 15–25 minutes. Ready before the bid deadline.

Two layers of responsibility

● WHAT CRACHECK DOES

Documentation generation

Generates a structured Annex VII dossier you can attach to your RFP response. 8 documents. 15–25 minutes. €149. Demonstrates compliance capability to the evaluation committee.

∅ WHAT CRACHECK DOES NOT DO

What falls outside CRACheck

Does not write your RFP narrative response. Does not guarantee you win the bid. Does not replace the actual conformity assessment (Art. 32) that will be required during contract execution.

We produce the compliance artefact. Your bid team integrates it into the proposal.

Enforcement regime

Article 64 of Regulation (EU) 2024/2847.

🇪🇺
Non-compliance with Annex I + Art. 13, 14
€15M / 2.5%

Art. 64(2).

🇪🇺
Missing documentation (Art. 31)
€10M / 2%

Art. 64(3).

🇪🇺
Incorrect information
€5M / 1%

Art. 64(4).

Alternatives

AlternativeCostWhat you get
Compliance consultant for bid support€5,000–€10,000Expert narrative + documentation. 2–4 weeks.
Bid team writes CRA section internallyFree + bid team hoursGeneric text. No structured artefact. Low evaluation score.
Skip the CRA section of the RFP€0Disqualification or minimum score on a weighted criterion.
CRACheck€1498 documents. 15–25 min. Attach as evidence to the bid.

Your company responds to multiple European RFPs per quarter?

Each RFP product needs its own Annex VII dossier. If your pre-sales team handles 10+ EU bids per year, volume pricing makes CRACheck a standard line item in the bid budget. Contact us.

Request Volume Pricing
One-business-day response

What CRACheck guarantees and what it does not

CRACheck generates a structured document under Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy of the information is your responsibility.

We guarantee that the document structure follows Article 31 and Annex VII and that the legal references are correct. We do not guarantee that the document will satisfy a specific RFP evaluation criterion or lead to contract award.

CRACheck is not legal advice. For bid-specific regulatory questions, consult a qualified lawyer.

Frequently asked questions

European RFPs now require CRA compliance evidence. What do they expect?
European RFPs referencing Regulation (EU) 2024/2847 typically evaluate: (a) ability to produce Annex VII technical documentation, (b) evidence of a vulnerability handling process per Annex I Part II, (c) an SBOM capability, and (d) awareness of notification obligations under Art. 14. CRACheck generates artefacts covering all four.
Can I use the same CRACheck documentation across multiple RFPs?
Each product requires its own Annex VII dossier. If two RFPs involve the same product, you can reuse the documentation. If they involve different products, each needs a separate licence and dossier.
Should the CRACheck dossier replace our RFP narrative answer?
No. The dossier is an annex that supports your narrative. Your RFP response should describe your CRA compliance approach in text. The CRACheck dossier provides the structured evidence that backs up that narrative.
Our client is a public sector entity. Does the CRA apply to government contracts?
Regulation (EU) 2024/2847 applies to products with digital elements on the EU market. Public sector procurement of digital products is within scope. Art. 2(7) excludes only products developed exclusively for national security or defence — standard government IT procurement does not qualify for this exclusion.
Is it a subscription?
No. One-time payment. 30 days of editing, 10 regenerations. The PDF is yours to keep.
Can I request a refund?
Under Article 16(m) of Directive (EU) 2011/83, by activating the licence you consent to immediate digital content generation, waiving the 14-day withdrawal. Refunds only for reproducible technical failures.
What if the regulation changes?
Regenerate at no additional cost during your licence period.

Official legal sources

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

The RFP deadline is approaching. Generate the CRA compliance artefact in 15 minutes.

Eight documents. Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.

€149 one-time
8 documents · 15–25 min · Attach to your bid · 100% browser-side
Generate Annex VII dossier — €149

Related landings

🏢 Indian IT

CRA compliance for Indian IT company — EU client
📋 Contract

CRA documentation Indian developer — EU contract clause
🏗️ Outsourcing

CRA requirements outsourcing agency India — EU project
✓ Last regulatory check: 28 April 2026 · No substantive changes detected · View history