Data analytics platforms occupy a unique position in CRA scope: they often access sensitive client infrastructure, collect system metrics or business data, and transmit it to a cloud backend for processing and visualization. The data collection agent installed on the client's infrastructure is the product with digital elements. The cloud platform is remote data processing. Together, they form a single regulated product under the CRA. Article 13 requires the manufacturer to document the product's cybersecurity design, assess its risks, and declare conformity. CRACheck generates the 8-document dossier in 15-25 minutes for €149.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.
CRA applies to products with digital elements based on their market placement and data connectivity, not based on data sensitivity. Annex I essential requirements cover product integrity, availability, access control, and secure-by-default configuration regardless of what data the product handles. An analytics agent that collects anonymized metrics still needs technical documentation and a risk assessment.
Limited runtime permissions reduce attack surface but do not reduce CRA obligations. Article 13 requires technical documentation for every product with digital elements placed on the EU market, regardless of the product's privilege level. The risk assessment under Article 13(2)-(3) should document your limited permission model as a mitigation — but the documentation obligation exists regardless.
You designed and developed the agent. You are the manufacturer under Article 3(13). The client's deployment responsibility covers their infrastructure configuration. Your manufacturer responsibility covers the agent's design, security properties, and vulnerability handling. CRA assigns obligations based on the economic operator's role, not the deployment location.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Classification under Annex III. Security monitoring and network analytics tools may classify as Important Class I.
Art. 31 + Annex VII covering: data collection agent architecture, cloud processing platform, API design, data pipeline security, encryption implementation, and authentication mechanisms.
Analytics-specific: agent compromise scenarios, data pipeline manipulation, unauthorized data access, agent update hijacking, credential theft, and cross-tenant data leakage in multi-tenant analytics platforms.
Annex II for IT administrators: agent installation requirements, permissions needed, data collection scope, encryption details, update mechanism, and security contact.
Art. 28 + Annex V for your analytics product.
Vulnerability disclosure policy covering both agent and cloud platform vulnerabilities.
ENISA template per Article 14 for analytics platform incidents: compromised agent updates, data pipeline breaches, API exploitation. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
CRA milestones and support period for agent maintenance and security updates.
Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.
Generated from your data, in your browser. No data leaves your device.
Generates CRA documentation for your analytics product: agent and cloud platform as a unified product, with technical documentation, risk assessment, and conformity declaration.
Does not test your agent for vulnerabilities. Does not verify your data pipeline encryption. Does not audit multi-tenant isolation. Does not monitor your cloud platform security. Those are engineering and operations responsibilities.
CRACheck documents your product's cybersecurity architecture. Your engineering team ensures it works as documented.
Article 64 of Regulation (EU) 2024/2847.
Non-compliance with essential requirements or manufacturer obligations.
Missing documentation or conformity assessment.
Misleading information to authorities.
| Criteria | Data security consultant | Generic CRA consultant | Internal compliance | CRACheck |
|---|---|---|---|---|
| Time | 8-14 weeks | 6-12 weeks | 4-8 weeks | 15-25 minutes |
| Cost | €12,000-€25,000 | €10,000-€20,000 | Staff hours | €149 |
| Covers agent + cloud layers | If briefed | Partially | Depends | Yes — unified dossier |
| Ready for client vendor review | Custom report | Custom report | Internal doc | 8 standardized PDFs |
If your platform includes a monitoring agent, a log collector, and a BI dashboard sold as separate products, each needs its own Article 31 dossier. Volume: 10 at €99, 30 at €79.
Request Volume PricingCRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy of that information is your responsibility as the manufacturer.
We guarantee the document structure follows Article 31 + Annex VII and legal references are correct. We do not guarantee acceptance by a specific client's security assessment.
CRACheck is not legal advice. For questions about analytics product classification or data-specific requirements, consult a qualified attorney.
Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.