
Your analytics platform collects data from European client infrastructure through an installed agent, an SDK, or a desktop application. That installable component is a product with digital elements under Article 3(1) of Regulation (EU) 2024/2847. The cloud analytics engine processing the data is remote data processing under Article 3(2). Your European enterprise customer's security team needs Article 31 documentation for their vendor assessment. CRACheck generates it.

Data analytics platforms occupy a unique position in CRA scope: they often access sensitive client infrastructure, collect system metrics or business data, and transmit it to a cloud backend for processing and visualization. The data collection agent installed on the client's infrastructure is the product with digital elements. The cloud platform is remote data processing. Together, they form a single regulated product under the CRA. Article 13 requires the manufacturer to document the product's cybersecurity design, assess its risks, and declare conformity. CRACheck generates the 8-document dossier in 15-25 minutes for €149.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side — your data never leaves your device

Key numbers

Art. 3(1)-(2): Your installable agent + cloud backend = one regulated product with remote data processing
Annex I: Essential requirements include data confidentiality and integrity — critical for analytics platforms handling client data
€149: One-time cost for the full CRA dossier per product

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

1. Define your product
Analytics platform name, data collection agent (type, OS support), cloud processing engine, and visualization interface. CRACheck treats the agent + cloud as one product.

2. Classify under Annex III
Analytics platforms typically classify as Default. Platforms performing network monitoring or security analytics may classify as Important Class I if they serve a security function.

3. Describe data flows
What data does the agent collect? System metrics, logs, business data, user behavior? How is it transmitted, encrypted, and stored? Map against Annex I data protection requirements.

4. Document agent security
Installation permissions, auto-update mechanism, local data caching, credential handling, and communication protocol. These are CRA-relevant security properties.

5. Generate risk assessment
Analytics-specific threats: agent compromise leading to client infrastructure access, data exfiltration through analytics pipelines, unauthorized data aggregation, API key exposure, and supply chain attacks through agent updates.

6. Produce 8 documents
Technical documentation, risk assessment, declaration of conformity, user information (for IT admins deploying the agent), CVD policy, ENISA template, obligations calendar.

7. Deliver to your EU client
Attach CRA documentation to vendor security questionnaire responses. The client's security team evaluates your product's documented cybersecurity posture.

Common mistakes

DATA TYPE IRRELEVANT

"We only collect anonymized metrics — cybersecurity requirements are minimal"

The CRA applies to products with digital elements based on their market placement and data connectivity, not on data sensitivity. Annex I essential requirements cover product integrity, availability, access control, and secure-by-default configuration regardless of what data the product handles. An analytics agent that collects anonymized metrics still needs technical documentation and a risk assessment.

PERMISSION ≠ SCOPE

"Our agent runs with limited permissions on the client's infrastructure"

Limited runtime permissions reduce attack surface but do not reduce CRA obligations. Article 13 requires technical documentation for every product with digital elements placed on the EU market, regardless of the product's privilege level. The risk assessment under Article 13(2)-(3) should document your limited permission model as a mitigation — but the documentation obligation exists regardless.

MANUFACTURER OBLIGATION

"The client deploys the agent on their infrastructure — they are responsible for security"

You designed and developed the agent. You are the manufacturer under Article 3(13). The client's deployment responsibility covers their infrastructure configuration. Your manufacturer responsibility covers the agent's design, security properties, and vulnerability handling. The CRA assigns obligations based on the economic operator's role, not the deployment location.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
Classification under Annex III. Security monitoring and network analytics tools may classify as Important Class I.

2. Technical Documentation
Art. 31 + Annex VII covering: data collection agent architecture, cloud processing platform, API design, data pipeline security, encryption implementation, and authentication mechanisms.

3. Risk Assessment
Analytics-specific: agent compromise scenarios, data pipeline manipulation, unauthorized data access, agent update hijacking, credential theft, and cross-tenant data leakage in multi-tenant analytics platforms.

4. User Information
Annex II for IT administrators: agent installation requirements, permissions needed, data collection scope, encryption details, update mechanism, and security contact.

5. Declaration of Conformity
Art. 28 + Annex V for your analytics product.

6. CVD Policy
Vulnerability disclosure policy covering both agent and cloud platform vulnerabilities.

7. Notification Template
ENISA template per Article 14 for analytics platform incidents: compromised agent updates, data pipeline breaches, API exploitation. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

8. Obligations Calendar
CRA milestones and support period for agent maintenance and security updates.

Look before you buy: download the sample dossier (PDF, fictitious company). Real structure, real articles, real format. Fictitious data.

Generated from your data, in your browser. No data leaves your device.

What you pay

Data security consultant: €12,000–€25,000
8-14 weeks. Requires architecture deep-dive sessions covering agent deployment, data pipelines, and cloud infrastructure.

Last regulatory check: 1 May 2026 · No substantive changes detected