European developers integrating your SDK or API into their products must conduct due diligence on third-party components under Article 13(5) of Regulation (EU) 2024/2847. They need your CRA documentation — not your marketing page, not your developer docs, but the structured technical file under Article 31 and Annex VII. CRACheck generates it so your EU customers can complete their own compliance.

An SDK or API client library distributed commercially is a software component "placed on the market separately" under Article 3(1) of the Cyber Resilience Act. You are the manufacturer. Your EU customers who integrate your component into their products are also manufacturers — and Article 13(5) requires them to exercise due diligence on third-party components they integrate. This means they will ask you for CRA documentation. CRACheck generates the 8-document dossier under Article 31 + Annex VII in 15-25 minutes for €149. Having it ready before your customers ask is a competitive advantage.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side — your data never leaves your device

Key numbers

Art. 13(5): EU manufacturers must exercise due diligence on third-party components — including your SDK
Art. 3(1): Software components placed on the market separately are products with digital elements under CRA
€149: One-time cost for the complete CRA dossier for your API/SDK product

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

1. Define your component product
   Enter SDK/API name, version, supported platforms, distribution method (npm, pip, NuGet, Maven, direct download), and your legal entity details.
2. Classify under Annex III
   SDKs and API libraries typically classify as Default category. SDKs performing authentication, encryption, or network security functions may fall under Important Class I per Annex III.
3. Describe your component architecture
   Languages, platforms, external dependencies, authentication methods (API keys, OAuth), data handling, and what functions the SDK performs on the integrator's device.
4. Map the API surface
   Document the API endpoints, data transmitted, encryption in transit, rate limiting, error handling, and how your SDK interacts with the integrator's product.
5. Generate risk assessment
   Component-specific threat analysis: API key exposure, dependency chain vulnerabilities, SDK code injection, man-in-the-middle attacks on API calls, and insecure default configurations.
6. Produce 8 documents
   Technical documentation, risk assessment, declaration of conformity, user information (for developer-integrators), CVD policy, ENISA template, obligations calendar.
7. Share with your EU customers
   Proactively provide CRA documentation to EU customers. They need it for their own Article 13(5) due diligence. Having it ready demonstrates supply chain maturity.

Common mistakes

COMPONENT DEFINITION

"We provide an API service, not a product. CRA does not apply."

If you distribute any client-side code — an SDK, a library, a client binary, an npm package — that code is a software component placed on the market separately under Article 3(1). The API service behind it may be remote data processing under Article 3(2) if the client-side code cannot function without it. Even if your core value proposition is the API, the distributed code makes you a product manufacturer.

SHARED RESPONSIBILITY

"Our EU customers are responsible for the final product, not the components"

Article 13(5) creates a chain: your EU customer must exercise due diligence on your component, but you as the component manufacturer bear your own Article 13 obligations. The final product manufacturer's compliance does not absolve the component manufacturer. Each economic operator in the chain has independent obligations.

COMMERCIAL OPEN SOURCE

"Our SDK is open-source, so the community handles security"

If your open-source SDK is distributed in the course of commercial activity — and it is, if it enables paid API usage — Recital 18 of Regulation (EU) 2024/2847 brings it within CRA scope. Community security contributions do not transfer your manufacturer obligations. You document, you assess risk, you handle vulnerabilities per Annex I, Part II.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
   Classification of your SDK/API product under Annex III. Determines whether your component falls into Default or Important category based on its security functions.

2. Technical Documentation
   Art. 31 + Annex VII dossier for your SDK/API: architecture, supported platforms, dependency tree, security implementation, authentication mechanism, and data handling.

3. Risk Assessment
   Component-specific cybersecurity analysis: supply chain attack vectors (compromised package registries), API credential exposure, SDK code injection, transitive dependency vulnerabilities, and cryptographic implementation weaknesses.

4. User Information
   Annex II document for developer-integrators: integration requirements, security best practices, data handling disclosure, update policy, breaking change notification process, and known limitations.

5. Declaration of Conformity
   Article 28 + Annex V declaration for your SDK/API product.

6. CVD Policy
   Vulnerability disclosure policy for API/SDK products: security.txt, vulnerability reporting channel, triage process, coordinated disclosure timeline, and embargo policy for critical fixes.

7. Notification Template
   ENISA notification structure per Article 14 for component-level incidents: compromised package releases, API authentication bypass, dependency chain attacks. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

8. Obligations Calendar
   SDK/API-specific timeline: Art. 14 reporting from September 2026, full enforcement December 2027, support period per Article 13(8), and versioning strategy implications.

Look before you buy: download a sample dossier (PDF, fictitious company). Real structure, real articles, real format. Fictitious data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 LOSE EU CUSTOMERS OR HIRE CONSULTANT
€15,000–€25,000
8-12 weeks. Or lose EU customers who cannot complete their own CRA due diligence without your documentation. Revenue impact: $100K-$1M+ in annual contracts.
Last regulatory check: 1 May 2026 · No substantive changes detected