An SDK or API client library distributed commercially is a software component "placed on the market separately" under Article 3(1) of the Cyber Resilience Act. You are the manufacturer. Your EU customers who integrate your component into their products are also manufacturers — and Article 13(5) requires them to exercise due diligence on third-party components they integrate. This means they will ask you for CRA documentation. CRACheck generates the 8-document dossier under Article 31 + Annex VII in 15-25 minutes for €149. Having it ready before your customers ask is a competitive advantage.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.
If you distribute any client-side code — an SDK, a library, a client binary, an npm package — that code is a software component placed on the market separately under Article 3(1). The API service behind it may be remote data processing under Article 3(2) if the client-side code cannot function without it. Even if your core value proposition is the API, the distributed code makes you a product manufacturer.
Article 13(5) creates a chain: your EU customer must exercise due diligence on your component, but you as the component manufacturer bear your own Article 13 obligations. The final product manufacturer's compliance does not absolve the component manufacturer. Each economic operator in the chain has independent obligations.
If your open-source SDK is distributed in the course of commercial activity — and it is, if it enables paid API usage — Recital 18 of Regulation (EU) 2024/2847 brings it within CRA scope. Community security contributions do not transfer your manufacturer obligations. You document, you assess risk, you handle vulnerabilities per Annex I, Part II.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Classification of your SDK/API product under Annex III. Determines whether your component falls into Default or Important category based on its security functions.
Art. 31 + Annex VII dossier for your SDK/API: architecture, supported platforms, dependency tree, security implementation, authentication mechanism, and data handling.
Component-specific cybersecurity analysis: supply chain attack vectors (compromised package registries), API credential exposure, SDK code injection, transitive dependency vulnerabilities, and cryptographic implementation weaknesses.
Annex II document for developer-integrators: integration requirements, security best practices, data handling disclosure, update policy, breaking change notification process, and known limitations.
Article 28 + Annex V declaration for your SDK/API product.
Vulnerability disclosure policy for API/SDK products: security.txt, vulnerability reporting channel, triage process, coordinated disclosure timeline, and embargo policy for critical fixes.
ENISA notification structure per Article 14 for component-level incidents: compromised package releases, API authentication bypass, dependency chain attacks. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
SDK/API-specific timeline: Art. 14 reporting from September 2026, full enforcement December 2027, support period per Article 13(8), and versioning strategy implications.
Look before you buy: download the sample dossier (PDF, fictitious company). Real structure, real articles, real format. Fictitious data.
Generated from your data, in your browser. No data leaves your device.
Generates the CRA technical documentation that your EU developer customers need when they integrate your SDK/API into their regulated products. Covers Article 31, Annex VII, and all supporting documents.
Does not audit your SDK source code. Does not scan your npm/pip/NuGet packages for vulnerabilities. Does not verify your API endpoint security. Does not monitor your dependency supply chain. Those are your engineering team's responsibilities.
CRACheck produces the documentation. Your security engineering produces the substance. Your EU customers need both from you.
Article 64 of Regulation (EU) 2024/2847.
Non-compliance with essential requirements or manufacturer obligations.
Missing documentation or conformity assessment.
Misleading information to authorities.
| Criteria | No documentation (status quo) | EU regulatory consultant | Internal compliance team | CRACheck |
|---|---|---|---|---|
| Impact on EU customer retention | High risk — customers cannot complete due diligence | Mitigated after 8-12 weeks | Mitigated after 4-8 weeks | Mitigated in 15-25 minutes |
| Cost | EU revenue at risk | €15,000-€25,000 | Staff hours ($30K+) | €149 |
| Proactive supply chain signal | No | Delayed | Delayed | Immediate |
| Format for developer customers | None | Custom report | Internal doc | 8 standardized PDFs |
Each independently marketed SDK or API product is a separate product with digital elements under CRA. If you offer a payments SDK, an auth SDK, and a messaging SDK, each needs its own Article 31 dossier. Volume pricing: 10 products at €99, 30 at €79.
Request Volume Pricing
CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy of that information is your responsibility as the manufacturer.
We guarantee the document structure follows Article 31 + Annex VII and that legal references cited are correct. We do not guarantee that a specific customer will accept the documentation for their due diligence process.
CRACheck is not legal advice. For questions about component vs. product classification or supply chain liability, consult a qualified attorney.
Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.