CRA Compliance Checklist for Manufacturers 2027

The three numbers you must remember

11 Dec 2027

Full application date (Art. 71)

5 years

Minimum support period (Art. 13(8))

10 years

Technical documentation retention (Art. 13(13))

The 13 checklist items

These are the 13 documentary and procedural deliverables every manufacturer must close. Each cites the article that demands it.

Cybersecurity risk assessment

Art. 13(2)–(4): document risks during planning, design, development, production, delivery and maintenance. Must justify why each Annex I, Part I requirement does or does not apply. Updated during the support period.

Design and develop without known exploitable vulnerabilities

Annex I, Part I, point (2)(a): the product must be placed on the market without known exploitable vulnerabilities. Apply the 13 essential properties (secure by default, access control, confidentiality, integrity, availability, data minimisation, attack-surface reduction, logging, etc.).

Due diligence on third-party components

Art. 13(5)–(6): exercise due diligence on integrated components, including free and open-source. On identifying a vulnerability in a component, report it to its maintainer and remediate it in your product.

Vulnerability handling processes

Art. 13(8) + Annex I, Part II (8 requirements): SBOM, address vulnerabilities without delay, regular security tests, public disclosure once fixed, coordinated vulnerability disclosure policy, secure update mechanism, free security updates.

Determine and publish the support period

Art. 13(8) + Art. 13(19): minimum 5 years (or shorter only if the product is in use for less than 5 years). End date — at least month and year — must be clearly displayed at the time of purchase.

Single point of contact

Art. 13(17): designate a SPOC for vulnerability reports. Must allow user-chosen communication channels, not only automated tools.

Technical documentation

Art. 31 + Annex VII: product description, design, development, vulnerability handling specs, risk assessment, support-period rationale, list of harmonised standards or common specifications applied, test reports, copy of the EU declaration of conformity.

Conformity assessment

Art. 32: Module A (internal control) for default products and Class I when harmonised standards are fully applied; Module B+C or Module H, or applicable EU cybersecurity certification scheme, for Class I without standards; Module B+C / H / scheme at “substantial” level for Class II; certification scheme for Critical (Art. 32(4)).

EU declaration of conformity

Art. 28 + Annex V: drawn up before placing on market, in the language(s) required by each Member State of distribution. Single declaration if multiple Union acts apply (Art. 28(3)).

CE marking

Art. 30: visible, legible and indelible. For software-only products, the marking may be on the EU declaration or on the website page accompanying the software. Notified body identification number when Module H is used.

Information and instructions to the user

Art. 13(18) + Annex II: 9 mandatory items — manufacturer details, single point of contact, intended purpose, support-period end date, secure installation, secure decommissioning, automatic-update opt-out instructions, where applicable the SBOM address.

Article 14 reporting (from 11 September 2026)

Notify actively exploited vulnerabilities and severe incidents via the single reporting platform to ENISA and the relevant CSIRT designated as coordinator: 24h early warning, 72h notification, 14-day final report (1 month for incidents).

Continued conformity for serial production

Art. 13(14): processes must ensure ongoing conformity, taking into account changes in development, design or in the standards / certifications relied on. Substantial modifications (Art. 3(30) + Art. 22) trigger a new conformity assessment.

Common mistakes

❌

DEADLINE CONFUSION

“We have until December 2027 for everything”

False. Article 14 vulnerability reporting applies from 11 September 2026 — fifteen months earlier. Chapter IV on notified bodies applies from 11 June 2026. Only the rest of the substantive obligations apply from 11 December 2027 (Article 71).

❌

SCOPE OMISSION

“We just need the CE mark and a declaration of conformity”

Wrong. Article 13 imposes 25 numbered obligations — not 2. Risk assessment, due diligence on third-party components, vulnerability handling processes (Annex I, Part II, 8 requirements), single point of contact, support-period publication and Article 14 notifications are independent of the CE mark.

❌

SUPPORT PERIOD ERROR

“We will set the support period to 2 years like we always do”

Not permitted unless the product is genuinely in use for less than 2 years. Article 13(8) sets a 5-year floor by default, justified by reasonable user expectations and product nature. Industrial and hardware products often require longer. The Commission may set sector minima by delegated act.

Does the CRA apply to your product?

Four-question self-check. If you answer YES to all four, your product is in scope of Regulation (EU) 2024/2847.

Is it a hardware or software product (or component) with digital elements?

Art. 3(1) — “product with digital elements”

Can it connect directly or indirectly to a device or network?

Art. 2(1) — logical or physical data connection

Will it be placed or made available on the EU market in the course of a commercial activity?

Art. 3(21)(22) + Recital 15

Is it NOT excluded? (not a medical device, not a motor vehicle, not certified aviation, not marine equipment, not national security/defence-only, not a spare part)

Art. 2(2)–(7)

Take the full product classification test →

Choose your licence

One-time payment. No subscription. The downloaded dossier is yours forever.

1 PRODUCT

149 €

/ product

8-document CRA dossier (ZIP)
Product Classifier + Technical Documentation
Risk Assessment + User Information
10 regenerations · 30 days
1 licence = 1 product

Buy licence →

PROFESSIONAL PACK

1,199 €

70 generations · 1 key

For multi-product catalogues

70 generations with a single key
70 complete dossiers (8 documents each)
Switch product between generations
Ideal for importers with large catalogues
For consultants billing CRA compliance

Buy Professional Pack →

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Determines whether your product is Default, Important Class I, Important Class II (Annex III) or Critical (Annex IV). Documents the rationale and the applicable conformity assessment procedure under Article 32.

Technical Documentation

Article 31 + Annex VII dossier. Product description, design and development, vulnerability handling processes, risk assessment, list of harmonised standards applied, conformity solutions.

Cybersecurity Risk Assessment

Annex I, Part I analysis. Intended purpose, reasonably foreseeable use, operational environment, applicability of each essential requirement, mitigation measures.

User Information & Instructions

Annex II. Manufacturer details, single point of contact, intended purpose, support period end date, secure decommissioning, automatic-update opt-out instructions.

EU Declaration of Conformity

Article 28 + Annex V. Pre-structured with your classification, applicable conformity module, harmonised standards or certificates relied on, notified body number when applicable.

Coordinated Vulnerability Disclosure Policy

Annex I, Part II, point (5). Single point of contact, intake workflow, triage and remediation timeline, public disclosure rules.

ENISA Notification Template

Article 14 reporting. Pre-filled 24h early warning, 72h vulnerability/incident notification, 14-day final report templates.

Obligations Calendar

Personalised milestones: Article 14 reporting starts 11 September 2026, full application 11 December 2027, document retention 10 years, support period (Art. 13(8)) end date.

See before you buy — Download sample dossier (PDF, fictional company). Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧦 OUTSIDE CONSULTANT FOR FULL CRA DOSSIER

€8,000–€25,000

6–12 weeks of scoping, interviews, drafting and review across Articles 13, 14, 31 and Annex VII. Scope often unclear until classification is confirmed.

CRACHECK — SAME OUTPUT

€149

15–25 minutes of structured input. Generates the 8-document ZIP that maps onto every paragraph of Article 13 + Annex VII.

Legal sources

Every article and recital cited on this page comes from the official text of Regulation (EU) 2024/2847 (Cyber Resilience Act), published in the Official Journal of the European Union on 20 November 2024 (ELI: data.europa.eu/eli/reg/2024/2847/oj).

→ Full text on EUR-Lex (CELEX 32024R2847)
→ HTML version (article-by-article)
→ Official PDF (81 pages)
→ All 24 EU language versions

Related: Regulation (EU) 2019/881 (Cybersecurity Act, EUCC) · Directive (EU) 2022/2555 (NIS2) · Regulation (EU) 2019/1020 (market surveillance) · Regulation (EU) 2024/1689 (AI Act).

Important notice

This is not legal advice. CRACheck is structured self-assessment software based on Regulation (EU) 2024/2847. The dossier you download is structured documentation, not a third-party audit or certification.

Class II and Critical products still need a notified body. CRACheck prepares the dossier that the notified body will examine — it does not replace the third-party conformity assessment required by Article 32(3) and Article 32(4).

Maximum liability: the amount you paid for the licence. Always verify your specific situation with your legal counsel.

Frequently asked questions

Does Article 13 apply to me if I only assemble third-party hardware in the EU?

If you place the product on the market under your name or trademark, you are the manufacturer for the purposes of the CRA (Art. 3(13) + Art. 21). All Article 13 obligations apply. If you are an importer or distributor but substantially modify a product already on the market, you are treated as the manufacturer for that product (Art. 21 + Art. 22).

What exactly is the 5-year support period?

Article 13(8) requires the manufacturer to handle vulnerabilities effectively during a period that reflects how long the product is reasonably expected to be in use. The floor is 5 years. If the product is expected to be in use for less than 5 years (e.g. a contact-tracing app), the support period corresponds to the expected use time. Hardware that lasts 10–15 years (industrial controllers, network gear) requires correspondingly longer support.

Which Article 13 obligations apply earlier than 11 December 2027?

Article 14 (reporting of actively exploited vulnerabilities and severe incidents) applies from 11 September 2026 (Art. 71(2)). Article 14 also applies retroactively under Article 69(3): even products placed on the market before 11 December 2027 must comply with Article 14 reporting once it kicks in. Chapter IV (notified bodies, Arts. 35–51) applies from 11 June 2026.

What changes between Class I, Class II and Critical for this checklist?

All 13 checklist items apply to every manufacturer. What changes is the conformity assessment procedure (Art. 32): self-assessment with Module A is available for default products and for Class I when harmonised standards are fully applied; Class II always requires third-party assessment (Module B+C, Module H, or EU cybersecurity certification at ‘substantial’ level); Critical products may require a European cybersecurity certificate under Article 8.

Is this a subscription?

No. One-time payment. 30-day editing window. 10 regenerations. The PDF dossier is yours permanently.

Can I request a refund?

Under Article 16(m) of Directive (EU) 2011/83, the act of licence activation constitutes express consent for immediate digital content generation, which removes the right of withdrawal. Refunds are issued only for reproducible technical failures.

What if the regulation changes before I file my dossier?

Regenerate at no additional cost during your licence validity. Substantive amendments to Regulation (EU) 2024/2847 are tracked weekly from EUR-Lex; if a clause you cited is amended, you can regenerate the affected sections.

The CRA manufacturer checklist: 13 obligations from Article 13, plus Articles 14, 31 and 32, that you must close before 11 December 2027