Reg (EU) 2024/2847

You manufacture IoT devices in China and sell them to European distributors. Article 13 of Regulation (EU) 2024/2847 makes you responsible for the technical documentation under Annex VII before placing any product with digital elements on the EU market. Your buyer will ask for it. CRACheck generates it.

The Cyber Resilience Act applies to every product with digital elements placed on the EU market, regardless of where the manufacturer is established. Article 2.1 of Regulation (EU) 2024/2847 is explicit: if the product has a direct or indirect data connection and is made available in the EU, it is in scope. Your European distributor has importer obligations under Article 19 — they must verify your documentation exists before placing the product on the market. CRACheck generates 8 PDF documents structured according to Article 31 and Annex VII. 15-25 minutes. €149 one-time payment. 100% browser-side — no data leaves your device.

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side

Key numbers

Art. 31: Technical documentation obligation. Annex VII defines 8 mandatory content sections.
€15M: Maximum fine under Art. 64.2 for non-compliance with essential cybersecurity requirements, or 2.5% of global turnover.
15 min: Time to generate a complete 8-document CRA dossier. Compare with 3-6 months of consultancy.

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

1. Classify your product
Use the free CRACheck classifier to determine whether your IoT device is Default, Important Class I, Important Class II or Critical under Annex III. Most IoT sensors and gateways are Default products eligible for self-assessment under Module A.

2. Gather your product data
Internal product specifications, firmware version, network interfaces, update mechanism, known vulnerability list, intended purpose, expected support period.

3. Enter data in CRACheck
The generator guides you through each section of Annex VII. 15-25 minutes per product. All processing runs in your browser — no product data is transmitted to any server.

4. Download 8 PDF documents
Product Classifier, Technical Documentation, Risk Assessment, User Information, Declaration of Conformity, CVD Policy, ENISA Notification Template, Obligations Calendar. One ZIP file.

5. Review with your compliance team
Your quality or compliance officer reviews the documentation. CRACheck includes 10 regenerations per licence for adjustments.

6. Deliver to your EU importer
Attach the documentation to the product file alongside your existing CE dossier. Under Art. 19.2, the EU importer must verify this documentation exists before placing the product on the market.

Common mistakes

COMPLIANCE GAP

"We already have CE marking — that covers cybersecurity"

CE marking under the EMC Directive (2014/30/EU) or RED (2014/53/EU) covers electromagnetic compatibility and radio spectrum. Regulation (EU) 2024/2847 introduces a separate set of essential cybersecurity requirements under Annex I and a separate technical documentation obligation under Article 31 and Annex VII. Your existing CE dossier does not contain vulnerability handling processes, cybersecurity risk assessment, SBOM or coordinated vulnerability disclosure policy. These are Annex VII requirements.

ART. 19

"Our European distributor handles the compliance"

The distributor has obligations under Article 20 of Regulation (EU) 2024/2847, but they are verification obligations — they must check that the product bears CE marking and that documentation exists. The obligation to produce the technical documentation under Article 31 and Annex VII falls on the manufacturer. Article 3(13) defines the manufacturer as the entity who develops or manufactures the product and places it on the market under their name or trademark. That is you.

ART. 14

"Enforcement starts in December 2027 — we have time"

Full enforcement of the CRA starts on 11 December 2027. However, Article 14 — the obligation to report actively exploited vulnerabilities to ENISA within 24 hours — applies from 11 September 2026. If a vulnerability in your IoT device is actively exploited after that date and you fail to notify, you are already in breach. The documentation obligation gives you the framework to handle vulnerability reporting. Starting late means starting unprepared.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
Determines whether your IoT device falls under Default, Important Class I, Important Class II or Critical category per Annex III. Defines which conformity assessment procedure applies under Art. 32.

2. Technical Documentation
Complete technical documentation structured per Art. 31 and Annex VII. Covers product description, design and development information, vulnerability handling processes, cybersecurity risk assessment, standards applied, test reports, EU declaration of conformity, and SBOM.

3. Risk Assessment
Cybersecurity risk assessment as required by Art. 13.2 and Art. 13.3, covering analysis of cybersecurity risks based on intended purpose, foreseeable use and operational environment. Mapped against essential cybersecurity requirements in Annex I Part I.

4. User Information
Information and instructions for the user as required by Annex II. Covers product identification, manufacturer contact, security properties, support period, installation guidance, vulnerability reporting mechanism and secure disposal.

5. Declaration of Conformity
EU declaration of conformity per Art. 28 and Annex V. Identifies the product, states conformity with the applicable requirements, lists the conformity assessment procedure applied and the standards or specifications used.

6. CVD Policy
Coordinated Vulnerability Disclosure policy. Part of the vulnerability handling requirements under Annex I Part II. Establishes the process for external researchers to report vulnerabilities and the timeline for remediation.

7. Notification Template
Pre-structured template for vulnerability and incident notification to ENISA and the designated CSIRT under Art. 14. Covers the three-step reporting timeline: 24h early warning, 72h notification, 14-day final report.

8. Obligations Calendar
Timeline of all CRA obligations with key dates: Art. 14 reporting from 11 September 2026, full enforcement from 11 December 2027, support period obligations per Art. 13.8.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 EUROPEAN COMPLIANCE CONSULTANCY
€10,000–€25,000
Per product. 3-6 months. Requires NDA, data transfer, multiple meetings.
✓ Last regulatory check: 1 May 2026 · No substantive changes detected