A browser extension is software that users install on their device. When distributed through a store available to EU users in the course of commercial activity, it is "made available on the market" under Article 3(22) of the Cyber Resilience Act. The developer is the manufacturer under Article 3(13). Browser extensions often handle sensitive data — passwords, browsing history, authentication tokens — making the cybersecurity risk assessment under Article 13(2)-(3) particularly important. CRACheck generates the 8-document dossier under Article 31 + Annex VII in 15-25 minutes for €149. Your extension's CRA documentation exists before Google, Mozilla, or Microsoft make it a store requirement.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.
The CRA does not set a minimum size, complexity, or user base for products with digital elements. Article 3(1) defines a product with digital elements as software placed on the market. A 50KB extension with 500 users is as much a regulated product as a 500MB application with 5 million users. The scope trigger is market placement, not product size.
Chrome Web Store review checks for malware and basic policy compliance. It does not produce technical documentation under Article 31, conduct a risk assessment per Article 13, or issue a declaration of conformity per Article 28. The store is a distribution channel. The manufacturer obligations under CRA rest with you.
If your extension is part of a commercial activity — ad-supported, monetized through a premium version, bundled with a paid service, or developed by a business entity — it falls within CRA scope per Recital 18. The open-source license type (MIT, Apache, GPL) does not create an exemption. The test is commercial activity context, not license terms.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Classification under Annex III. Password managers and identity-related extensions may classify as Important Class I.
Art. 31 + Annex VII for browser extensions: manifest permissions, content scripts, background service workers, storage usage, API communications, and third-party dependencies.
Extension-specific analysis: content script injection attacks, cross-site data leakage, permission escalation, third-party analytics SDK risks, and update supply chain integrity.
Annex II adapted for extension users: what permissions the extension requires and why, what data is collected, how updates are delivered, how to report security issues, and developer contact.
Art. 28 + Annex V for your extension.
Vulnerability disclosure policy for extension developers: how security researchers report issues, response timeline, and coordinated disclosure process.
ENISA template per Article 14 for extension incidents: compromised update push, data exfiltration discovery, permission abuse exploitation. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
Developer timeline: Art. 14 reporting from September 2026, full enforcement December 2027, support period.
Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.
Generated from your data, in your browser. No data leaves your device.
Generates CRA documentation for your browser extension: product classification, technical documentation covering manifest, permissions, data flows, and architecture, plus risk assessment, declaration of conformity, and vulnerability handling policies.
Does not audit your content scripts for vulnerabilities. Does not test your extension's data handling. Does not verify your Chrome Web Store compliance. Does not monitor your third-party dependencies. Security engineering is your responsibility.
CRACheck documents. Your code review process validates. €149 for the documentation, your development discipline for the substance.
Article 64 of Regulation (EU) 2024/2847.
Non-compliance with essential requirements or manufacturer obligations.
Missing documentation or conformity assessment.
Misleading information to authorities.
| Criteria | Regulatory attorney | Browser security service | DIY from regulation | CRACheck |
|---|---|---|---|---|
| Time | 4-10 weeks | N/A (no CRA focus) | Weeks | 15-25 minutes |
| Cost | $11,000-$20,000 | N/A | Your time | €149 |
| Extension-specific risk analysis | Unlikely | Security but no CRA | If you can | Yes |
| CRA documentation output | Legal memo | No | DIY | 8 structured PDFs |
Each extension is a separate product with digital elements. If you publish 5 extensions across Chrome and Firefox, each needs independent CRA documentation. Volume pricing: 10 products at €99, 30 at €79.
Request Volume PricingCRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy of that information is your responsibility as the manufacturer.
We guarantee the document structure follows Article 31 + Annex VII and legal references are correct. We do not guarantee acceptance by a market surveillance authority.
CRACheck is not legal advice. For edge cases involving extension scope or open-source exemptions, consult a qualified attorney.
Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.