What exactly counts as "remote data processing" under the CRA?

Article 3(2) of Regulation (EU) 2024/2847 defines remote data processing as "data processing at a distance for which the software is designed and developed by the manufacturer, or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions." If your mobile app cannot function without your cloud backend, that backend is remote data processing and falls within CRA scope. If you operate a standalone cloud service not tied to a downloadable product, it falls under NIS2 (Directive (EU) 2022/2555) instead.

We distribute an open-source SDK. Does CRA apply?

Recital 18 of Regulation (EU) 2024/2847 excludes free and open-source software developed outside a commercial activity. However, if your open-source SDK is distributed as part of your commercial product offering — for example, to enable integration with your paid platform — it is placed on the market in the course of commercial activity and falls within CRA scope. The key test is commercial context, not license type.

We are a 5-person startup. Are there any CRA exemptions for small companies?

The Cyber Resilience Act does not exempt companies based on size. However, Recital 93 and Article 31 provide for a simplified technical documentation form for microenterprises and small enterprises, reducing the administrative burden while maintaining the same security requirements. CRACheck's output is compatible with both the full and simplified documentation formats.

Our product changes every sprint. How often do we need to update CRA documentation?

Article 13(9) requires you to update technical documentation throughout the support period. Routine updates (bug fixes, minor features) do not trigger a full reassessment. A "substantial modification" (Article 22) — one that affects the product's compliance with essential requirements — requires a new conformity assessment. CRACheck allows 10 regenerations within 30 days, which covers typical iteration cycles during initial compliance setup.

Can we prepare CRA documentation before the enforcement date?

Yes, and it is advisable. Article 14 vulnerability reporting obligations apply from 11 September 2026 — 15 months before full enforcement. Having your technical documentation, CVD policy, and notification templates ready early demonstrates due diligence and prepares you for EU sales conversations now.

Is CRACheck a subscription?

No. One-time payment. 30 days of editing, 10 regenerations. The PDF is yours to keep.

Can I request a refund?

Per Article 16(m) of Directive (EU) 2011/83, activating the license constitutes express consent for immediate digital content generation, waiving the 14-day withdrawal right. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate with the updated generator version at no additional cost during your license period.

Your startup ships a cloud product with a client-side component — a mobile app, a CLI, an SDK, a browser extension. Under Article 3(2) of Regulation (EU) 2024/2847, the cloud backend is "remote data processing" tied to that component. The entire product falls within CRA scope. CRACheck generates the technical documentation before your next EU sales call.

Recital 12 of the Cyber Resilience Act draws a clear line: cloud services that support the functionality of a product with digital elements are remote data processing within scope. Cloud services that exist independently are not. If your product has any downloadable element — even a lightweight CLI or an npm package — the cloud infrastructure behind it becomes part of the regulated product. CRACheck generates the 8-document dossier under Article 31 + Annex VII in 15-25 minutes for €149. Designed for founders who cannot spend €15K on regulatory counsel before product-market fit.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

24 hours

Maximum time to submit early warning to ENISA after discovering an actively exploited vulnerability (Art. 14(2)(a))

€149

One-time cost for the full 8-document CRA dossier per product

0 bytes

Data transmitted to external servers during document generation. Zero. Everything runs in your browser.

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Define your product boundary

CRACheck helps you delineate what constitutes your "product with digital elements": the client-side component plus its remote data processing backend. This boundary determines documentation scope.

Classify under Annex III

Determine if your product is Default, Important Class I/II, or Critical. Most cloud-native startup products with no privileged network functions classify as Default.

Map your architecture

Describe client-server data flows, API endpoints, authentication mechanisms, third-party dependencies, and open-source components.

Generate risk assessment

Structured analysis per Article 13(2)-(3) covering your cloud-native architecture: API security, data-in-transit encryption, access control, update delivery integrity, and container/infrastructure risks.

Produce technical documentation

Article 31 + Annex VII dossier covering both the client-side component and the remote data processing layer as a single regulated product.

Complete supporting documents

Declaration of conformity (Annex V), user information (Annex II), CVD policy, ENISA notification template, obligations calendar.

Download and present

8 PDFs ready for your EU prospect, your investor deck's compliance section, or a future market surveillance request.

Common mistakes

❌

MARKET PLACEMENT

"Our product is cloud-native, so there is nothing placed on the EU market"

If your product has a mobile app on the App Store or Google Play available to EU users, or distributes an npm/pip package, a CLI binary, a browser extension, or any code that executes on the user's device, that component is "placed on the market" per Article 3(21). The cloud backend then becomes remote data processing under Article 3(2), and the full product falls within CRA scope.

❌

COMMERCIAL ACTIVITY

"We are pre-revenue, so regulations do not apply yet"

The CRA applies to products "made available on the market" (Article 2(1)), defined as any supply for distribution or use on the EU market in the course of a commercial activity (Article 3(22)). A free tier, a freemium model, or a beta with paying design partners constitutes commercial activity. Revenue is not the trigger — market availability is.

❌

DESIGN OBLIGATION

"We will build compliance into the product later when we scale"

Article 13(1) requires that products be "designed, developed and produced in accordance with the essential cybersecurity requirements set out in Part I of Annex I." This is a design-time obligation, not a post-launch audit. Retrofitting secure-by-default configuration, data minimization, and update mechanisms into an architecture built without them costs exponentially more than building them in from the start.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Maps your cloud-native product against Annex III categories. Identifies whether the client-side component or the remote data processing layer triggers a higher classification.

Technical Documentation

Article 31 + Annex VII dossier covering your full product: client-side component architecture, remote data processing backend, data flows, security controls, and third-party dependencies.

Risk Assessment

Cloud-specific cybersecurity risk analysis per Article 13(2)-(3): API attack surfaces, authentication weaknesses, supply chain risks from dependencies, data residency implications, and CI/CD pipeline integrity.

User Information

Annex II document adapted for a cloud product: how the client communicates with the backend, what data is processed remotely, how updates are delivered, and what security properties the user can expect.

Declaration of Conformity

Article 28 + Annex V formal declaration that your product meets CRA essential requirements. Covers both the client-side and remote processing components as a single product.

CVD Policy

Coordinated vulnerability disclosure policy per Annex I, Part II. Includes security.txt reference, responsible disclosure timeline, and researcher communication protocol.

Notification Template

ENISA notification structure per Article 14 adapted for cloud-native incident scenarios: API breaches, dependency compromises, and container escapes.

Obligations Calendar

Startup-relevant timeline: Art. 14 reporting from September 2026, full enforcement December 2027, support period per Article 13(8), and conformity reassessment triggers upon substantial product changes (Article 22).

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 REGULATORY CONSULTANT

€8,000–€20,000

6-12 weeks. Requires explaining your microservices architecture to someone who may not know what Kubernetes is. Cash your startup does not have.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history