
Your startup ships a cloud product with a client-side component — a mobile app, a CLI, an SDK, a browser extension. Under Article 3(2) of Regulation (EU) 2024/2847, the cloud backend is "remote data processing" tied to that component. The entire product falls within CRA scope. CRACheck generates the technical documentation before your next EU sales call.

Recital 12 of the Cyber Resilience Act draws a clear line: cloud services that support the functionality of a product with digital elements are remote data processing within scope. Cloud services that exist independently are not. If your product has any downloadable element — even a lightweight CLI or an npm package — the cloud infrastructure behind it becomes part of the regulated product. CRACheck generates the 8-document dossier under Article 31 + Annex VII in 15-25 minutes for €149. Designed for founders who cannot spend €15K on regulatory counsel before product-market fit.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side — your data never leaves your device

Key numbers

24 hours: Maximum time to submit early warning to ENISA after discovering an actively exploited vulnerability (Art. 14(2)(a))
€149: One-time cost for the full 8-document CRA dossier per product
0 bytes: Data transmitted to external servers during document generation. Zero. Everything runs in your browser.

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

1. Define your product boundary
CRACheck helps you delineate what constitutes your "product with digital elements": the client-side component plus its remote data processing backend. This boundary determines documentation scope.

2. Classify under Annex III
Determine if your product is Default, Important Class I/II, or Critical. Most cloud-native startup products with no privileged network functions classify as Default.

3. Map your architecture
Describe client-server data flows, API endpoints, authentication mechanisms, third-party dependencies, and open-source components.

4. Generate risk assessment
Structured analysis per Article 13(2)-(3) covering your cloud-native architecture: API security, data-in-transit encryption, access control, update delivery integrity, and container/infrastructure risks.

5. Produce technical documentation
Article 31 + Annex VII dossier covering both the client-side component and the remote data processing layer as a single regulated product.

6. Complete supporting documents
Declaration of conformity (Annex V), user information (Annex II), CVD policy, ENISA notification template, obligations calendar.

7. Download and present
8 PDFs ready for your EU prospect, your investor deck's compliance section, or a future market surveillance request.

Common mistakes

MARKET PLACEMENT

"Our product is cloud-native, so there is nothing placed on the EU market"

If your product has a mobile app on the App Store or Google Play available to EU users, or distributes an npm/pip package, a CLI binary, a browser extension, or any code that executes on the user's device, that component is "placed on the market" per Article 3(21). The cloud backend then becomes remote data processing under Article 3(2), and the full product falls within CRA scope.

COMMERCIAL ACTIVITY

"We are pre-revenue, so regulations do not apply yet"

The CRA applies to products "made available on the market" (Article 2(1)), defined as any supply for distribution or use on the EU market in the course of a commercial activity (Article 3(22)). A free tier, a freemium model, or a beta with paying design partners constitutes commercial activity. Revenue is not the trigger — market availability is.

DESIGN OBLIGATION

"We will build compliance into the product later when we scale"

Article 13(1) requires that products be "designed, developed and produced in accordance with the essential cybersecurity requirements set out in Part I of Annex I." This is a design-time obligation, not a post-launch audit. Retrofitting secure-by-default configuration, data minimization, and update mechanisms into an architecture built without them costs exponentially more than building them in from the start.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier

Maps your cloud-native product against Annex III categories. Identifies whether the client-side component or the remote data processing layer triggers a higher classification.

2. Technical Documentation

Article 31 + Annex VII dossier covering your full product: client-side component architecture, remote data processing backend, data flows, security controls, and third-party dependencies.

3. Risk Assessment

Cloud-specific cybersecurity risk analysis per Article 13(2)-(3): API attack surfaces, authentication weaknesses, supply chain risks from dependencies, data residency implications, and CI/CD pipeline integrity.

4. User Information

Annex II document adapted for a cloud product: how the client communicates with the backend, what data is processed remotely, how updates are delivered, and what security properties the user can expect.

5. Declaration of Conformity

Article 28 + Annex V formal declaration that your product meets CRA essential requirements. Covers both the client-side and remote processing components as a single product.

6. CVD Policy

Coordinated vulnerability disclosure policy per Annex I, Part II. Includes security.txt reference, responsible disclosure timeline, and researcher communication protocol.

7. Notification Template

ENISA notification structure per Article 14 adapted for cloud-native incident scenarios: API breaches, dependency compromises, and container escapes.

8. Obligations Calendar

Startup-relevant timeline: Art. 14 reporting from September 2026, full enforcement December 2027, support period per Article 13(8), and conformity reassessment triggers upon substantial product changes (Article 22).

Look before you buy: download the sample dossier (PDF, fictitious company). Real structure, real articles, real format. Fictitious data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 REGULATORY CONSULTANT
€8,000–€20,000
6-12 weeks. Requires explaining your microservices architecture to someone who may not know what Kubernetes is. Cash your startup does not have.
✓ CRACHECK
€149
8 documents. 15–25 min. You describe your own architecture. One-time payment. No subscription.

Two layers

● LAYER 1

Documentation (CRACheck)

Produces the 8 regulatory documents required before your product can be legally placed on the EU market. Covers technical documentation, risk assessment, declaration of conformity, user information, vulnerability handling policy, and incident notification templates. This is the documentation layer your EU prospect or investor asks about.

∅ LAYER 2

What CRACheck does NOT do

Does not run SAST/DAST scans on your code. Does not perform penetration testing on your APIs. Does not certify your container orchestration security. Does not monitor your third-party dependency updates. Does not serve as a notified body. Those are operational security tasks your engineering team handles.

CRACheck is the documentation. Your security practices are the substance. Both are necessary. CRACheck takes 15 minutes. The other is your ongoing engineering work.

Enforcement regime

Article 64 of Regulation (EU) 2024/2847.

🔴
Essential requirements + manufacturer obligations (Art. 64(2))
€15,000,000 / 2.5%

Non-compliance with Annex I essential requirements or Art. 13/14 obligations.

🟠
Documentation and conformity obligations (Art. 64(3))
€10,000,000 / 2%

Missing Art. 31 technical documentation or Art. 28 declaration.

🟡
Misleading information (Art. 64(4))
€5,000,000 / 1%

Misleading information to authorities.

Alternatives

| Criteria | Regulatory consultant | Law firm | Y Combinator compliance template | CRACheck |
|---|---|---|---|---|
| Time | 6-12 weeks | 8-16 weeks | Self-guided (weeks) | 15-25 minutes |
| Cost | €8,000-€20,000 | €15,000-€30,000 | Free but generic | €149 |
| Understands cloud-native | Varies | Rarely | No | Architecture-agnostic input |
| Covers all 8 CRA documents | Partial | Partial | No | Yes |

Shipping multiple products or modules to EU customers?

Each independently marketed product needs its own Article 31 dossier. If your startup offers separate products — a main platform, an analytics add-on, a developer SDK — each requires documentation. Volume pricing: 10 products at €99, 30 at €79.

We respond within 24 business hours.

What CRACheck guarantees and what it does not

CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy of that information is your responsibility as the manufacturer.

We guarantee that the document structure follows Article 31 + Annex VII and that the legal references cited are correct. We do not guarantee acceptance by a specific market surveillance authority.

CRACheck is not legal advice. For questions about CRA scope, remote data processing classification, or conformity assessment requirements specific to your product, consult a qualified attorney.

Frequently asked questions

What exactly counts as "remote data processing" under the CRA?
Article 3(2) of Regulation (EU) 2024/2847 defines remote data processing as "data processing at a distance for which the software is designed and developed by the manufacturer, or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions." If your mobile app cannot function without your cloud backend, that backend is remote data processing and falls within CRA scope. If you operate a standalone cloud service not tied to a downloadable product, it falls under NIS2 (Directive (EU) 2022/2555) instead.
We distribute an open-source SDK. Does CRA apply?
Recital 18 of Regulation (EU) 2024/2847 excludes free and open-source software developed outside a commercial activity. However, if your open-source SDK is distributed as part of your commercial product offering — for example, to enable integration with your paid platform — it is placed on the market in the course of commercial activity and falls within CRA scope. The key test is commercial context, not license type.
We are a 5-person startup. Are there any CRA exemptions for small companies?
The Cyber Resilience Act does not exempt companies based on size. However, Recital 93 and Article 31 provide for a simplified technical documentation form for microenterprises and small enterprises, reducing the administrative burden while maintaining the same security requirements. CRACheck's output is compatible with both the full and simplified documentation formats.
Our product changes every sprint. How often do we need to update CRA documentation?
Article 13(9) requires you to update technical documentation throughout the support period. Routine updates (bug fixes, minor features) do not trigger a full reassessment. A "substantial modification" (Article 22) — one that affects the product's compliance with essential requirements — requires a new conformity assessment. CRACheck allows 10 regenerations within 30 days, which covers typical iteration cycles during initial compliance setup.
Can we prepare CRA documentation before the enforcement date?
Yes, and it is advisable. Article 14 vulnerability reporting obligations apply from 11 September 2026 — 15 months before full enforcement. Having your technical documentation, CVD policy, and notification templates ready early demonstrates due diligence and prepares you for EU sales conversations now.
Is CRACheck a subscription?
No. One-time payment. 30 days of editing, 10 regenerations. The PDF is yours to keep.
Can I request a refund?
Per Article 16(m) of Directive (EU) 2011/83, activating the license constitutes express consent for immediate digital content generation, waiving the 14-day withdrawal right. Refunds only for reproducible technical failures.
What if the regulation changes?
Regenerate with the updated generator version at no additional cost during your license period.
⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

Your EU prospect asked about CRA compliance on the last sales call. Next time, send them the dossier.

Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.

€149 one-time
8-document professional dossier · 15–25 minutes · No subscription · Browser-side
✓ Last regulatory check: 1 May 2026 · No substantive changes detected