Who is responsible for CRA compliance — us or the integrator?

Both carry distinct obligations. You, as the manufacturer of the component under Article 3(13), are responsible for your product's compliance with the essential cybersecurity requirements of Annex I. The integrator, as manufacturer of the final product, must exercise due diligence under Article 13(5) when incorporating your component. They need your documentation to fulfil their own obligations.

Do we need an authorised representative in the EU?

Article 18 of Regulation (EU) 2024/2847 allows a manufacturer to appoint an authorised representative in the EU by written mandate. This is optional but recommended if you do not have a legal entity within the EU. The authorised representative can keep your Declaration of Conformity and technical documentation available for market surveillance authorities.

Our component has no direct internet connection. Is it still covered?

Article 2(1) covers products with a direct or indirect logical or physical data connection to a device or network. If your component connects to a network through the system it is integrated into, the indirect connection brings it within scope.

Is this a subscription?

No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Article 16(m) of Directive (EU) 2011/83, activating the licence constitutes express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are available only for reproducible technical failures.

What if the regulation is amended?

If the CRA text is updated during your licence validity period, you can regenerate your documents using the updated version of CRACheck at no additional cost.

You manufacture electronic components in Taiwan and ship them to EU integrators. Your buyer's compliance team has started requesting cybersecurity documentation under Annex VII of Regulation (EU) 2024/2847. CRACheck generates it from your engineering specs.

Q: Does the CRA apply to components that are not final products?

Yes. Article 2(1) of Regulation (EU) 2024/2847 covers products with digital elements made available on the EU market. Article 3(6) defines "component" as software or hardware intended for integration into an electronic information system. If your component contains firmware, handles data, or establishes network connections, it is within scope — even if it is never sold directly to an end user.

Article 13(5) of the Cyber Resilience Act requires manufacturers to exercise due diligence when integrating components. Your EU buyer is the manufacturer of the final product — but they need documented evidence from you. If you cannot provide structured cybersecurity documentation aligned with Annex VII, procurement teams will source from a competitor who can. CRACheck generates an 8-document dossier in 15–25 minutes from your browser. €149 per product. No data leaves your device.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

11 Dec 2027

Full CRA enforcement deadline

Art. 13(5)

Due diligence on component integration

15 min

Complete dossier generation time

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Enter your component category

CRACheck determines whether it falls under Default, Important Class I (Annex III), or Class II

Input product specifications

Hardware version, firmware details, connectivity interfaces, intended integration context

Map your cybersecurity measures

Encryption protocols, authentication mechanisms, update channels, data handling

Complete the vulnerability handling section

Disclosure policy, patch cycle, coordinated reporting procedures

Define your support commitment

Security update period, end-of-support date, communication channels with integrators

Generate your 8-document dossier

PDF output aligned with Art. 31 and Annex VII, ready to attach to your customer's procurement file

Review, edit, and download

30-day editing window with 10 regenerations included

Common mistakes

❌

SUPPLY CHAIN MISCONCEPTION

"We only make components, the CRA does not apply to us"

Article 2(1) of Regulation (EU) 2024/2847 applies to products with digital elements made available on the EU market, including components placed on the market separately. Article 3(6) defines a component as software or hardware intended for integration into an electronic information system. If your component has firmware, processes data, or connects to a network, it falls within scope.

❌

DOCUMENTATION GAP

"Our EU buyer handles all the compliance paperwork"

Article 13(5) requires manufacturers to exercise due diligence when integrating components from third parties. Your buyer's compliance team cannot complete their Annex VII technical documentation without structured cybersecurity data from you — vulnerability handling procedures, SBOM, risk assessment. If you do not provide it, they carry the gap as a compliance risk.

❌

CLASSIFICATION BLIND SPOT

"Components are always classified as Default products"

Annex III lists specific component categories under Important Class I — including microcontrollers with security-related functionalities (item 14), network interfaces (item 10), and routers and switches (item 12). If your component matches any Annex III category, it requires a stricter conformity assessment under Article 32.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Determines if your component is Default, Important Class I, or Class II under Annex III. Critical for your EU buyer's conformity assessment path.

Technical Documentation

Structured dossier per Art. 31 + Annex VII covering design, development, production, and vulnerability handling. Formatted for direct integration into your customer's technical file.

Risk Assessment

Cybersecurity risk evaluation per Annex I Part I. Maps threats specific to your component's integration context — firmware vulnerabilities, interface attack surfaces, supply chain vectors.

User Information

Instructions and security information per Annex II. Adapted for B2B component integration — what the downstream manufacturer needs to know about secure deployment.

Declaration of Conformity

EU Declaration per Art. 28 + Annex V. Pre-structured with manufacturer data, component identification, and applicable essential requirements.

CVD Policy

Coordinated vulnerability disclosure policy. Documents your reporting channel, response timelines, and coordination procedures with downstream manufacturers and ENISA.

Notification Template

Art. 14 notification structure for ENISA: 24-hour early warning, 72-hour vulnerability notification, 14-day final report. Pre-formatted for your component context. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

Key dates: Art. 14 reporting active 11 September 2026, full enforcement 11 December 2027, your stated support period, patch cycle milestones.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 EU COMPLIANCE CONSULTANT

€8,000–€15,000

4–8 weeks lead time. Requires sharing proprietary specs with external firm. Repeat cost for each new component variant. No structured digital output.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history