Article 13(5) of the Cyber Resilience Act requires manufacturers to exercise due diligence when integrating components. Your EU buyer is the manufacturer of the final product — but they need documented evidence from you. If you cannot provide structured cybersecurity documentation aligned with Annex VII, procurement teams will source from a competitor who can. CRACheck generates an 8-document dossier in 15–25 minutes from your browser. €149 per product. No data leaves your device.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.
Article 2(1) of Regulation (EU) 2024/2847 applies to products with digital elements made available on the EU market, including components placed on the market separately. Article 3(6) defines a component as software or hardware intended for integration into an electronic information system. If your component has firmware, processes data, or connects to a network, it falls within scope.
Article 13(5) requires manufacturers to exercise due diligence when integrating components from third parties. Your buyer's compliance team cannot complete their Annex VII technical documentation without structured cybersecurity data from you — vulnerability handling procedures, SBOM, risk assessment. If you do not provide it, they carry the gap as a compliance risk.
Annex III lists specific component categories under Important Class I — including microcontrollers with security-related functionalities (item 14), network interfaces (item 10), and routers and switches (item 12). If your component matches any Annex III category, it requires a stricter conformity assessment under Article 32.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Determines if your component is Default, Important Class I, or Class II under Annex III. Critical for your EU buyer's conformity assessment path.
Structured dossier per Art. 31 + Annex VII covering design, development, production, and vulnerability handling. Formatted for direct integration into your customer's technical file.
Cybersecurity risk evaluation per Annex I Part I. Maps threats specific to your component's integration context — firmware vulnerabilities, interface attack surfaces, supply chain vectors.
Instructions and security information per Annex II. Adapted for B2B component integration — what the downstream manufacturer needs to know about secure deployment.
EU Declaration per Art. 28 + Annex V. Pre-structured with manufacturer data, component identification, and applicable essential requirements.
Coordinated vulnerability disclosure policy. Documents your reporting channel, response timelines, and coordination procedures with downstream manufacturers and ENISA.
Art. 14 notification structure for ENISA: 24-hour early warning, 72-hour vulnerability notification, 14-day final report. Pre-formatted for your component context. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
Key dates: Art. 14 reporting active 11 September 2026, full enforcement 11 December 2027, your stated support period, patch cycle milestones.
Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.
Generated from your data, in your browser. No data leaves your device.
CRACheck generates 8 structured PDF documents aligned with Art. 31 and Annex VII of Regulation (EU) 2024/2847. It classifies your component, maps your cybersecurity measures to the essential requirements of Annex I, and produces a dossier your EU buyer can integrate directly into their technical file. This is the documentation layer — the part you can automate now.
CRACheck does not redesign your firmware architecture. It does not conduct penetration testing on your component. It does not negotiate with notified bodies on your behalf. If your component falls under Annex III Class I or II, you may need third-party conformity assessment under Article 32 — CRACheck documents your product, but the assessment itself is a separate process.
Most Taiwanese component manufacturers need Layer 1 first. The documentation is what your EU buyer is asking for today. Layer 2 comes when enforcement requires it.
Article 64 of Regulation (EU) 2024/2847.
Non-compliance with essential cybersecurity requirements (Annex I) and manufacturer obligations (Art. 13, Art. 14).
Non-compliance with Art. 18–23, Art. 28, Art. 31, Art. 32. Includes failure to maintain technical documentation.
Providing incorrect, incomplete, or misleading information to notified bodies or market surveillance authorities.
| Criterion | EU Consultant | Manual DIY | Trade Association Template | CRACheck |
|---|---|---|---|---|
| Time to complete | 4–8 weeks | 3–6 weeks | 1–2 weeks (if applicable) | 15–25 minutes |
| Cost per product | €8,000–€15,000 | Internal staff cost | €500–€2,000 membership | €149 |
| Data privacy | Shared with third party | Internal | Shared with association | 100% browser-side |
| Annex VII alignment | Depends on consultant | Uncertain without legal review | Generic, not product-specific | Structured per Art. 31 + Annex VII |
If you manufacture 10 or more distinct components for EU markets, volume pricing applies: €99 per product for packs of 10, €79 per product for packs of 30. Each product receives its own 8-document dossier. Contact us to arrange your volume order.
Request Volume PricingCRACheck generates a structured document aligned with Article 31 and Annex VII of Regulation (EU) 2024/2847 based on the information you provide. The accuracy, completeness, and truthfulness of the input data is your responsibility as the component manufacturer.
We guarantee that the document structure follows Art. 31 + Annex VII and that all legal references cited in the output are correct. We do not guarantee that a specific document will be accepted by a market surveillance authority in a particular case or by a commercial buyer in a procurement process.
CRACheck is not legal advice. For situations specific to your component's classification, supply chain position, or conformity assessment path, consult a regulatory attorney or specialised compliance consultancy.
Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.