CRA Compliance Cost — Manufacturer Breakdown

Three cost lines you can predict

5 years

Minimum support / vulnerability handling — fixed cost (Art. 13(8))

10 years

Document retention — Annex VII + EU DoC (Art. 13(13))

Art. 14

24h/72h/14-day notification — PSIRT capacity from 11 Sept 2026

Where the money actually goes — obligation by obligation

Each line below is an obligation that costs labour, third-party fees, or both. The article reference shows what the regulation actually requires — the rest is your scope decision.

Cybersecurity risk assessment

Art. 13(2)–(4): mostly internal labour. Identify intended purpose, foreseeable use, operational environment, applicable Annex I Part I requirements. Updated through the support period. Cost driver: number of variants and integration scenarios.

Due diligence on integrated components

Art. 13(5)–(6): SBOM tooling, OSS audit, vulnerability scanning. Annex I, Part II, point (1) makes the top-level SBOM mandatory. Cost driver: complexity of your software supply chain.

Vulnerability handling capability (PSIRT)

Annex I, Part II (8 requirements) + Art. 13(8): intake channel, triage, remediation, public disclosure once fixed, secure update distribution, free security updates. Recurring cost across the 5-year (or longer) support period.

Technical documentation (Annex VII)

Art. 31: 8 documentation areas — product description, design and development, vulnerability handling, risk assessment, harmonised standards list, test reports, EU DoC, SBOM on request. Continuously updated during support period. CRACheck collapses this into the 8-document ZIP.

Conformity assessment fees

Art. 32: zero out-of-pocket for default products (Module A self-assessment). Class I without standards: Module B+C or H — notified body fees €15–80k. Class II: third-party mandatory. Critical: EU cybersecurity certificate. Recurring for surveillance under Module H.

CE marking and EU DoC

Art. 28 + Art. 30: minimal incremental cost when the underlying conformity work is done. Internal time to produce the EU DoC in each required Member State language.

Article 14 reporting capability

From 11 September 2026. 24h early-warning, 72h notification, 14-day final report. Out-of-hours coverage if your product is widely exploited. Final-report quality drives reputational risk.

End-of-support notification + support-period display

Art. 13(19): the end date of the support period (month + year) must be visible at the time of purchase. Art. 56 + Annex I, Part I, (2)(c): user notification of available updates and of end-of-support, where technically feasible.

Document retention — 10 years

Art. 13(13): technical documentation and EU DoC must be kept at the disposal of market surveillance authorities for 10 years after placing on market, or for the support period — whichever is longer. Storage and accessibility cost is small but non-zero.

Translation costs

Art. 13(18) + Recital 94: information and instructions to the user must be in a language easily understood by users and market surveillance authorities of each Member State of distribution. Translation budget scales with the number of national markets.

Penalty exposure (downside cost)

Art. 64: up to €15M or 2.5% of worldwide annual turnover for non-compliance with essential requirements / Arts 13–14. Up to €10M or 2% for breaches of Arts 18–23, 28, 30–33, 39, 41, 47, 49, 53. Up to €5M or 1% for incorrect/incomplete information to notified bodies and market surveillance authorities (Art. 64(2)–(4)).

Common mistakes

❌

FIXED-COST DENIAL

“We only need to budget for the notified body”

Notified-body fees are the visible tip. The hidden cost is the recurring 5-year vulnerability handling capability under Annex I, Part II — PSIRT staffing, secure update distribution, advisory writing, ENISA reporting on a 24h clock. That is where 60–80% of the lifetime cost sits for most manufacturers.

❌

PENALTY BLIND SPOT

“We will deal with non-compliance when it happens”

Article 64 sets penalties up to €15M or 2.5% of worldwide annual turnover for the highest-tier breaches (essential requirements and Arts. 13–14), €10M or 2% for the second tier, €5M or 1% for the third. Market surveillance authorities cooperate across Member States via the Union Product Compliance Network (Art. 52(15) ADCO). Multi-market exposure is the rule, not the exception.

❌

TRANSLATION OMISSION

“English documentation is enough”

Article 13(18) requires information and instructions to the user in a language easily understood by users and market surveillance authorities of each Member State where the product is placed. Annex II lists 9 mandatory items. Each new market adds a translation line item; Recital 94 acknowledges this is a significant cost for smaller manufacturers.

Does the CRA apply to your product?

Four-question self-check. If you answer YES to all four, your product is in scope of Regulation (EU) 2024/2847.

Is it a hardware or software product (or component) with digital elements?

Art. 3(1) — “product with digital elements”

Can it connect directly or indirectly to a device or network?

Art. 2(1) — logical or physical data connection

Will it be placed or made available on the EU market in the course of a commercial activity?

Art. 3(21)(22) + Recital 15

Is it NOT excluded? (not a medical device, not a motor vehicle, not certified aviation, not marine equipment, not national security/defence-only, not a spare part)

Art. 2(2)–(7)

Take the full product classification test →

Choose your licence

One-time payment. No subscription. The downloaded dossier is yours forever.

1 PRODUCT

149 €

/ product

8-document CRA dossier (ZIP)
Product Classifier + Technical Documentation
Risk Assessment + User Information
10 regenerations · 30 days
1 licence = 1 product

Buy licence →

PROFESSIONAL PACK

1,199 €

70 generations · 1 key

For multi-product catalogues

70 generations with a single key
70 complete dossiers (8 documents each)
Switch product between generations
Ideal for importers with large catalogues
For consultants billing CRA compliance

Buy Professional Pack →

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Determines whether your product is Default, Important Class I, Important Class II (Annex III) or Critical (Annex IV). Documents the rationale and the applicable conformity assessment procedure under Article 32.

Technical Documentation

Article 31 + Annex VII dossier. Product description, design and development, vulnerability handling processes, risk assessment, list of harmonised standards applied, conformity solutions.

Cybersecurity Risk Assessment

Annex I, Part I analysis. Intended purpose, reasonably foreseeable use, operational environment, applicability of each essential requirement, mitigation measures.

User Information & Instructions

Annex II. Manufacturer details, single point of contact, intended purpose, support period end date, secure decommissioning, automatic-update opt-out instructions.

EU Declaration of Conformity

Article 28 + Annex V. Pre-structured with your classification, applicable conformity module, harmonised standards or certificates relied on, notified body number when applicable.

Coordinated Vulnerability Disclosure Policy

Annex I, Part II, point (5). Single point of contact, intake workflow, triage and remediation timeline, public disclosure rules.

ENISA Notification Template

Article 14 reporting. Pre-filled 24h early warning, 72h vulnerability/incident notification, 14-day final report templates.

Obligations Calendar

Personalised milestones: Article 14 reporting starts 11 September 2026, full application 11 December 2027, document retention 10 years, support period (Art. 13(8)) end date.

See before you buy — Download sample dossier (PDF, fictional company). Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

💶 EXTERNAL CONSULTANCY FOR FULL CRA PROGRAMME

€25,000–€120,000

Programme covering risk assessment, technical documentation, conformity-assessment preparation and PSIRT bootstrap. Necessary for complex catalogues; overpriced for a single product line.

CRACHECK — SAME OUTPUT

€149

Per-product documentation set — risk assessment, Annex VII, Annex II, EU DoC, CVD policy, ENISA notification templates, obligations calendar — generated from your inputs in 15–25 minutes.

Legal sources

Every article and recital cited on this page comes from the official text of Regulation (EU) 2024/2847 (Cyber Resilience Act), published in the Official Journal of the European Union on 20 November 2024 (ELI: data.europa.eu/eli/reg/2024/2847/oj).

→ Full text on EUR-Lex (CELEX 32024R2847)
→ HTML version (article-by-article)
→ Official PDF (81 pages)
→ All 24 EU language versions

Related: Regulation (EU) 2019/881 (Cybersecurity Act, EUCC) · Directive (EU) 2022/2555 (NIS2) · Regulation (EU) 2019/1020 (market surveillance) · Regulation (EU) 2024/1689 (AI Act).

Important notice

This is not legal advice. CRACheck is structured self-assessment software based on Regulation (EU) 2024/2847. The dossier you download is structured documentation, not a third-party audit or certification.

Class II and Critical products still need a notified body. CRACheck prepares the dossier that the notified body will examine — it does not replace the third-party conformity assessment required by Article 32(3) and Article 32(4).

Maximum liability: the amount you paid for the licence. Always verify your specific situation with your legal counsel.

Frequently asked questions

What is the cheapest legal path to CRA compliance?

For default products (not in Annex III or IV), Module A self-assessment under Article 32(1)(a) is the cheapest — no notified body fee. You still need the full Article 13 dossier: risk assessment, Annex VII technical documentation, Annex II user information, EU DoC, CVD policy, Article 14 reporting capability, and vulnerability handling for the 5-year support period. CRACheck collapses the documentation half to €149.

How much does a notified body cost?

There is no single figure. Notified-body fees depend on the product, the module chosen (B+C vs H), product complexity, and the surveillance frequency under Module H (Annex VIII, Part IV, point 4.3 — periodic audits). Recital 96 instructs conformity assessment bodies to take into account the specific interests and needs of microenterprises and SMEs when setting fees, and to reduce them proportionately.

Can I save money by waiting for harmonised standards?

Not really. The 11 December 2027 application date does not move. If standards are not published in time, Article 27(2) allows fallback common specifications. Waiting compresses your testing and assessment window, raising risk and likely cost. For Class I without standards, Module A is not available — you must use Module B+C or H (Art. 32(2)).

Do micro and small enterprises get any cost relief?

Yes, several. Article 33 (support measures), Article 32(6) (fees ‘reduced proportionately’ to specific needs), Article 33(5) (simplified technical-documentation form by Commission implementing act), Recital 94 (translation cost flexibility), and Article 64(10) (early-warning deadline penalty derogation for micro and small enterprises).

Is this a subscription?

No. One-time payment. 30-day editing window. 10 regenerations. The PDF dossier is yours permanently.

Can I request a refund?

Under Article 16(m) of Directive (EU) 2011/83, the act of licence activation constitutes express consent for immediate digital content generation, which removes the right of withdrawal. Refunds are issued only for reproducible technical failures.

What if the regulation changes before I file my dossier?

Regenerate at no additional cost during your licence validity. Substantive amendments to Regulation (EU) 2024/2847 are tracked weekly from EUR-Lex; if a clause you cited is amended, you can regenerate the affected sections.

The real cost of CRA compliance for a manufacturer: what each Article 13 obligation actually requires you to spend on, before and after 11 December 2027