CRA Compliance Cost for US Small Business

Key numbers

€149

CRACheck cost per product. Compare: €15,000 average consultant cost for the same documentation.

15 min

Time to generate the full dossier. Compare: 8-16 weeks with a consultant.

100x

Cost difference: CRACheck vs. average regulatory consultant for a single product.

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Decide your compliance approach

This page compares four options. Read the comparison, then choose.

If CRACheck: open the generator

Enter your product details. No onboarding call. No NDA. No statement of work.

Classify your product

CRACheck determines your Annex III category. Most small business software products classify as Default — eligible for self-assessment.

Describe your product

Architecture, security controls, third-party components. You know your product better than any consultant.

Generate 8 documents

Technical documentation, risk assessment, declaration of conformity, user information, CVD policy, ENISA template, obligations calendar.

Download and deliver

8 PDFs in ZIP. Ready for your EU customer. Total elapsed time: 15-25 minutes. Total cost: €149.

Repeat for each product

If you have multiple products, each needs its own dossier. Pack of 10: €99 each. Pack of 30: €79 each.

Common mistakes

❌

ENFORCEMENT REALITY

"We are too small for EU regulators to notice"

CRA enforcement applies to products, not company size. Article 64 does not set a minimum revenue threshold for fines. More importantly, the practical enforcement mechanism is commercial: your EU customers will refuse to buy products without documentation, and EU importers cannot legally place undocumented products on the market (Article 19). Regulatory enforcement is secondary — commercial exclusion is primary.

❌

COMMERCIAL RISK

"We will wait and see if any small company actually gets fined"

By the time a fine is publicized, you have already lost EU market access. EU importers and enterprise customers are building compliant supply chains now. Vendors without CRA documentation are excluded from procurement shortlists before any fine is issued. The cost of exclusion — lost revenue from EU customers — exceeds the €149 documentation cost by orders of magnitude.

❌

SPECIALIZATION GAP

"We will ask our accountant/general attorney to handle EU compliance"

CRA compliance requires understanding of Regulation (EU) 2024/2847 — a 81-page EU regulation with specific technical documentation requirements. A general attorney or accountant without EU product safety law expertise will spend 40-80 hours researching the regulation before producing a single document. At $200-$400/h, the research cost alone exceeds €15,000. CRACheck eliminates the research step.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Determines your Annex III category. For small businesses, confirming Default classification (Module A self-assessment) is the most cost-relevant finding — no notified body fees required.

Technical Documentation

Art. 31 + Annex VII. The core document that demonstrates CRA compliance. Structured for your product's specific architecture.

Risk Assessment

Art. 13(2)-(3). Product-specific cybersecurity risk analysis mapped to Annex I requirements.

User Information

Annex II. What you must disclose to your EU users about your product's security.

Declaration of Conformity

Art. 28 + Annex V. The formal compliance statement.

CVD Policy

Vulnerability disclosure policy per Annex I, Part II.

Notification Template

Art. 14 ENISA notification structure. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

Key dates and support period obligations.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 ALL OTHER OPTIONS

€8,000–€100,000

EU law firm: €15K-€25K, 8-16 weeks. US consultant: $8K-$15K, 6-12 weeks. Internal counsel: 40-80 hours at $200-$400/h. Or ignore CRA: €0 upfront, lose EU market access.

✓ CRACHECK

€149

€149 per product. 15 minutes. No research phase. No consultant onboarding. No scope creep. 8 structured documents. Pack of 10: €99. Pack of 30: €79.

Two layers

● LAYER 1

Documentation (CRACheck)

Produces the complete CRA documentation package at a cost that fits a small business budget. The same 8 documents a €15,000 consultant produces, structured against the same regulation, for €149.

∅ LAYER 2

What CRACheck does NOT do

Does not audit your product. Does not provide ongoing compliance monitoring. Does not replace your security engineering practices. Does not guarantee market surveillance authority acceptance. The tool produces documentation — the substance behind the documentation is your engineering responsibility.

CRACheck levels the playing field. A 20-person company gets the same documentation structure as a 2,000-person company. The difference is €149 vs. €15,000, not documentation quality.

Enforcement regime

Article 64 of Regulation (EU) 2024/2847.

🔴

Essential requirements + manufacturer obligations (Art. 64(2))

€15,000,000 / 2.5%

Note: Article 64(5)(c) requires consideration of company size, including SMEs and startups, when determining fine amounts.

🟠

Documentation and conformity obligations (Art. 64(3))

€10,000,000 / 2%

Missing documentation or conformity assessment.

🟡

Misleading information (Art. 64(4))

€5,000,000 / 1%

Misleading information to authorities.

Alternatives

Criteria	EU law firm	US consultant	Internal counsel	Ignore CRA	CRACheck
Cost per product	€15K-€25K	$8K-$15K	$8K-$32K	€0	€149
Time	8-16 weeks	6-12 weeks	40-80 hours	N/A	15-25 min
Documents produced	Varies	Varies	Varies	0	8 PDFs
EU market risk	Low	Low	Medium	High	Low

Multiple products for the EU market?

Each product needs its own Article 31 dossier. Volume pricing makes multi-product compliance accessible for small businesses: 10 products at €99, 30 at €79.

Request Volume Pricing

Response within 24 business hours.

What CRACheck guarantees and what it does not

CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy of that information is your responsibility as the manufacturer.

We guarantee the document structure follows Article 31 + Annex VII and legal references are correct. We do not guarantee acceptance by a market surveillance authority.

CRACheck is not legal advice. For company-specific questions about CRA obligations, consult a qualified attorney.

Frequently asked questions

Are there CRA exemptions for small businesses?

The CRA does not exempt companies based on size. However, Recital 93 and Article 31 provide for a simplified technical documentation form for microenterprises (fewer than 10 employees) and small enterprises (fewer than 50 employees), reducing administrative burden. Article 64(5)(c) requires fines to consider company size. CRACheck's output is compatible with both full and simplified documentation formats.

What is the minimum CRA compliance cost for a small US company?

Using CRACheck, the minimum is €149 per product for the complete 8-document dossier. If your product classifies as Default under Annex III, you qualify for Module A self-assessment with no notified body fees. Total compliance documentation cost: €149. Ongoing costs: maintaining security updates and vulnerability handling processes per Annex I, Part II — which your engineering team should be doing regardless.

Can I use CRACheck for all my products or do I need a consultant for some?

CRACheck covers all product categories. For Default products (the majority), the full dossier is sufficient. For Important Class II or Critical products, you will also need notified body involvement per Article 32(3), which CRACheck cannot provide. CRACheck still generates the documentation these categories require — but the conformity assessment adds an external cost.

How does CRACheck compare to free templates available online?

Free CRA templates, where they exist, typically provide blank document structures without product-specific content generation. CRACheck generates populated documents from your product data, mapped to Annex I requirements, with pre-structured risk assessment categories, pre-filled regulatory references, and integrated cross-references between documents. The difference is between a blank template and a populated dossier.

If I start with CRACheck, can I switch to a consultant later?

Yes. CRACheck documentation can serve as a starting point for a more detailed engagement. A consultant reviewing an existing CRACheck dossier will spend less time than starting from scratch, potentially reducing their fees. The documents are standard PDFs with no lock-in.

Is CRACheck a subscription?

No. One-time payment. 30 days of editing, 10 regenerations. The PDF is yours to keep.

Can I request a refund?

Per Article 16(m) of Directive (EU) 2011/83, activating the license constitutes express consent for immediate generation. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate at no additional cost during your license period.

Official legal sources

Regulation (EU) 2024/2847 — Cyber Resilience Act

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.