What exactly must I have ready by 11 September 2026?

Article 14 applies from that date. You need: a coordinated vulnerability disclosure policy (Part II, point (5) of Annex I), a contact address for vulnerability reports (Part II, point (6)), and the capacity to submit early warning notifications to ENISA within 24 hours (Article 14(2)(a)).

Is 15 months enough to prepare for full enforcement?

For default-category products using Module A self-assessment, the documentation can be completed in days. For Important Class I/II products requiring notified body examination, the process can take 3–6 months. Starting now is advisable for any product that may need third-party assessment.

Can I generate the documentation now and update it later?

Yes. CRACheck includes 30 days of editing and 10 regenerations per licence. The technical documentation must be continuously updated during the support period per Article 31(2). You can generate a first version now and refine it as your product evolves.

Is this a subscription?

No. One-time payment. 30 days editing, 10 regenerations. PDF yours permanently.

Can I request a refund?

Per Article 16(m) of Directive (EU) 2011/83, licence activation constitutes express consent. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate with the updated version at no additional cost during licence validity.

Regulation (EU) 2024/2847 applies from 11 December 2027. Article 14 reporting obligations start on 11 September 2026. If you place a product with digital elements on the EU market, here is what you need, in what order, and how CRACheck covers the documentation layer.

The Cyber Resilience Act has three application dates. Chapter IV (notified bodies) applies from 11 June 2026. Article 14 (vulnerability and incident reporting to ENISA) applies from 11 September 2026. Everything else — technical documentation under Article 31, conformity assessment under Article 32, CE marking under Article 30, essential cybersecurity requirements under Annex I — applies from 11 December 2027. Products placed on the market before that date are not subject to the CRA unless placed on the market again after it. CRACheck generates the eight documentation components in 15–25 minutes for €149.

Generate CRA documentation — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

11 Dec 2027

full enforcement — all obligations under the CRA apply from this date

11 Sept 2026

Article 14 reporting starts — vulnerability notifications to ENISA within 24 hours

documents CRACheck generates per product to cover the documentation layer

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Now: classify your products

Determine whether each product is default, Important Class I/II (Annex III), or Critical (Annex IV). This determines the conformity assessment path and timeline for any third-party assessment.

Now: assess vulnerability handling readiness

Article 14 applies from 11 September 2026. You need a CVD policy, a contact address for vulnerability reporting, and the capacity to submit early warning notifications to ENISA within 24 hours.

Q3 2026: establish ENISA reporting capability

Familiarise yourself with the single reporting platform under Article 16. Prepare the notification templates for early warning (24h), vulnerability notification (72h), and final report (14 days).

Q4 2026–Q2 2027: build the documentation

Draw up technical documentation per Article 31 and Annex VII. Conduct the cybersecurity risk assessment per Article 13(2)–(3). Prepare the EU declaration of conformity per Article 28.

Q3 2027: complete conformity assessment

For default products, Module A. For Important Class I without harmonised standards, Module B+C or H. For Class II, Module B+C or H per Article 32(3).

Before 11 December 2027: affix CE marking

Per Article 30, CE marking may only be affixed after the conformity assessment procedure is complete.

From 11 December 2027: maintain compliance

Ongoing security updates per Part II, point (8) of Annex I, vulnerability handling per Part II, and support period obligations per Article 13(8) for a minimum of five years.

Common mistakes

❌

DATES

"Ignoring the September 2026 reporting deadline"

Article 14 applies from 11 September 2026, sixteen months before full enforcement. From that date, manufacturers must notify actively exploited vulnerabilities to ENISA within 24 hours, submit a vulnerability notification within 72 hours, and deliver a final report within 14 days. Missing this intermediate deadline is a separate violation.

❌

GRANDFATHERING

"Assuming products already on the market are exempt"

Article 69(1) states that products placed on the market before 11 December 2027 are subject to the CRA only where they undergo a substantial modification after that date. However, Article 13(8) and Part II of Annex I still apply during the support period for vulnerability handling.

❌

TIMELINE

"Leaving documentation to the last quarter before enforcement"

Article 13(12) requires technical documentation to be drawn up before placing the product on the market. For Important Class I/II products, Article 32(2)–(3) requires third-party examination, which adds months. Starting in Q4 2027 risks missing the deadline.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

First step in any compliance timeline. Determines whether you need Module A or third-party examination, which directly impacts how far in advance you need to start.

Technical Documentation

Per Article 31 and Annex VII. The central document that must exist before market placement. Starting early means you have time to iterate.

Risk Assessment

Per Article 13(2) and (3). Maps your product against Part I of Annex I. Must be updated during the support period.

User Information

Per Annex II. Nine mandatory items that must accompany the product at market placement.

Declaration of Conformity

Per Article 28 and Annex V. Cannot be issued until the conformity assessment is complete.

CVD Policy

Required from 11 September 2026 for Article 14 compliance. Starting early is not optional for this document.

Notification Template

Article 14 structure. Operational from 11 September 2026. Must be in place before the first vulnerability is discovered.

Obligations Calendar

Maps the three enforcement dates, your product's support period, and documentation retention requirements (10 years per Article 13(13)) onto a single timeline.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 WAIT AND REACT

€20,000+ (rush rates)

No cost now, but €15M maximum fine per Article 64(2) after December 2027. Scramble to hire a consultant in Q4 2027 when every firm is booked. No time for notified body examination if product is Class I/II.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history