Reg (EU) 2024/2847Generate dossier — €149
LIVE — Enforcement tracker · Deadline dashboard · Transposition status — Updated weekly from EUR-Lex, Safety Gate, OEIL & 12 official sourcesView regulatory intelligence →

Your edtech platform in India is used by European universities and schools. Students log in, attend virtual classes, submit assignments, take proctored exams. The platform is a product with digital elements under Article 3(1) of Regulation (EU) 2024/2847. You market it under your brand. You are the manufacturer. The university's procurement team has started asking for Annex VII documentation. CRACheck generates it.

European higher education institutions are modernising their procurement processes. The shift started with GDPR data processing agreements. Now Regulation (EU) 2024/2847 adds cybersecurity documentation requirements. University IT procurement in Germany, the Netherlands, France, and the Nordics increasingly references the CRA in vendor assessments. Your Indian edtech platform processes student data, handles authentication, stores exam results, and integrates with university identity systems. Each of these functions is relevant to Annex I cybersecurity requirements. CRACheck generates 8 PDF documents under Art. 31 + Annex VII in 15–25 minutes. €149 per platform. 100% browser-side — student data never leaves your machine.

Generate Annex VII dossier — €149Free: check if your product is in scope

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side — your data never leaves your device

Key numbers

Art. 2(1)
Products with digital elements and a data connection. Your LMS qualifies.
Annex I §2(d)
Protection from unauthorised access. Student data access control is an essential cybersecurity requirement.
€149
Per platform. The cost is invisible compared to the value of a university contract.

How it works

1
Confirm CRA scope for your edtech product
LMS, virtual classroom, proctoring, student management: all are software products with data connections (Art. 2(1)). In scope.
2
Classify the product
Use the free CRACheck classifier. Most edtech platforms are Default category. Platforms with identity management (SSO, student authentication) may be Important Class I (Annex III §1).
3
Complete CRACheck
15–25 minutes. Edtech-specific inputs: student authentication, exam data integrity, LTI integration, SAML/OIDC identity federation, data retention.
4
Download the 8-PDF dossier
Structured Annex VII documentation.
5
Include in university procurement response
Attach the dossier to your vendor assessment submission.
6
Maintain for ongoing procurement cycles
University procurement is recurring. Keep the dossier updated for each academic year's renewal.

Three mistakes to avoid

COMMON MISTAKE

"Education software is exempt from the CRA"

Regulation (EU) 2024/2847 contains no education sector exemption. Article 2(2) exempts medical devices (MDR), motor vehicles (2019/2144), aviation (2018/1139), and marine equipment (2014/90). Education software is not on the exemption list. If the platform is a product with digital elements on the EU market, the CRA applies.

COMMON MISTAKE

"The university handles compliance — we just provide the platform"

If you market the platform under your brand and sell it to European universities, you are the manufacturer under Article 3(1). The university is the user. Article 13 manufacturer obligations — including Annex VII documentation — are yours. The university may have its own NIS2 obligations, but CRA product compliance is the manufacturer's responsibility.

COMMON MISTAKE

"FERPA compliance covers European requirements"

FERPA is a US regulation governing student education records. European universities operate under GDPR and now under Regulation (EU) 2024/2847. FERPA does not satisfy either. The CRA requires product cybersecurity documentation. GDPR requires data protection documentation. Both are European requirements independent of US regulations.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1

Product Classifier

Edtech product classification. Identity management components (SSO, authentication) may trigger Important Class I.

2

Technical Documentation

Annex VII: LMS architecture, integration points (LTI, SIS), data flows, student authentication, exam integrity mechanisms.

3

Risk Assessment

Art. 13(2). Edtech threat model: student data breach, exam fraud, service disruption during exam periods, identity theft.

4

User Information

Annex II. University IT team documentation: deployment, security configuration, data migration, account provisioning/deprovisioning.

5

Declaration of Conformity

Art. 28 + Annex V.

6

CVD Policy

Annex I Part II §5.

7

Notification Template

Art. 14. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

8

Obligations Calendar

Key dates.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 EUROPEAN EDTECH COMPLIANCE CONSULTANT
€8,000–€15,000
3–5 months. Per platform.
✓ CRACHECK
€149
8 documents. 15–25 minutes. University procurement-ready.

Two layers of responsibility

● WHAT CRACHECK DOES

Documentation generation

Generates Annex VII documentation for your edtech platform. 8 PDFs. 15–25 minutes. €149. Designed to satisfy university procurement requirements.

∅ WHAT CRACHECK DOES NOT DO

What falls outside CRACheck

Does not assess GDPR compliance for student data. Does not evaluate accessibility (EAA Directive 2019/882). Does not interact with university IT procurement portals.

We document the product. You handle data protection and accessibility.

Enforcement regime

Article 64 of Regulation (EU) 2024/2847.

🇪🇺
Non-compliance with Annex I + Art. 13, 14
€15M / 2.5%

Art. 64(2). Student data breaches are high-visibility enforcement scenarios.

🇪🇺
Missing documentation (Art. 31)
€10M / 2%

Art. 64(3).

🇪🇺
Incorrect information
€5M / 1%

Art. 64(4).

Alternatives

AlternativeCostWhat you get
Edtech compliance consultant€8,000–€15,000CRA + GDPR + accessibility review. 3–5 months.
Internal team reads the regulationFree + weeksNon-standard documentation. University rejects.
Withdraw from EU university procurement€0Lose the European education market.
CRACheck€1498 documents. 15–25 min. University procurement-ready.

Your edtech company has multiple products for European education?

LMS, proctoring, student management — each platform needs its own Annex VII dossier. Contact us for edtech volume pricing.

Request Volume Pricing
One-business-day response

What CRACheck guarantees and what it does not

CRACheck generates a structured document under Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy is your responsibility as the manufacturer.

We guarantee structure and legal references. We do not guarantee acceptance by a university procurement committee or market surveillance authority.

CRACheck is not legal advice. For edtech-specific regulatory questions, consult a qualified lawyer.

Frequently asked questions

Does the CRA apply to learning management systems?
Article 2(1) of Regulation (EU) 2024/2847 applies to products with digital elements with a data connection on the EU market. An LMS is a software product (Art. 3(1)) with data connections (student logins, API integrations, content delivery). If marketed on the EU market, it falls within CRA scope. There is no education sector exemption.
Our platform integrates with university identity systems via SAML/OIDC. Does that affect classification?
Identity management systems are Important Class I under Annex III §1. If your platform includes an identity management component — such as a built-in authentication system — it may be classified as Important. If identity management is handled entirely by the university's identity provider and your platform only consumes assertions, the classification may remain Default. CRACheck's classifier helps determine this.
European universities already require GDPR compliance. Is CRA on top of that?
Yes. GDPR and the CRA are complementary regulations. GDPR governs how you process student personal data. The CRA governs the cybersecurity of your product. University procurement will increasingly require evidence of both.
Our proctoring software uses biometric data. Does that change CRA requirements?
Biometric data processing affects GDPR and potentially the AI Act (Regulation 2024/1689). Under the CRA, the relevant requirements are Annex I Part I §2(e) (data confidentiality, including biometric data), §2(d) (access control), and §2(g) (data minimisation). CRACheck documents these cybersecurity aspects. GDPR and AI Act compliance are separate.
Is it a subscription?
No. One-time payment. 30 days editing, 10 regenerations.
Can I request a refund?
Art. 16(m) Directive (EU) 2011/83. Activation = express consent. Refunds only for reproducible technical failures.
What if the regulation changes?
Regenerate at no additional cost during your licence period.

Official legal sources

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

European universities are asking for CRA documentation. Generate it in 15 minutes.

Eight documents. Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.

€149 one-time
8 documents · 15–25 min · No subscription · 100% browser-side
Generate Annex VII dossier — €149

Related landings

🏥 Healthtech

CRA compliance healthtech telemedicine app India — EU
🚀 SaaS startup

CRA compliance Indian SaaS startup — EU customers
💼 ERP SaaS

CRA compliance Indian SaaS ERP accounting — EU
✓ Last regulatory check: 28 April 2026 · No substantive changes detected · View history