My IoT device is not listed in Annex III or Annex IV. Does that mean I can self-assess?

Yes. Article 32(1) of Regulation (EU) 2024/2847 allows manufacturers of default-category products to use the internal control procedure based on Module A as set out in Annex VIII, Part I. No notified body is required. You draw up the technical documentation, perform the risk assessment, and issue the EU declaration of conformity under your sole responsibility.

Does Article 33 provide any concrete support for SMEs?

Article 33(1) requires Member States to organise awareness-raising and training activities, establish dedicated communication channels for microenterprises and small enterprises, and support testing and conformity assessment. Article 33(2) allows Member States to establish cyber resilience regulatory sandboxes. Article 32(6) requires conformity assessment fees to be reduced proportionately for SMEs and startups.

Do I need a software bill of materials (SBOM) for Module A?

Yes. Part II, point (1) of Annex I requires manufacturers to identify and document vulnerabilities and components, including by drawing up an SBOM in a commonly used and machine-readable format covering at least the top-level dependencies. Annex VII, point (2)(b) requires this SBOM to be part of the technical documentation.

What happens if I affix CE marking without the technical documentation?

Affixing CE marking without completing the conformity assessment procedure is a violation of Article 30 and Article 13(12). Article 64(3) subjects non-compliance with Articles 28, 30, 31, and 32 to fines of up to €10,000,000 or 2% of global annual turnover.

Can market surveillance authorities request my full technical file?

Yes. Article 13(13) requires manufacturers to keep the technical documentation and EU declaration of conformity at the disposal of market surveillance authorities for at least 10 years after the product has been placed on the market, or for the support period, whichever is longer.

Is this a subscription?

No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Per Article 16(m) of Directive (EU) 2011/83, by activating the licence you give express consent for immediate generation of the digital content, waiving the 14-day withdrawal right. Refunds are only accepted for reproducible technical failures.

What if the regulation changes?

If the regulation is amended during the validity of your licence, you can regenerate the document with the updated version of the generator at no additional cost.

You manufacture an IoT device in Europe and it does not appear in Annex III or Annex IV of Regulation (EU) 2024/2847. Article 32(1)(a) allows you to self-assess under Module A. CRACheck produces the eight documents that Module A requires.

Module A under Annex VIII, Part I of the Cyber Resilience Act is the internal control procedure: no notified body, no external audit. You draw up the technical documentation per Annex VII, perform the cybersecurity risk assessment per Article 13(2), draft the EU declaration of conformity per Article 28, and affix CE marking per Article 30. CRACheck generates all eight documents from your input data in 15–25 minutes. One-time payment of €149. Your data never leaves your browser.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

90%

of products with digital elements are default category — eligible for Module A self-assessment (EC estimate)

PDF documents generated: from Product Classifier to Obligations Calendar

€149

one-time payment — no subscription, no recurring fees

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Classify your product

CRACheck determines whether your IoT device is default, Important Class I/II, or Critical per Annex III and Annex IV. If default, Module A applies under Article 32(1)(a).

Input product data

You describe your device, its intended purpose, connectivity, data processing, and security features. Everything stays in your browser.

Cybersecurity risk assessment

CRACheck structures your risk assessment following Article 13(2) and (3), mapping risks against the essential requirements in Part I of Annex I.

Technical documentation

The system compiles the documentation per Article 31 and the eight points of Annex VII.

Declaration of conformity

Drafted per Article 28 and the model structure in Annex V. Identifies your product, references the applicable standards, and declares conformity.

Vulnerability handling documentation

CVD policy per Part II, point (5) of Annex I and ENISA notification template per Article 14.

Download and review

Eight PDFs in a single ZIP. Review, adjust within 30 days, regenerate up to 10 times.

Common mistakes

❌

CONFORMITY ASSESSMENT

"Assuming CE marking alone proves CRA compliance"

CE marking under Article 30 is the final step, not the first. Before affixing CE, Article 13(12) requires drawing up technical documentation per Article 31 and completing the conformity assessment per Article 32. Without the underlying documentation, CE marking is an empty declaration that exposes you to the penalties in Article 64(3).

❌

TECHNICAL DOCUMENTATION

"Using a generic risk assessment template not mapped to Annex I"

Article 13(3) requires that the cybersecurity risk assessment explicitly indicate how Part I, point (1) and Part I, point (2) of Annex I are implemented and how Part II vulnerability handling requirements are applied. A generic ISO 27001 template does not cover these CRA-specific mappings.

❌

SUPPORT PERIOD

"Not documenting the rationale for your support period"

Article 13(8) requires manufacturers to determine the support period considering expected use time, user expectations, and product nature — with a minimum of five years. Annex VII, point (4) requires that the rationale for this determination be included in the technical documentation. Omitting it is a documentation gap that market surveillance authorities will flag.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Determines if your IoT device falls under default, Important Class I (Annex III), Class II, or Critical (Annex IV). Maps the conformity assessment path under Article 32.

Technical Documentation

Structured per Article 31 and the eight points of Annex VII. Covers product description, design architecture, risk assessment, support period rationale, standards, test reports, declaration reference, and SBOM provision.

Risk Assessment

Cybersecurity risk analysis per Article 13(2) and (3), mapping your product against the 13 essential requirements in Part I of Annex I and the 8 vulnerability handling requirements in Part II.

User Information

Document structured per Annex II with the 9 mandatory information points: manufacturer contact, vulnerability reporting point, product identification, intended purpose, known risks, declaration URL, support period, security instructions, and SBOM access.

Declaration of Conformity

Per Article 28 and Annex V model. Product identification, manufacturer details, conformity statement, standards referenced, notified body (if applicable), signature block.

CVD Policy

Coordinated vulnerability disclosure policy per Part II, point (5) of Annex I. Contact address, response timelines, disclosure process.

Notification Template

ENISA notification structure per Article 14: early warning (24h), vulnerability notification (72h), final report (14 days).

Obligations Calendar

Key dates: Article 14 reporting from 11 September 2026, full application from 11 December 2027, support period milestones.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 REGULATORY CONSULTANT

€10,000–€20,000

8–16 weeks timeline. Iterative review rounds, dependency on consultant availability, separate invoice for each regulation update.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history