Module A under Annex VIII, Part I of the Cyber Resilience Act is the internal control procedure: no notified body, no external audit. You draw up the technical documentation per Annex VII, perform the cybersecurity risk assessment per Article 13(2), draft the EU declaration of conformity per Article 28, and affix CE marking per Article 30. CRACheck generates all eight documents from your input data in 15–25 minutes. One-time payment of €149. Your data never leaves your browser.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.
CE marking under Article 30 is the final step, not the first. Before affixing CE, Article 13(12) requires drawing up technical documentation per Article 31 and completing the conformity assessment per Article 32. Without the underlying documentation, CE marking is an empty declaration that exposes you to the penalties in Article 64(3).
Article 13(3) requires that the cybersecurity risk assessment explicitly indicate how Part I, point (1) and Part I, point (2) of Annex I are implemented and how Part II vulnerability handling requirements are applied. A generic ISO 27001 template does not cover these CRA-specific mappings.
Article 13(8) requires manufacturers to determine the support period considering expected use time, user expectations, and product nature — with a minimum of five years. Annex VII, point (4) requires that the rationale for this determination be included in the technical documentation. Omitting it is a documentation gap that market surveillance authorities will flag.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Determines if your IoT device falls under default, Important Class I (Annex III), Class II, or Critical (Annex IV). Maps the conformity assessment path under Article 32.
Structured per Article 31 and the eight points of Annex VII. Covers product description, design architecture, risk assessment, support period rationale, standards, test reports, declaration reference, and SBOM provision.
Cybersecurity risk analysis per Article 13(2) and (3), mapping your product against the 13 essential requirements in Part I of Annex I and the 8 vulnerability handling requirements in Part II.
Document structured per Annex II with the 9 mandatory information points: manufacturer contact, vulnerability reporting point, product identification, intended purpose, known risks, declaration URL, support period, security instructions, and SBOM access.
Per Article 28 and Annex V model. Product identification, manufacturer details, conformity statement, standards referenced, notified body (if applicable), signature block.
Coordinated vulnerability disclosure policy per Part II, point (5) of Annex I. Contact address, response timelines, disclosure process.
ENISA notification structure per Article 14: early warning (24h), vulnerability notification (72h), final report (14 days).
Key dates: Article 14 reporting from 11 September 2026, full application from 11 December 2027, support period milestones.
Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.
Generated from your data, in your browser. No data leaves your device.
Generates the structured documentation that Article 31, Annex VII, Article 28, and Annex V require. Maps your product data against the essential cybersecurity requirements in Annex I. Produces the eight PDFs that a market surveillance authority expects to see when they ask for your technical file.
CRACheck does not perform penetration testing, code auditing, or physical security inspection of your product. It does not act as a notified body under Chapter IV. It does not provide legal advice. If your product is Important Class I or II under Annex III, you may need third-party assessment per Article 32(2) or (3).
Your documentation layer is a prerequisite regardless of the conformity assessment path. CRACheck builds that layer. The rest is yours to complete.
Article 64 of Regulation (EU) 2024/2847.
Non-compliance with Annex I and manufacturer obligations (Articles 13 and 14).
Non-compliance with Art. 19–23, Art. 28, Art. 31, Art. 32.
Supplying incorrect, incomplete or misleading information to notified bodies or market surveillance authorities.
| Criterion | DIY / manual | Consultant | Legal firm | CRACheck |
|---|---|---|---|---|
| Time to complete | Weeks–months | 8–16 weeks | 12–20 weeks | 15–25 minutes |
| Cost per product | Staff hours (unquantified) | €10K–€20K | €15K–€30K | €149 |
| CRA-specific mapping to Annex I + VII | Manual, error-prone | Depends on expertise | General legal, not CRA-specific | Automated, article-by-article |
| Updates when regulation changes | Start over | New engagement, new invoice | New engagement | Regenerate at no cost |
Pack of 10: €99 per product. Pack of 30: €79 per product. Contact us for custom volume pricing.
Request Volume PricingCRACheck generates a structured document based on Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, completeness, and truthfulness of that information is your responsibility as the manufacturer.
We guarantee that the document structure follows Article 31 and Annex VII and that the legal references cited are correct. We do not guarantee that a specific document will be accepted by a market surveillance authority in a particular case or by a commercial buyer in a procurement process.
CRACheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.
Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.