The CRA's healthcare exclusion is narrower than it appears. Art. 2(2)(a) excludes products subject to Regulation (EU) 2017/745 (medical devices). Art. 2(2)(b) excludes products subject to Regulation (EU) 2017/746 (in vitro diagnostic devices). Everything else — hospital information systems, clinical decision support that does not qualify as a medical device, patient scheduling platforms, health data analytics, EHR middleware, wellness apps — falls within CRA scope as products with digital elements under Art. 3(1). If your product has a data connection and you market it in the EU, Art. 13 manufacturer obligations apply. CRACheck generates the 8-document technical file under Art. 31 and Annex VII. €149 per product. 15-25 minutes. Patient-adjacent data architecture stays in your browser.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
Art. 2(2)(a)-(b) of Regulation (EU) 2024/2847 excludes only products subject to Regulation (EU) 2017/745 (MDR) or 2017/746 (IVDR). Hospital IT systems, clinical analytics, scheduling platforms and health data middleware are not medical devices under MDR. The CRA applies to them in full.
Annex I Part I point (2)(e) of Regulation (EU) 2024/2847 requires encryption of data at rest and in transit. In healthcare, this includes patient-identifiable data, clinical workflow data and access credentials. A cybersecurity risk assessment under Art. 13(2) that does not specifically address healthcare data sensitivity is incomplete.
Annex I Part I point (2)(h) requires availability protection even after incidents. For software deployed in clinical workflows — even if not a medical device — availability failures can disrupt care delivery. A risk assessment that omits availability is missing one of the Annex I essential requirements.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Confirms that your product falls within CRA scope (not excluded under Art. 2(2)) and identifies its category: Default, or Important Class I if identity/access management is a core function.
Art. 31 and Annex VII documentation structured for healthcare IT: system architecture, data flows, API integrations with hospital systems, authentication mechanisms.
Cybersecurity risk assessment per Art. 13(2)-(3) covering healthcare-specific vectors: patient data exposure, clinical workflow disruption, integration point vulnerabilities, medical device interoperability risks.
Annex II information adapted for hospital IT departments: secure deployment in clinical environments, configuration for data protection, support period, vulnerability reporting.
EU Declaration per Art. 28 and Annex V for the healthcare software product.
Coordinated vulnerability disclosure policy aligned with healthcare sector responsible disclosure practices and CERT coordination.
ENISA notification template per Art. 14 with healthcare urgency context.
Key dates with healthcare procurement cycles: Art. 14 from September 2026, full enforcement December 2027, hospital contract renewal windows.
See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.
Generated from your data, in your browser. No data leaves your device.
CRACheck generates the Art. 31 and Annex VII documentation for your healthcare software product that is not classified as a medical device. The output addresses cybersecurity requirements relevant to healthcare deployment: data confidentiality, integrity, availability and vulnerability handling. Eight documents per product.
CRACheck does not determine whether your product qualifies as a medical device under MDR (Regulation (EU) 2017/745). That classification determines CRA scope under Art. 2(2) and must be assessed separately. CRACheck does not produce MDR technical documentation, clinical evaluation reports, or notified body submissions. It does not perform security testing on hospital-integrated systems. It does not conduct GDPR data protection impact assessments.
If your product is not a medical device, the CRA applies. CRACheck produces the CRA documentation. MDR classification is a separate question with separate tools.
A vulnerability in hospital-deployed software triggers the 24h ENISA early warning. In healthcare contexts, the operational urgency of reporting exceeds the regulatory minimum.
Healthcare software products on the EU market must have Art. 31 documentation. Hospital procurement will require this as standard evidence in supplier cybersecurity assessments.
No exemption for healthcare-adjacent software. The MDR exclusion under Art. 2(2) does not extend to CRA penalties — it determines scope, not penalty severity.
| Criterion | Healthcare compliance consultant | Internal IT security team | MDR-only approach | CRACheck |
|---|---|---|---|---|
| Price | €12K-30K | Staff time | Does not cover CRA | €149 per product |
| CRA Art. 31 coverage | Report, not file | Depends on expertise | None | 8-document technical file |
| Healthcare-specific | Yes | Partially | MDR only | Yes — healthcare risk context |
| Data stays with you | Shared with consultant | Internal | N/A | 100% browser-side |
Pack 10: €99 per product. Pack 30: €79 per product. For healthtech companies with multi-module platforms deployed across EU hospitals, contact us.
CRACheck generates a structured document set according to Art. 31 and Annex VII of Regulation (EU) 2024/2847 based on the information you provide. The accuracy of that information — including system architecture, data flows and security mechanisms — is your responsibility as manufacturer.
We guarantee that the document structure follows Art. 31 and Annex VII and that the legal references cited are correct. We do not determine whether your product is a medical device under MDR, nor do we guarantee acceptance by a hospital procurement process or market surveillance authority.
CRACheck is not legal advice. For MDR classification and the CRA/MDR boundary under Art. 2(2), consult a qualified health technology regulatory lawyer.
Art. 2(2) excludes MDR/IVDR devices. Everything else in healthcare IT falls under the CRA. Eight documents. €149 per product. Browser-side.