Indian IT services companies develop software deployed in the EU market every day. Until now, no EU regulation required the development partner to produce cybersecurity documentation. Regulation (EU) 2024/2847 changes that. Your European client is the manufacturer under Article 3(1). Article 13(5) makes them responsible for due diligence on components sourced from third parties. In practice, they will pass that obligation to you via contract. CRACheck generates 8 PDF documents structured under Article 31 and Annex VII in 15–25 minutes. €149 per product. 100% browser-side — no data leaves your machine.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
Your client is the manufacturer under Article 3(1) of Regulation (EU) 2024/2847. Article 13(5) requires them to exercise due diligence on components sourced from third parties. That includes your software. In practice, your client will require Annex VII documentation as a contract deliverable. If you cannot provide it, the next vendor will.
ISO 27001 certifies your organisation's information security management system. The CRA requires product-level documentation under Annex VII — a description of the specific product's design, development, vulnerability handling processes, SBOM, and cybersecurity risk assessment. They are complementary, not interchangeable. Annex VII §5 allows you to reference harmonised standards, but the documentation itself must exist.
Article 2(1) of Regulation (EU) 2024/2847 applies to products with digital elements made available on the market with a direct or indirect data connection. Article 3(1) defines "product with digital elements" as a software or hardware product and its remote data processing solutions. If your software is deployed as a product in the EU market — even as a component of your client's product — it falls within scope.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Determines if the product is Default, Important Class I, Class II, or Critical under Annex III and Annex IV. Defines which conformity assessment procedure applies (Art. 32).
Complete technical documentation structured under Art. 31 + Annex VII. 8 sections covering product description, design and development, cybersecurity risk assessment, support period, standards applied, test reports, declaration of conformity, and SBOM.
Cybersecurity risk assessment as required by Art. 13(2) and Annex I Part I. Documents risks, mitigation measures, and residual risk analysis.
Information and instructions for the user as required by Annex II. 9 mandatory points including vulnerability reporting contact, support period end-date, and decommissioning instructions.
EU declaration of conformity structured under Art. 28 + Annex V. Ready for the manufacturer to sign.
Coordinated vulnerability disclosure policy as required by Annex I Part II §5. Includes contact address, response timelines, and disclosure process.
Template for ENISA vulnerability notification under Art. 14. Covers the three-stage process: 24h early warning, 72h notification, 14-day final report.
Calendar with all key dates: Art. 14 reporting from 11 September 2026, full enforcement 11 December 2027, and product-specific milestones.
Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.
Generated from your data, in your browser. No data leaves your device.
Generates the technical documentation under Art. 31 + Annex VII. 8 documents. 15–25 minutes. €149. Your deliverable to the EU client.
CRACheck does not determine whether the CRA applies to your specific product, does not replace the conformity assessment your EU client must perform under Art. 32, and does not substitute legal advice on contract liability allocation.
We document. You and your client handle the conformity assessment and legal allocation.
Article 64 of Regulation (EU) 2024/2847.
Art. 64(2). Up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher.
Art. 64(3). Includes failure to prepare technical documentation under Art. 31 and Annex VII.
Art. 64(4).
| Alternative | Cost | What you get |
|---|---|---|
| European compliance consultant | €8,000–€15,000 | Full audit + documentation. 3–6 months per product. |
| Build documentation internally from Annex VII text | Free + engineering time | Weeks per product. Risk of gaps. No validation. |
| Ignore the CRA clause in the contract | €0 now | Client terminates. Or: up to €15M fine for your client under Art. 64(2) — and contractual liability flows to you. |
| CRACheck | €149 | 8 documents. 15–25 minutes. Structured under Art. 31 + Annex VII. Ready to deliver. |
Each CRACheck licence documents one product. If you develop 5, 10 or 20 software products for European clients, each one needs its own Annex VII dossier. Write to us for a Volume Pack with per-product pricing.
Request Volume PricingCRACheck generates a structured document under Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, precision and completeness of that information is your responsibility as the economic operator.
We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct as of the last verification date. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case or by your EU client in a specific procurement process.
CRACheck is not legal advice. For specific situations — including the allocation of CRA obligations between you and your EU client — consult a qualified lawyer or regulatory consultancy.
Eight documents. Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.