
Your mobile app agency in Bangalore or Pune builds applications for European clients. Those apps reach EU users through App Store and Google Play. Article 2(1) of Regulation (EU) 2024/2847 applies. Your client is the manufacturer — and Article 13(5) requires them to verify the cybersecurity of components you provide. The Annex VII documentation is becoming a standard deliverable. CRACheck generates it.

Mobile app agencies in Bangalore and Pune have delivered hundreds of apps for European brands. The development workflow is mature: sprint planning, builds, QA, release. Regulation (EU) 2024/2847 adds a new artefact to the delivery pipeline — the technical documentation under Annex VII. Your EU client needs it for their conformity assessment under Article 32. A European compliance firm charges €8K–€12K and takes months. Your sprint cycle is 2 weeks. CRACheck fits the sprint: 15–25 minutes, 8 PDF documents, €149 per app. 100% browser-side — no client data uploaded anywhere.

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side — your data never leaves your device

Key numbers

Art. 13(5): Third-party component due diligence. Your EU client must verify what you build.
15–25 min: Per app. One developer, one sprint session, one deliverable.
€149: Per app. Add it to the project quote. Client absorbs the cost.

How it works

1. Identify which apps are in scope
Any app available to EU users through App Store or Google Play. Article 2(1): products with digital elements with a data connection to a device or network.

2. Classify each app
Use the free CRACheck classifier. Most consumer and business apps are Default category. Apps with identity management features may be Important Class I (Annex III §1).

3. Assign one developer per app
The developer who built the architecture completes the CRACheck questionnaire. 15–25 minutes.

4. Generate the 8-PDF dossier
CRACheck maps engineering answers to Annex VII structure. Download the ZIP.

5. Include in the sprint delivery
Attach the Annex VII ZIP alongside the build artifacts. Update your delivery checklist template.

6. Standardise across the agency
Once the first app is documented, replicate the process for all EU client projects. Add CRACheck to your standard project template.

Three mistakes to avoid

COMMON MISTAKE

"Mobile apps are published by Apple and Google — they handle compliance"

Apple and Google are distributors under Article 20 of Regulation (EU) 2024/2847. The manufacturer is the entity that markets the app under its name or trademark — your EU client (Art. 3(1)). The distributor verifies that the CE marking exists (Art. 20(2)(a)), but the technical documentation obligation falls on the manufacturer, who passes it to you.

COMMON MISTAKE

"Our apps are B2B — the CRA is only for consumer products"

Article 2(1) of Regulation (EU) 2024/2847 applies to all products with digital elements made available on the EU market. There is no B2B exemption. Whether the app is used by consumers or by enterprise users, if it has a data connection and is available in the EU market, it falls within scope.

COMMON MISTAKE

"We will add CRA documentation when the client asks — no need to offer proactively"

Agencies that include Annex VII documentation in their standard delivery win contracts over agencies that do not. European procurement teams are updating their vendor evaluation criteria. By December 2027, CRA documentation will be a minimum requirement, not a differentiator. Agencies that start now build the process cheaply. Agencies that wait will scramble under deadline pressure.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
Annex III/IV classification per app. Identity management apps may fall under Important Class I.

2. Technical Documentation
Annex VII structured for mobile app architecture: client-server model, API surface, local data storage, push notification handling.

3. Risk Assessment
Art. 13(2) cybersecurity risk assessment specific to mobile app threat vectors: insecure storage, man-in-the-middle, reverse engineering.

4. User Information
Annex II. Support period end-date, vulnerability reporting contact, data erasure instructions.

5. Declaration of Conformity
Art. 28 + Annex V. For the EU client to sign as manufacturer.

6. CVD Policy
Annex I Part II §5 vulnerability disclosure policy.

7. Notification Template
Art. 14 ENISA notification template. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

8. Obligations Calendar
Key enforcement dates.

Look before you buy: download a sample dossier (PDF, fictitious company). Real structure, real articles, real format. Fictitious data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 COMPLIANCE CONSULTANT PER APP
€8,000–€12,000
2–4 months. Per app. Destroys agency margins.
✓ CRACHECK
€149
8 documents. 15–25 minutes. Per app. Add to the project quote.

Two layers of responsibility

● WHAT CRACHECK DOES

Documentation generation

Generates Annex VII documentation per app. 8 PDFs in 15–25 minutes. €149. Designed to fit inside your sprint delivery workflow.

∅ WHAT CRACHECK DOES NOT DO

What falls outside CRACheck

Does not review the app's code for vulnerabilities. Does not perform the conformity assessment (Art. 32). Does not substitute Apple or Google's app review process.

We document. Your client assesses conformity. Apple and Google distribute.

Enforcement regime

Article 64 of Regulation (EU) 2024/2847.

Non-compliance with Annex I + Art. 13, 14: €15M / 2.5%
Art. 64(2). Applied to the manufacturer — your EU client. Contractual liability flows to you.

Missing technical documentation (Art. 31): €10M / 2%
Art. 64(3).

Incorrect information to authorities: €5M / 1%
Art. 64(4).

Alternatives

Alternative | Cost | What you get
Hire a compliance firm per app | €8,000–€12,000 | Documentation + review. 2–4 months per app.
Developer writes docs manually | Free + 30–60 hrs | Non-standard format. No regulatory validation.
Skip CRA documentation | €0 | Client finds agency that includes it.
CRACheck | €149 | 8 documents. 15–25 min. Standard Annex VII format.

Your agency delivers 10+ apps per year for EU clients?

Each app requires its own Annex VII dossier. A 20-app agency needs 20 licences. Write to us for agency volume pricing — per-licence cost decreases significantly at scale.

Request Volume Pricing
One-business-day response

What CRACheck guarantees and what it does not

CRACheck generates a structured document under Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy of the information is your responsibility as the development agency.

We guarantee that the document structure follows Article 31 and Annex VII and that the legal references are correct. We do not guarantee acceptance by a market surveillance authority or by your EU client.

CRACheck is not legal advice. For app-specific regulatory questions, consult a qualified lawyer.

Frequently asked questions

Do mobile apps fall under Regulation (EU) 2024/2847?
Article 3(1) of Regulation (EU) 2024/2847 defines "product with digital elements" as a software or hardware product and its remote data processing solutions. A mobile app marketed as a product on the EU market — whether B2C or B2B — falls within this definition if it has a data connection to a device or network (Art. 2(1)).

Our agency builds the app but the EU client publishes it. Who complies?
The manufacturer under Article 3(1) is the entity that markets the product under its name or trademark. If your EU client publishes the app under their brand, they are the manufacturer. You are a development partner. Article 13(5) requires the manufacturer to exercise due diligence on your components — which means they will require Annex VII documentation from you.

Does one licence cover both the iOS and Android version?
If the iOS and Android apps are the same product with the same architecture and components, one licence can document the product. If they are architecturally distinct products with different codebases and security profiles, each needs separate documentation.

Can we standardise CRACheck across all EU projects?
Yes. Run CRACheck once for each EU client project, include the ZIP in your standard delivery checklist, and add the €149 cost to the project quote. Standardising the process takes 30 minutes the first time and 15 minutes for every subsequent app.

Is it a subscription?
No. One-time payment. 30 days of editing, 10 regenerations. The PDF is yours to keep.

Can I request a refund?
Under Article 16(m) of Directive (EU) 2011/83, by activating the licence you consent to immediate digital content generation, waiving the 14-day withdrawal right. Refunds are available only for reproducible technical failures.

What if the regulation changes?
Regenerate at no additional cost during your licence period.

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

Each app your agency delivers to an EU client needs Annex VII documentation. Generate it in 15 minutes.

Eight documents. Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.

Last regulatory check: 28 April 2026 · No substantive changes detected