A mobile app distributed through an app store available in EU countries is "made available on the market" per Article 3(22) of the Cyber Resilience Act. The developer is the manufacturer under Article 3(13). If the app relies on a cloud API, the backend is remote data processing under Article 3(2), and the entire system — app plus cloud — constitutes the regulated product. CRACheck generates the 8-document dossier required under Article 31 + Annex VII in 15-25 minutes for €149. No data leaves your browser. No legal team required.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.
App stores are distribution platforms, not manufacturers. Article 3(13) defines the manufacturer as the entity that develops the product. If you wrote the code, you are the manufacturer regardless of the distribution channel. Apple and Google may enforce CRA requirements through their developer policies, but the legal obligation rests with you.
Article 3(22) includes supply in the course of commercial activity "whether or not for payment." If your app is monetized through ads, in-app purchases, or data collection, or serves as a gateway to a paid service, it is distributed in the course of commercial activity. Even a completely free utility app distributed by a company (not a private individual) is placed on the market in a commercial context.
Geo-blocking the EU means losing access to 450 million potential users. The CRA documentation obligation for a Default category product — which covers most consumer apps — requires self-assessment via Module A. CRACheck generates this documentation for €149 in 15 minutes. The compliance cost is almost certainly lower than the revenue loss from geo-blocking the EU.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Determines your app's Annex III category. Consumer apps typically classify as Default. Apps with security functions (password managers, VPNs, parental controls) may classify as Important Class I.
Art. 31 + Annex VII dossier structured for mobile applications: client architecture, API integration, platform-specific security features, third-party SDK inventory, and update delivery mechanism.
Mobile-specific cybersecurity analysis: insecure data storage, certificate pinning, jailbreak/root detection, third-party analytics privacy, biometric data handling, and push notification security.
Annex II document for app users: security properties, data handling, update policy, known limitations, and manufacturer contact. Compatible with app store privacy labels.
Article 28 + Annex V declaration for your mobile app. Covers the app and any remote data processing backend as a unified product.
Vulnerability disclosure policy: how security researchers can report issues in your app, response timeline, coordinated disclosure process.
ENISA notification structure per Article 14 for mobile app incidents: compromised APIs, data breaches through app vulnerabilities, third-party SDK exploits. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
Key dates: Art. 14 reporting from September 2026, full enforcement December 2027, support period obligations per Article 13(8).
See before you buy: download a sample dossier (PDF, fictitious company). Real structure, real articles, real format. Fictitious data.
Generated from your data, in your browser. No data leaves your device.
Generates the regulatory documentation a mobile app developer needs under CRA: product classification, technical documentation, risk assessment, user information, declaration of conformity, and vulnerability handling policies.
Does not scan your APK/IPA for vulnerabilities. Does not test your API endpoints. Does not review your third-party SDK licenses. Does not verify your actual implementation of security controls. Those are engineering and security testing tasks.
CRACheck is the documentation. Your code review, penetration testing, and SDK auditing are the substance. A €149 documentation tool does not replace your security engineering — it complements it.
Article 64 of Regulation (EU) 2024/2847.
Essential requirement / manufacturer obligation violations.
Missing documentation or conformity assessment.
Misleading information to authorities.
| Criteria | Regulatory attorney | App compliance service | DIY from regulation text | CRACheck |
|---|---|---|---|---|
| Time | 4-12 weeks | 2-4 weeks | Weeks of reading | 15-25 minutes |
| Cost per app | $13,000-$28,000 | $3,000-$8,000 | Staff time | €149 |
| Mobile-specific risk template | Depends on expertise | Varies | No | Yes |
| Data stays on your device | No | No | Yes | Yes — 100% |
Each app is a separate product with digital elements and needs its own Article 31 dossier. If you maintain 5 apps available to EU users, you need 5 independent documentation sets. Volume pricing: 10 products at €99, 30 at €79.
CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy of that information is your responsibility as the manufacturer.
We guarantee the document structure follows Article 31 + Annex VII and that legal references cited are correct. We do not guarantee acceptance by a market surveillance authority in a specific case.
CRACheck is not legal advice. For questions about specific app classifications or edge cases, consult a qualified attorney.
Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.