
Your fintech in India develops a payment gateway integrated by European banks and neobanks. Payment terminals and POS systems appear in the scope of Regulation (EU) 2024/2847. Your EU banking partner's compliance team has requested Annex VII technical documentation. Article 13(5) requires them to verify third-party components. CRACheck generates the documentation they expect.

Indian fintech companies powering cross-border payments into Europe face a new compliance gate. Regulation (EU) 2024/2847 applies to products with digital elements on the EU market — and payment software integrated by EU financial institutions is within scope. European banking compliance teams are adding CRA clauses to integration agreements. They need Annex VII documentation for every third-party software component that touches their payment infrastructure. Your fintech has SOC 2, PCI DSS, and RBI compliance. None of these are Annex VII. CRACheck generates 8 structured PDF documents under Art. 31 + Annex VII in 15–25 minutes. €149 per product. 100% browser-side — payment data never leaves your machine.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side — your data never leaves your device

What the CRA means for your payment software

Annex III
Payment terminals and POS systems in scope. Identity management software is Important Class I.
Art. 14
24h vulnerability notification to ENISA. Applies from 11 September 2026. Non-negotiable for payment systems.
€149
Per product. Compare with €20,000+ for a European fintech compliance consultant.

How to generate the Annex VII dossier for your payment product

1. Map your product against the CRA scope
Payment gateways, lending APIs, remittance platforms, and KYC software are products with digital elements under Art. 3(1). Check if any component falls under Annex III (Important Class I: identity management, authentication readers).

2. Classify the product
Use the free CRACheck classifier. If the product includes identity management functions, it may be Important Class I (Annex III §1), requiring conformity assessment beyond self-assessment Module A.

3. Identify your EU partner's requirements
The integration agreement will reference Art. 31 + Annex VII. It may also require SBOM (Annex VII §2(b)) and CVD policy (Annex I Part II §5).

4. Complete CRACheck
15–25 minutes. The questionnaire addresses payment-specific considerations: encryption of data in transit and at rest (Annex I Part I §2(e)), authentication mechanisms (§2(d)), data minimisation (§2(g)).

5. Download the 8-PDF dossier
Structured under Annex VII. Formatted for EU banking compliance review.

6. Submit to your EU partner
Attach to the integration deliverables. The partner's compliance team integrates it into their product-level conformity file.

7. Prepare for Art. 14 (September 2026)
Vulnerability notification to ENISA applies from 11 September 2026. Use the ENISA Notification Template in the ZIP to set up your internal reporting process.

Three mistakes fintech companies make with the CRA

COMMON MISTAKE

"We have PCI DSS — that covers CRA"

PCI DSS certifies cardholder data security. Regulation (EU) 2024/2847 requires product-level documentation under Annex VII — including a product-specific cybersecurity risk assessment (Art. 13(2)), SBOM (Annex VII §2(b)), vulnerability handling evidence (Annex I Part II), and user information (Annex II). PCI DSS addresses payment card data. Annex VII addresses the product. They are complementary frameworks with different scopes.

COMMON MISTAKE

"The CRA does not apply to financial services — PSD2 and DORA cover that"

Article 2(5) of Regulation (EU) 2024/2847 allows limitation or exclusion where sectoral rules achieve the same or higher level of protection. As of the publication date, no such limitation has been adopted for PSD2 or DORA via delegated act. Until that happens, payment software products on the EU market remain within CRA scope. Article 12 addresses the relationship with other Union legal acts.

COMMON MISTAKE

"Our EU partner should document our component — they are the manufacturer"

Your EU partner is the manufacturer of their product. Article 13(5) requires them to exercise due diligence on your component. They fulfil this by requesting documentation from you. If you do not provide it, they document it themselves at your expense — or replace you. Producing the documentation proactively is a competitive advantage.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
Classification considering Annex III (identity management, authentication components).

2. Technical Documentation
Annex VII covering payment-specific architecture: API endpoints, encryption, tokenisation, data flows, third-party integrations.

3. Risk Assessment
Art. 13(2) risk assessment for payment system threat model: fraud, data breach, API abuse, man-in-the-middle.

4. User Information
Annex II. Integration partner documentation: API security configuration, key rotation, support period.

5. Declaration of Conformity
Art. 28 + Annex V.

6. CVD Policy
Annex I Part II §5. Vulnerability disclosure for payment software. Includes responsible disclosure timelines.

7. Notification Template
Art. 14 ENISA notification. Critical for payment systems: 24h early warning mandatory.

8. Obligations Calendar
Sept 2026 (Art. 14), Dec 2027 (full), PCI DSS renewal dates (for cross-reference).

Look before you buy — Download sample dossier (PDF, fictitious company) — Real structure, real articles, real format. Fictitious data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 EUROPEAN FINTECH COMPLIANCE CONSULTANT
€15,000–€25,000
4–6 months. Per product.
✓ CRACHECK
€149
8 documents. 15–25 minutes. Per product.

Two layers: what CRACheck does and does not do

● What CRACheck does

Generates Annex VII documentation for your payment product

8 documents. 15–25 minutes. €149. Ready for EU banking partner compliance review.

∅ What CRACheck does NOT do

PCI, PSD2, DORA assessment

Does not assess PCI DSS or PSD2 compliance. Does not determine whether a DORA exemption applies to your product. Does not replace legal advice on financial services regulation.

We produce the CRA documentation. You handle PCI, PSD2, and DORA separately.

Enforcement regime

Article 64 of Regulation (EU) 2024/2847.

🇪🇺
Non-compliance with Annex I + Art. 13, 14
€15M / 2.5%

Art. 64(2). For payment systems, vulnerability notification failures (Art. 14) are the highest-visibility infringement.

🇪🇺
Missing documentation (Art. 31)
€10M / 2%

Art. 64(3).

🇪🇺
Incorrect information
€5M / 1%

Art. 64(4).

Alternatives

Alternative | Cost | What you get
European fintech compliance firm | €15,000–€25,000 | Full CRA + DORA review. 4–6 months.
Internal legal team drafts documentation | Free + weeks | Non-standard format. May not match Annex VII.
Tell the EU partner "we are PCI compliant" | €0 | They ask again. PCI is not Annex VII. Integration stalls.
CRACheck | €149 | 8 documents. 15–25 min. Annex VII structured for payment software.

Your fintech has multiple products integrated by EU partners?

Payment gateway, KYC module, lending API — each product needs its own Annex VII dossier. Contact us for fintech volume pricing.

Response within one business day

What CRACheck guarantees and what it does not

CRACheck generates a structured document under Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy is your responsibility as the fintech developer.

We guarantee structure and legal references. We do not guarantee acceptance by a market surveillance authority or by your EU banking partner.

CRACheck is not legal advice. For payment-specific regulatory questions — including PSD2, DORA, and CRA interaction — consult a qualified fintech lawyer.

Frequently asked questions

Does the CRA apply to payment gateway software?
Article 2(1) of Regulation (EU) 2024/2847 applies to products with digital elements with a data connection on the EU market. Payment gateway software marketed as a product and integrated by EU financial institutions falls within scope. Annex III includes identity management systems and authentication components as Important Class I products.

How does the CRA interact with PSD2 and DORA?
PSD2 regulates payment services. DORA (Regulation (EU) 2022/2554) regulates ICT risk management for financial entities. The CRA regulates products with digital elements. They operate at different levels. Article 2(5) of the CRA allows limitation where sectoral rules achieve the same protection level, but no such limitation has been adopted for PSD2 or DORA as of the regulation's publication date.

Our product handles sensitive financial data. Is browser-side processing safe?
CRACheck processes 100% in your browser. No data is uploaded to any server. The questionnaire asks about your product's architecture and security measures — not about your customers' financial data. The output PDF contains only the information you provide about how the product works.

Do we need a notified body for our payment product?
It depends on classification. If your product includes identity management or authentication functions (Annex III §1), it is Important Class I. Under Art. 32(2), if you have not applied harmonised standards or certification schemes, you need either module B+C or module H (both involving a notified body). If your product is Default category, self-assessment Module A suffices.

Is it a subscription?
No. One-time payment. 30 days editing, 10 regenerations. PDF is yours.

Can I request a refund?
Art. 16(m) Directive (EU) 2011/83. Activation = express consent. Refunds only for reproducible technical failures.

What if the regulation changes?
Regenerate at no additional cost during your licence period.

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

Your EU banking partner needs Annex VII documentation for your payment software. Generate it now.

8 professional documents. Structured under Article 31 and Annex VII of Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.

€149 one-time
8 documents · 15–25 min · No subscription · 100% browser-side
✓ Last regulatory check: 1 May 2026 · No substantive changes detected