
Your project management tool is used by teams across Europe. The desktop app, the mobile app, and the browser extension are products with digital elements under Article 3(1) of Regulation (EU) 2024/2847. Your European enterprise customers manage sensitive project data, client information, and internal communications through your platform. Their procurement teams now ask for CRA documentation alongside your security certifications. CRACheck generates it.

Project management platforms typically offer multiple installable components: desktop applications for offline access, mobile apps for on-the-go task management, browser extensions for notifications, and API clients for integrations. Each installable component, plus the cloud platform as remote data processing, forms a regulated product under the CRA. Article 13 requires technical documentation, risk assessment, and conformity declaration. CRACheck generates the 8-document dossier in 15-25 minutes for €149.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side — your data never leaves your device

Key numbers

Art. 3(1)-(2): Desktop app + mobile app + cloud backend = one regulated product with remote data processing
€15M: Maximum fine for non-compliance (Art. 64(2))
€149: Full CRA dossier per product

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

1. Define product scope
   PM platform, desktop app, mobile app, browser extension, API connectors. CRACheck documents everything as one product.
2. Classify under Annex III
   PM tools typically classify as Default. No privileged security functions.
3. Describe collaboration architecture
   Real-time sync, file sharing, commenting, notification systems, integration APIs, webhook handlers.
4. Map data handling
   Project data, task assignments, file attachments, internal messages, client information stored within projects.
5. Generate risk assessment
   PM-specific: unauthorized access to project data, file sharing vulnerabilities, notification interception, API abuse, and third-party integration credential exposure.
6. Produce 8 documents
   Complete dossier covering all platform components.
7. Attach to vendor renewal
   EU enterprise clients evaluate CRA documentation alongside your SOC 2 and GDPR DPA.

Common mistakes

PRODUCT vs INTERNAL TOOL

"PM tools are internal productivity software — not regulated products"

Your PM tool is not an internal tool; it is a commercial product placed on the EU market. Internal tools developed by a company for its own use are not placed on the market. Your product is sold to external customers. It is a product with digital elements under Article 3(1).

WRAPPER = PRODUCT

"Our desktop app is just an Electron wrapper — the real product is the web app"

An Electron desktop application is software installed on the user's device. Regardless of its technical architecture, it is a product with digital elements placed on the EU market. The fact that it wraps web content does not exempt it from CRA scope.

MARKET SHIFT

"Enterprise customers care about SOC 2, not European-specific regulations"

European enterprise customers are adding CRA to their vendor requirements alongside SOC 2. As enforcement approaches, CRA documentation becomes as expected as SOC 2 for products placed on the EU market. SOC 2 covers organizational controls; CRA covers product cybersecurity documentation. Both are expected.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
   Default classification for PM software.
2. Technical Documentation
   Art. 31 + Annex VII: platform architecture, desktop/mobile apps, sync engine, file storage, and integration layer.
3. Risk Assessment
   PM-specific: project data access, file sharing security, real-time communication integrity, integration credential management.
4. User Information
   Annex II for workspace admins: access control, data retention, integration permissions, update policy.
5. Declaration of Conformity
   Art. 28 + Annex V.
6. CVD Policy
   Vulnerability disclosure for PM platforms.
7. Notification Template
   ENISA template per Article 14. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
8. Obligations Calendar
   CRA milestones.

See before you buy: download the sample dossier (PDF, fictitious company). Real structure, real articles, real format. Fictitious data.

Generated from your data, in your browser. No data leaves your device.

What you pay

SaaS compliance consultant: €12,000–€25,000 · 8-14 weeks.

Last regulatory check: 1 May 2026 · No substantive changes detected