Does the Cyber Resilience Act apply to SaaS products?

It depends on your product's architecture. Regulation (EU) 2024/2847 applies to "products with digital elements," defined in Article 3(1) as software and its remote data processing solutions. If your SaaS includes any downloadable component placed on the EU market — a mobile app, a desktop agent, an SDK, a browser extension — that component is a product with digital elements, and the cloud backend qualifies as remote data processing under Article 3(2). Recital 12 clarifies that pure cloud services with no associated downloadable product fall under Directive (EU) 2022/2555 (NIS2) instead. Most US SaaS companies have at least one downloadable component, which brings the full product into CRA scope.

Our SaaS product is browser-only with no downloadable component. Are we covered?

If users access your product exclusively through a web browser with no client-side installation, no mobile app, no browser extension, and no SDK, your product likely falls outside CRA scope and under NIS2 instead. However, if you distribute any code that runs on the user's device — including JavaScript libraries, embedded widgets, or progressive web apps with offline capability — the analysis changes. CRACheck helps you classify your product under Annex III to determine which regime applies.

We are a US company. Can the EU fine us?

Article 64 of Regulation (EU) 2024/2847 empowers EU Member State market surveillance authorities to impose fines on any economic operator placing products on the EU market, regardless of where the company is established. If your product is available to EU users, you are within enforcement reach. Additionally, your EU enterprise customers may refuse to procure your product without CRA documentation, creating commercial pressure independent of regulatory enforcement.

What is the difference between CRA and NIS2 for a US software company?

The Cyber Resilience Act (Regulation (EU) 2024/2847) regulates products with digital elements placed on the EU market. It requires technical documentation, risk assessment, vulnerability handling, and conformity declaration from the manufacturer. NIS2 (Directive (EU) 2022/2555) regulates essential and important entities providing services in the EU, including cloud computing services. A US SaaS company may be subject to both: CRA for the product itself (if it includes downloadable components) and NIS2 for the service it provides (if it meets the size thresholds in NIS2). CRACheck covers the CRA documentation obligations.

How does CRA interact with SOC 2 or ISO 27001 certifications we already have?

SOC 2 and ISO 27001 are voluntary certifications that address organizational security controls. The Cyber Resilience Act requires product-specific technical documentation under Article 31 + Annex VII, a cybersecurity risk assessment per Article 13, and a declaration of conformity per Article 28 + Annex V. These are distinct legal obligations. Your existing SOC 2 report does not substitute for CRA technical documentation, although the security controls documented in your SOC 2 may inform the content of your CRA risk assessment.

Is CRACheck a subscription?

No. One-time payment. The license includes 30 days of editing and 10 regenerations. The downloaded PDF is yours to keep.

Can I request a refund?

Per Article 16(m) of Directive (EU) 2011/83, by activating the license you give express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only accepted for reproducible technical failures.

What if the regulation changes?

If the regulation is amended during your license validity period, you can regenerate the document with the updated version of the generator at no additional cost.

Your European enterprise customers are adding Cyber Resilience Act clauses to procurement questionnaires. If your SaaS includes any downloadable component — a desktop agent, a mobile app, an SDK, a browser extension — Article 13 of Regulation (EU) 2024/2847 makes you the manufacturer. CRACheck generates the technical documentation they are asking for.

Regulation (EU) 2024/2847 defines "product with digital elements" as any software and its remote data processing solutions (Article 3(1)). If your SaaS product has a client-side component placed on the EU market, the cloud backend qualifies as remote data processing under Article 3(2), and the full product falls within CRA scope. CRACheck generates the 8-document dossier required under Article 31 and Annex VII in 15-25 minutes, from your browser, for €149 per product. No data leaves your device.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

€15,000,000

Maximum fine for non-compliance with essential cybersecurity requirements (Art. 64(2))

11 Dec 2027

Full enforcement date for all manufacturer obligations under the Cyber Resilience Act

15–25 min

Time to generate the complete 8-document technical dossier with CRACheck

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Classify your product

CRACheck determines whether your software falls under Default, Important Class I, Important Class II, or Critical category per Annex III. Most SaaS products with no privileged OS access classify as Default.

Describe your architecture

Enter your product details: tech stack, data flows, authentication methods, third-party components. All processing stays in your browser.

Map security requirements

CRACheck cross-references your input against the essential cybersecurity requirements in Annex I, Part I (product requirements) and Part II (vulnerability handling).

Generate risk assessment

The tool produces a structured cybersecurity risk assessment per Article 13(2)-(3), covering intended purpose, foreseeable use, and operational environment.

Produce technical documentation

CRACheck generates the full Article 31 + Annex VII dossier, including product description, design documentation, conformity assessment references, and risk analysis.

Generate supporting documents

Declaration of conformity (Annex V), user information (Annex II), CVD policy, ENISA notification template (Art. 14), and obligations calendar.

Download and review

8 PDFs in a single ZIP. Edit within 30 days, regenerate up to 10 times. The documents are yours to keep.

Common mistakes

❌

SCOPE MISREADING

"We are SaaS, so CRA does not apply to us"

Article 3(1) defines "product with digital elements" as software and its remote data processing solutions. If your SaaS includes any downloadable component placed on the EU market — a mobile app, a desktop agent, a browser extension, an SDK — the entire product, including the cloud backend, falls within CRA scope. Recital 12 only excludes cloud services that are not integral to a product with digital elements.

❌

MANUFACTURER OBLIGATION

"Our EU distributor handles compliance"

Article 13 places the obligation for technical documentation, risk assessment, and conformity procedures on the manufacturer. The manufacturer is whoever designs and develops the product (Article 3(13)). If you wrote the code in San Francisco, you are the manufacturer regardless of who distributes it in the EU. Your EU partner has separate importer obligations under Article 19, but they do not absorb yours.

❌

TIMELINE MISCALCULATION

"We will deal with it when enforcement starts in 2027"

Article 14 vulnerability reporting obligations apply from 11 September 2026. By that date, you must have a coordinated vulnerability disclosure policy and the infrastructure to notify ENISA within 24 hours of becoming aware of an actively exploited vulnerability. The technical documentation under Article 31 takes months to prepare properly. Starting in Q4 2027 means missing both deadlines.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Determines if your SaaS product classifies as Default, Important Class I/II, or Critical under Annex III. Most US SaaS products without privileged OS access or network management functions classify as Default, eligible for self-assessment under Module A (Annex VIII).

Technical Documentation

Structured dossier per Article 31 + Annex VII: product description, design and development information, cybersecurity risk assessment, conformity assessment references, and applicable standards.

Risk Assessment

Cybersecurity risk analysis per Article 13(2)-(3) and Annex I, Part I. Maps your product's threat model against the essential cybersecurity requirements, covering data protection, access control, integrity, and availability.

User Information

Document per Annex II with the 9 information items you must provide to your EU users: manufacturer identity, support contact, security properties, known residual risks, SBOM reference, and update procedures.

Declaration of Conformity

EU Declaration per Article 28 + Annex V. Pre-filled with your product data, applicable modules, and legal references. Your EU enterprise customer expects this document.

CVD Policy

Coordinated vulnerability disclosure policy required under Annex I, Part II. Includes intake channel, acknowledgment timelines, and the 90-day disclosure framework.

Notification Template

Pre-structured template for ENISA notifications under Article 14: 24-hour early warning, 72-hour vulnerability notification, and 14-day final report. Ready to use if you discover an actively exploited vulnerability.

Obligations Calendar

Timeline with every CRA milestone relevant to your product: Art. 14 reporting from September 2026, full enforcement December 2027, support period obligations, and conformity reassessment triggers.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 HIRE A EUROPEAN LAW FIRM

€12,000–€25,000

8–16 weeks. Requires you to explain your architecture to lawyers who may not understand microservices, CI/CD pipelines, or cloud-native deployment. Result: a bespoke legal opinion, not the standardized technical file your EU customer actually needs.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history