
Your European enterprise customers are adding Cyber Resilience Act clauses to procurement questionnaires. If your SaaS includes any downloadable component — a desktop agent, a mobile app, an SDK, a browser extension — Article 13 of Regulation (EU) 2024/2847 makes you the manufacturer. CRACheck generates the technical documentation they are asking for.

Regulation (EU) 2024/2847 defines "product with digital elements" as any software and its remote data processing solutions (Article 3(1)). If your SaaS product has a client-side component placed on the EU market, the cloud backend qualifies as remote data processing under Article 3(2), and the full product falls within CRA scope. CRACheck generates the 8-document dossier required under Article 31 and Annex VII in 15-25 minutes, from your browser, for €149 per product. No data leaves your device.

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side — your data never leaves your device

Key numbers

€15,000,000
Maximum fine for non-compliance with essential cybersecurity requirements (Art. 64(2))
11 Dec 2027
Full enforcement date for all manufacturer obligations under the Cyber Resilience Act
15–25 min
Time to generate the complete 8-document technical dossier with CRACheck

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

1. Classify your product
CRACheck determines whether your software falls under the Default, Important Class I, Important Class II, or Critical category per Annex III. Most SaaS products with no privileged OS access classify as Default.

2. Describe your architecture
Enter your product details: tech stack, data flows, authentication methods, third-party components. All processing stays in your browser.

3. Map security requirements
CRACheck cross-references your input against the essential cybersecurity requirements in Annex I, Part I (product requirements) and Part II (vulnerability handling).

4. Generate risk assessment
The tool produces a structured cybersecurity risk assessment per Article 13(2)-(3), covering intended purpose, foreseeable use, and operational environment.

5. Produce technical documentation
CRACheck generates the full Article 31 + Annex VII dossier, including product description, design documentation, conformity assessment references, and risk analysis.

6. Generate supporting documents
Declaration of conformity (Annex V), user information (Annex II), CVD policy, ENISA notification template (Art. 14), and obligations calendar.

7. Download and review
8 PDFs in a single ZIP. Edit within 30 days, regenerate up to 10 times. The documents are yours to keep.

Common mistakes

SCOPE MISREADING

"We are SaaS, so CRA does not apply to us"

Article 3(1) defines "product with digital elements" as software and its remote data processing solutions. If your SaaS includes any downloadable component placed on the EU market — a mobile app, a desktop agent, a browser extension, an SDK — the entire product, including the cloud backend, falls within CRA scope. Recital 12 only excludes cloud services that are not integral to a product with digital elements.

MANUFACTURER OBLIGATION

"Our EU distributor handles compliance"

Article 13 places the obligation for technical documentation, risk assessment, and conformity procedures on the manufacturer. The manufacturer is whoever designs and develops the product (Article 3(13)). If you wrote the code in San Francisco, you are the manufacturer regardless of who distributes it in the EU. Your EU partner has separate importer obligations under Article 19, but they do not absorb yours.

TIMELINE MISCALCULATION

"We will deal with it when enforcement starts in 2027"

Article 14 vulnerability reporting obligations apply from 11 September 2026. By that date, you must have a coordinated vulnerability disclosure policy and the infrastructure to notify ENISA within 24 hours of becoming aware of an actively exploited vulnerability. The technical documentation under Article 31 takes months to prepare properly. Starting in Q4 2027 means missing both deadlines.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
Determines if your SaaS product classifies as Default, Important Class I/II, or Critical under Annex III. Most US SaaS products without privileged OS access or network management functions classify as Default, eligible for self-assessment under Module A (Annex VIII).

2. Technical Documentation
Structured dossier per Article 31 + Annex VII: product description, design and development information, cybersecurity risk assessment, conformity assessment references, and applicable standards.

3. Risk Assessment
Cybersecurity risk analysis per Article 13(2)-(3) and Annex I, Part I. Maps your product's threat model against the essential cybersecurity requirements, covering data protection, access control, integrity, and availability.

4. User Information
Document per Annex II with the 9 information items you must provide to your EU users: manufacturer identity, support contact, security properties, known residual risks, SBOM reference, and update procedures.

5. Declaration of Conformity
EU Declaration per Article 28 + Annex V. Pre-filled with your product data, applicable modules, and legal references. Your EU enterprise customer expects this document.

6. CVD Policy
Coordinated vulnerability disclosure policy required under Annex I, Part II. Includes intake channel, acknowledgment timelines, and the 90-day disclosure framework.

7. Notification Template
Pre-structured template for ENISA notifications under Article 14: 24-hour early warning, 72-hour vulnerability notification, and 14-day final report. Ready to use if you discover an actively exploited vulnerability.

8. Obligations Calendar
Timeline with every CRA milestone relevant to your product: Art. 14 reporting from September 2026, full enforcement December 2027, support period obligations, and conformity reassessment triggers.

Look before you buy: download the sample dossier (PDF, fictitious company). Real structure, real articles, real format. Fictitious data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 HIRE A EUROPEAN LAW FIRM
€12,000–€25,000
8–16 weeks. Requires you to explain your architecture to lawyers who may not understand microservices, CI/CD pipelines, or cloud-native deployment. Result: a bespoke legal opinion, not the standardized technical file your EU customer actually needs.
✓ CRACHECK
€149
8 documents. 15–25 min. You enter your own architecture because you know it. Pack of 10 products: €99 each. Pack of 30: €79 each.

Two layers

● LAYER 1

What CRACheck does (documentation layer)

CRACheck generates the structured technical documentation required under Article 31 + Annex VII of Regulation (EU) 2024/2847. It covers product classification (Annex III), risk assessment (Article 13 + Annex I), declaration of conformity (Article 28 + Annex V), user information (Annex II), CVD policy (Annex I, Part II), and ENISA notification templates (Article 14). This is the documentation layer — the paperwork your EU customer or market surveillance authority will request.

∅ LAYER 2

What CRACheck does NOT do

CRACheck does not perform penetration testing on your infrastructure. It does not audit your source code. It does not certify your product. It does not replace a notified body assessment for Important Class II or Critical products (Article 32(3)). It does not monitor your vulnerability disclosure process. Those are operational and audit activities that require separate tooling or services.

Two layers, two budgets. CRACheck solves layer 1 in 15 minutes for €149. Layer 2 requires your security team or an external auditor.

Enforcement regime

Article 64 of Regulation (EU) 2024/2847.

🔴
Essential requirements + manufacturer obligations (Art. 64(2))
€15,000,000 / 2.5%

Non-compliance with Annex I cybersecurity requirements or Article 13/14 obligations. Fine: up to €15,000,000 or 2.5% of global annual turnover, whichever is higher.

🟠
Documentation and conformity obligations (Art. 64(3))
€10,000,000 / 2%

Non-compliance with Article 18-23, Article 28, Article 30-33 obligations (technical documentation, declaration of conformity, CE marking, conformity assessment). Fine: up to €10,000,000 or 2% of global annual turnover.

🟡
Misleading information (Art. 64(4))
€5,000,000 / 1%

Supplying incorrect, incomplete, or misleading information to notified bodies or market surveillance authorities. Fine: up to €5,000,000 or 1% of global annual turnover.

Alternatives

| Criteria | EU law firm | US compliance consultant | DIY from EUR-Lex | CRACheck |
| --- | --- | --- | --- | --- |
| Time to documentation | 8-16 weeks | 4-8 weeks | Weeks of legal reading | 15-25 minutes |
| Cost per product | €12,000-€25,000 | €5,000-€10,000 | Staff hours at $150+/h | €149 |
| Covers all 8 CRA documents | Partial (varies) | Partial (varies) | Depends on expertise | Yes — 8 PDFs |
| Data stays on your device | No (shared with firm) | No (shared with consultant) | Yes | Yes — 100% browser-side |

Your portfolio has more than one product entering the EU market?

If your SaaS company ships multiple products or modules to European customers, volume pricing applies. Pack of 10 products: €99 per product. Pack of 30 products: €79 per product. Each product gets its own independent 8-document dossier.

We respond within 24 business hours. No commitment required.

What CRACheck guarantees and what it does not

CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, completeness, and truthfulness of that information is your responsibility as the manufacturer.

We guarantee that the document structure follows Article 31 + Annex VII and that the legal references cited are correct. We do not guarantee that a specific document will be accepted by a market surveillance authority in a particular case or by an EU enterprise customer in a procurement process.

CRACheck is not legal advice. For specific situations regarding your product's CRA scope or classification, consult a qualified regulatory attorney.

Frequently asked questions

Does the Cyber Resilience Act apply to SaaS products?
It depends on your product's architecture. Regulation (EU) 2024/2847 applies to "products with digital elements," defined in Article 3(1) as software and its remote data processing solutions. If your SaaS includes any downloadable component placed on the EU market — a mobile app, a desktop agent, an SDK, a browser extension — that component is a product with digital elements, and the cloud backend qualifies as remote data processing under Article 3(2). Recital 12 clarifies that pure cloud services with no associated downloadable product fall under Directive (EU) 2022/2555 (NIS2) instead. Most US SaaS companies have at least one downloadable component, which brings the full product into CRA scope.
Our SaaS product is browser-only with no downloadable component. Are we covered?
If users access your product exclusively through a web browser with no client-side installation, no mobile app, no browser extension, and no SDK, your product likely falls outside CRA scope and under NIS2 instead. However, if you distribute any code that runs on the user's device — including JavaScript libraries, embedded widgets, or progressive web apps with offline capability — the analysis changes. CRACheck helps you classify your product under Annex III to determine which regime applies.
We are a US company. Can the EU fine us?
Article 64 of Regulation (EU) 2024/2847 empowers EU Member State market surveillance authorities to impose fines on any economic operator placing products on the EU market, regardless of where the company is established. If your product is available to EU users, you are within enforcement reach. Additionally, your EU enterprise customers may refuse to procure your product without CRA documentation, creating commercial pressure independent of regulatory enforcement.
What is the difference between CRA and NIS2 for a US software company?
The Cyber Resilience Act (Regulation (EU) 2024/2847) regulates products with digital elements placed on the EU market. It requires technical documentation, risk assessment, vulnerability handling, and conformity declaration from the manufacturer. NIS2 (Directive (EU) 2022/2555) regulates essential and important entities providing services in the EU, including cloud computing services. A US SaaS company may be subject to both: CRA for the product itself (if it includes downloadable components) and NIS2 for the service it provides (if it meets the size thresholds in NIS2). CRACheck covers the CRA documentation obligations.
How does CRA interact with SOC 2 or ISO 27001 certifications we already have?
SOC 2 and ISO 27001 are voluntary certifications that address organizational security controls. The Cyber Resilience Act requires product-specific technical documentation under Article 31 + Annex VII, a cybersecurity risk assessment per Article 13, and a declaration of conformity per Article 28 + Annex V. These are distinct legal obligations. Your existing SOC 2 report does not substitute for CRA technical documentation, although the security controls documented in your SOC 2 may inform the content of your CRA risk assessment.
Is CRACheck a subscription?
No. One-time payment. The license includes 30 days of editing and 10 regenerations. The downloaded PDF is yours to keep.
Can I request a refund?
Per Article 16(m) of Directive (EU) 2011/83, by activating the license you give express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only accepted for reproducible technical failures.
What if the regulation changes?
If the regulation is amended during your license validity period, you can regenerate the document with the updated version of the generator at no additional cost.
⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

Your EU customer sent you a CRA compliance questionnaire. Answer it with documentation, not excuses.

Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected