
Your SaaS startup in India sells to customers in the European Union. You market the product under your brand. Under Article 3(1) of Regulation (EU) 2024/2847, that makes you the manufacturer. Article 13 places the full set of obligations on you — including the technical documentation under Annex VII. CRACheck generates it.

Indian SaaS startups targeting EU enterprise clients face a new gate in the procurement process. Regulation (EU) 2024/2847 applies to products with digital elements made available on the EU market. Article 3(1) defines the manufacturer as the entity that markets the product under its name or trademark. If that is your startup, you hold the manufacturer obligations under Article 13 — cybersecurity risk assessment, technical documentation, vulnerability handling, ENISA notification. Your Series A budget does not include €15K for a European compliance consultant. CRACheck generates 8 PDF documents structured under Art. 31 + Annex VII in 15–25 minutes. €149 per product. 100% browser-side.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side — your data never leaves your device

Key numbers

Art. 3(1)
You market the product under your brand. You are the manufacturer. Full obligations under Art. 13.
Art. 14
Vulnerability notification to ENISA. 24h early warning. Applies from 11 September 2026.
€149
Per product. One procurement deal closed pays for the documentation 100x over.

How it works

1. Confirm you are in scope
Article 2(1): products with digital elements on the EU market. Article 3(1): if you market under your brand, you are the manufacturer. Use the free CRACheck classifier to check product classification.

2. Classify your product
Default (90% of SaaS), Important Class I (Annex III — e.g., identity management, VPN), or Class II. Classification determines which conformity assessment applies under Art. 32.

3. Map your existing security posture
You already have architecture docs, an SBOM in your CI/CD, vulnerability handling in your issue tracker. CRACheck structures what you already know.

4. Complete the CRACheck questionnaire
15–25 minutes. One founder or CTO with product knowledge.

5. Download the 8-PDF ZIP
Technical Documentation, Risk Assessment, Declaration of Conformity, CVD Policy, User Information, ENISA Notification Template, Product Classifier, Obligations Calendar.

6. Add to your procurement response
Attach the Annex VII dossier to your RFP response or security questionnaire. EU enterprise clients recognise the structure.

7. Set a calendar reminder for Art. 14
Vulnerability reporting to ENISA applies from 11 September 2026. The ENISA Notification Template in your ZIP covers the three-stage process.

Three mistakes to avoid

COMMON MISTAKE

"The CRA does not apply to SaaS — it is only for hardware"

Article 3(1) of Regulation (EU) 2024/2847 defines "product with digital elements" as "a software or hardware product and its remote data processing solutions." SaaS products that are marketed as products on the EU market fall within scope. The only exemption is pure processing services with no product component — and most SaaS products are marketed as products, not services.

COMMON MISTAKE

"We are based in India — EU regulations cannot reach us"

Article 2(1) of Regulation (EU) 2024/2847 applies to products made available on the EU market, regardless of where the manufacturer is established. If you sell to a single customer in Germany, France, or any EU Member State, the regulation applies. Article 18 allows you to appoint an authorised representative in the EU, but the obligations remain yours.

COMMON MISTAKE

"Our SOC 2 report covers CRA compliance"

SOC 2 audits your organisation's controls against the Trust Services Criteria. The CRA requires product-level documentation under Annex VII — including a product-specific cybersecurity risk assessment (Art. 13(2)), an SBOM (Annex VII §2(b)), and a coordinated vulnerability disclosure policy (Annex I Part II §5). SOC 2 addresses organisational controls. Annex VII addresses the product. They cover different dimensions.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
Classification under Annex III/IV. SaaS products with identity management or security functions may fall under Important Class I.

2. Technical Documentation
Full Annex VII. The dossier EU enterprise procurement teams are starting to request.

3. Risk Assessment
Art. 13(2) + Annex I Part I. Cybersecurity risk assessment specific to your SaaS product's threat model.

4. User Information
Annex II. Includes support period end-date (Art. 13(8): minimum 5 years), vulnerability reporting contact, decommissioning instructions.

5. Declaration of Conformity
Art. 28 + Annex V. As the manufacturer, you sign this.

6. CVD Policy
Annex I Part II §5. Your coordinated vulnerability disclosure policy with response timelines.

7. Notification Template
Art. 14 ENISA notification. Applies from 11 September 2026.

8. Obligations Calendar
Sept 2026, Dec 2027, and your product-specific support period milestones.

Look before you buy — Download sample dossier (PDF, fictitious company) — Real structure, real articles, real format. Fictitious data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 EUROPEAN CRA COMPLIANCE CONSULTANT
€10,000–€20,000
3–6 months. Burns your runway.
✓ CRACHECK
€149
8 documents. 15–25 minutes. Closes the procurement gate.

Two layers of responsibility

● WHAT CRACHECK DOES

Documentation generation

Generates your Annex VII dossier. 8 documents. 15–25 minutes. €149. The artefact your EU enterprise client expects in procurement.

∅ WHAT CRACHECK DOES NOT DO

What falls outside CRACheck

Does not determine if the CRA exempts your specific SaaS model (consult a lawyer). Does not appoint your authorised representative under Art. 18. Does not perform the conformity assessment under Art. 32.

We produce the documentation. You handle classification, representation, and conformity assessment.

Enforcement regime

Article 64 of Regulation (EU) 2024/2847.

🇪🇺
Non-compliance with Annex I + Art. 13, 14
€15M / 2.5%

Art. 64(2). As the manufacturer, the fine applies directly to you.

🇪🇺
Non-compliance with Art. 28, 31, 32 (documentation, conformity)
€10M / 2%

Art. 64(3).

🇪🇺
Incorrect or misleading information to authorities
€5M / 1%

Art. 64(4).

Alternatives

| Alternative | Cost | What you get |
|---|---|---|
| European compliance consultant | €10,000–€20,000 | Full audit + documentation. 3–6 months. |
| Build internally | Free + founder time | Weeks of non-product work. No regulatory validation. |
| Drop the EU market | €0 | Lose 30-50% of enterprise pipeline. |
| CRACheck | €149 | 8 documents. 15–25 minutes. Procurement-ready. |

Your startup has multiple products targeting EU enterprise?

Each CRACheck licence covers one product. If your SaaS portfolio includes 3, 5 or 10 products, each needs its own Annex VII dossier. Contact us for startup volume pricing.

Request Volume Pricing
One-business-day response

What CRACheck guarantees and what it does not

CRACheck generates a structured document under Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, precision and completeness of that information is your responsibility as the manufacturer.

We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case or by an EU enterprise client in a specific procurement process.

CRACheck is not legal advice. For questions about whether the CRA applies to your specific SaaS model, consult a qualified lawyer or regulatory consultancy.

Frequently asked questions

Does the CRA apply to SaaS products sold from India to EU customers?
Article 2(1) of Regulation (EU) 2024/2847 applies to products with digital elements made available on the EU market. Article 3(1) defines "product with digital elements" as including software and its remote data processing solutions. If you market your SaaS as a product to EU customers, the CRA applies regardless of where you are established. The critical question is whether your offering is a "product" placed on the market or a pure service — most SaaS products marketed under a brand name qualify as products.
I am the manufacturer. What does that mean under the CRA?
Article 13 of Regulation (EU) 2024/2847 lists the manufacturer's obligations. Key ones: design and develop the product in accordance with Annex I cybersecurity requirements, perform a cybersecurity risk assessment (Art. 13(2)), prepare technical documentation (Art. 31 + Annex VII), carry out conformity assessment (Art. 32), draw up the EU declaration of conformity (Art. 28), handle vulnerabilities for a minimum 5-year support period (Art. 13(8)), and notify ENISA of actively exploited vulnerabilities within 24 hours (Art. 14).
Do I need an authorised representative in the EU?
Article 18 of Regulation (EU) 2024/2847 allows manufacturers to appoint an authorised representative in the EU by written mandate. The representative can keep the documentation at the disposal of market surveillance authorities, but the design and development obligations (Art. 13(1)-(11)) remain with you. Consult a lawyer to determine if an authorised representative is necessary for your specific situation.
When does this actually apply?
The regulation applies in full from 11 December 2027 (Art. 71(2)). However, Article 14 (vulnerability notification to ENISA) applies from 11 September 2026. And EU enterprise procurement teams are adding CRA clauses to contracts now.
Is it a subscription?
No. One-time payment. 30 days of editing, 10 regenerations. The PDF is yours to keep.
Can I request a refund?
Under Article 16(m) of Directive (EU) 2011/83, by activating the licence you consent to immediate digital content generation, waiving the 14-day withdrawal. Refunds only for reproducible technical failures.
What if the regulation changes?
Regenerate with the updated generator version at no additional cost during your licence period.
⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

You are the manufacturer. The Annex VII documentation is your obligation. Generate it in 15 minutes.

Eight documents. Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.

€149 one-time
8 professional documents · 15–25 minutes · No subscription · 100% in your browser
✓ Last regulatory check: 28 April 2026 · No substantive changes detected