The risk assessment is not a checkbox. It is the analytical engine that drives your entire CRA compliance strategy. Art. 13(3) requires it to indicate whether and how each security requirement under Annex I, Part I, point (2) applies to your product. Art. 13(4) requires it to be included in the technical documentation under Annex VII. Art. 13(3) also requires it to be "updated as appropriate" during the support period. Where a requirement does not apply, Art. 13(4) mandates a "clear justification" in the documentation. CRACheck generates the risk assessment structure mapped against every Annex I, Part I requirement. 15–25 minutes. €149.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
Art. 13(3) requires the assessment to be based on "the intended purpose and reasonably foreseeable use" of the specific product. A corporate risk register covering IT infrastructure does not satisfy the product-level requirement of Annex VII, point 3.
Art. 13(4) explicitly requires "a clear justification" in the technical documentation for any essential cybersecurity requirement that is not applicable to the product. Blank fields or unchecked boxes without explanation are non-compliant.
Art. 13(3) requires the assessment to be "documented and updated as appropriate during a support period." Art. 13(7) requires systematic documentation of "relevant cybersecurity aspects" including vulnerabilities and third-party information. A static assessment from launch day degrades as new threats emerge.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Category per Annex III/IV. The classification determines the conformity assessment route under Art. 32, which in turn determines the scrutiny applied to your risk assessment.
Annex VII structure. Point 3 integrates the risk assessment showing how Annex I Part I requirements apply.
The core deliverable. Structured per Art. 13(2)–(4): scope definition, threat identification, Annex I Part I(2) sub-point mapping (a–m), Annex I Part II mapping, risk treatment, justification for non-applicable requirements.
Per Annex II. The risk assessment informs what users need to know under Annex II, point 5: foreseeable circumstances that may lead to cybersecurity risks.
Per Art. 28 and Annex V.
Per Annex I, Part II, point (5). The CVD process handles vulnerabilities that the risk assessment identifies as residual risks.
Per Art. 14. Identified risks inform the severity classification for vulnerability notifications. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
Maps risk assessment review triggers and update deadlines through the support period.
See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.
Generated from your data, in your browser. No data leaves your device.
Commissioning a cybersecurity consultancy to perform a CRA-specific risk assessment, map it against Annex I, and produce the Annex VII documentation.
CRACheck generates the risk assessment structure per Art. 13(2)–(4): scope, threat analysis framework, Annex I Part I(2) requirements mapping with applicability and justification fields, Part II vulnerability handling mapping, risk treatment documentation. It integrates the assessment into Annex VII point 3 and cross-references it with the SBOM, CVD policy, and user information documents.
CRACheck does not identify threats for you. It does not perform vulnerability scanning, penetration testing, or threat modelling. It does not evaluate the adequacy of your security controls. You must conduct the risk analysis. CRACheck provides the structured regulatory format to document it per Art. 13 and Annex VII.
The risk assessment is your analysis. The Annex VII structure is the regulatory format. CRACheck builds the format. You provide the analysis.
Art. 64(2).
Art. 64(3).
Art. 64(4).
| Criterion | No formal assessment | Cybersecurity consultancy | ISO 27005 assessment | CRACheck |
|---|---|---|---|---|
| Art. 13(2)–(4) structure | Non-compliant | Yes (if CRA-specific) | Partial — not CRA-mapped | Yes — Annex I mapped |
| Annex VII point 3 integration | Missing | Depends | Separate document | Automatic |
| Time to deliverable | — | 6–12 weeks | 4–8 weeks | 15–25 minutes |
| Cost | €0 (+ fine risk) | €12K–€25K | €8K–€15K | €149 one-time |
Each product requires its own risk assessment per Art. 13(2)–(3). A gateway and a sensor have different threat landscapes even if manufactured by the same company. Volume pricing: €99/product (10-pack) or €79/product (30-pack).
CRACheck generates a structured risk assessment document according to Article 13(2)–(4) and Annex VII, point 3 of Regulation (EU) 2024/2847, based on the information you provide. The accuracy of your threat analysis and risk treatment descriptions is your responsibility as manufacturer.
We guarantee that the document structure follows Article 13 and Annex VII of Regulation (EU) 2024/2847 and that all legal references cited are correct. We do not guarantee that a specific risk assessment will be accepted by a notified body or market surveillance authority in a specific case.
CRACheck is not legal advice. For specific situations involving threat modelling methodology, risk acceptance criteria, or residual risk evaluation, consult with a qualified cybersecurity professional.