Data protection under the CRA is not just a GDPR concern. Annex I, Part I, point (2)(e) covers all data the product handles — personal, operational, telemetry, configuration — and requires confidentiality protection including encryption at rest and in transit. Point (2)(g) adds a data minimisation requirement that applies beyond personal data: the product must not collect or process data beyond what its intended purpose requires. Both requirements feed into the risk assessment under Art. 13(2)–(3) and must be documented in the technical file per Annex VII. CRACheck structures both into the 8-document package in 15–25 minutes for €149.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
GDPR Art. 5(1)(c) applies to personal data. CRA Annex I, Part I, point (2)(g) applies to all data the product processes — including operational telemetry, diagnostic logs, and device metadata that may not qualify as personal data under GDPR. A product compliant with GDPR data minimisation may still violate the CRA if it collects excessive non-personal data.
Annex I, Part I, point (2)(e) explicitly mentions "data at rest and in transit." TLS for network communication without encryption for stored data (credentials, logs, configuration files, cached user data) leaves a compliance gap. The risk assessment must address both states.
Point (2)(e) requires "state of the art mechanisms." SHA-1 for hashing, TLS 1.0/1.1 for transport, DES/3DES for symmetric encryption, and RSA-1024 for asymmetric encryption are not state of the art as of 2026. The technical documentation must specify current algorithms (AES-256, TLS 1.3, SHA-256/SHA-3, RSA-2048+ or ECDSA).
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Category per Annex III/IV. Products handling sensitive data (e.g., smart locks, health monitors) face higher scrutiny on encryption implementation.
Annex VII. Point 2(a) covers the design description including encryption architecture and data flow diagrams showing minimisation measures.
Per Art. 13(2)–(3). Maps points (2)(e) and (2)(g) against your product: which data requires encryption, which data flows have been minimised, residual risks.
Per Annex II. Informs users what data the product processes, how it is protected, and what encryption options are configurable.
Per Art. 28 and Annex V.
Per Annex I, Part II, point (5). Cryptographic vulnerabilities are among the most commonly reported through CVD channels.
Per Art. 14. A vulnerability in encryption implementation triggers the 24h/72h/14-day reporting pipeline.
Key dates including crypto algorithm review milestones through the support period.
See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.
Generated from your data, in your browser. No data leaves your device.
Hiring a data protection and cryptography consultant to audit data flows, assess encryption implementation, map against CRA Annex I, and produce the Annex VII documentation.
CRACheck generates the documentation mapping your encryption implementation and data minimisation measures against Annex I, Part I, points (2)(e) and (2)(g). It structures the mapping within the risk assessment, technical documentation, and user information documents. Cross-references ensure consistency across the 8-document package.
CRACheck does not audit your encryption implementation. It does not test cipher suites, key management, or certificate chains. It does not analyse your data flows for minimisation compliance. You must implement encryption and minimisation in your product. CRACheck documents what you implemented and maps it to the CRA requirements.
Implement the encryption. Minimise the data. Then document it with CRACheck.
Art. 64(2).
Art. 64(3).
Art. 64(4).
| Criterion | No documentation | Crypto consultant | GDPR-only assessment | CRACheck |
|---|---|---|---|---|
| CRA Annex I mapping | Missing | Yes (if CRA-specific) | Partial — personal data only | Yes — (e) + (g) |
| Annex VII integration | None | Separate report | Not CRA-structured | Automatic |
| Time to documentation | — | 4–8 weeks | 3–6 weeks | 15–25 minutes |
| Cost | €0 (+ fine risk) | €10K–€20K | €5K–€12K | €149 one-time |
Even products sharing the same encryption library require separate documentation per Art. 31 if they process different data types or have different attack surfaces. Volume pricing: €99/product (10-pack) or €79/product (30-pack).
CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847, documenting your encryption implementation and data minimisation measures per Annex I, Part I, points (2)(e) and (2)(g), based on the information you provide. The accuracy of your cryptographic and data flow descriptions is your responsibility as manufacturer.
We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that all legal references cited are correct. We do not guarantee that a specific encryption implementation will be deemed compliant by a market surveillance authority in a specific case.
CRACheck is not legal advice. For specific questions about cryptographic algorithm selection, key management, or data minimisation in your product category, consult with a qualified cybersecurity professional.