How do I know if my product is default or Important?

Check Annex III of Regulation (EU) 2024/2847. It lists 19 Class I categories and 4 Class II categories. If your product does not fall under any of these or the 3 Critical categories in Annex IV, it is default. CRACheck's Product Classifier performs this determination based on your product description.

Can my product be partially Important and partially default?

No. Classification is per product, not per feature. If your product integrates a function listed in Annex III (e.g., a VPN function), the entire product is classified as Important. Article 32(2) or (3) applies to the whole product.

What happens if I self-assess under Module A but my product is actually Important?

The conformity assessment procedure would be invalid. The EU declaration would not meet Article 32(2) or (3), and the CE marking would be improperly affixed. Article 64(3) subjects this to fines of up to €10,000,000 or 2% of global turnover.

Does Module A require me to apply harmonised standards?

No. Article 32(1)(a) allows Module A regardless of whether you apply harmonised standards. However, Annex VII, point 5 requires you to list applied standards or describe alternative solutions.

Is Module A a one-time process or ongoing?

Module A is the initial assessment. However, Article 13(14) requires products from series production to remain in conformity. Article 13(8) imposes ongoing vulnerability handling for at least five years. The technical documentation must be continuously updated per Article 31(2).

Is this a subscription?

No. One-time payment. 30 days editing, 10 regenerations. PDF yours permanently.

Can I request a refund?

Per Article 16(m) of Directive (EU) 2011/83, licence activation constitutes express consent. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate with the updated version at no additional cost during licence validity.

Your product is not a firewall, not a smart lock, not a hypervisor, and not listed in Annex III or Annex IV of Regulation (EU) 2024/2847. It is a default-category product with digital elements. Article 32(1)(a) allows you to use internal control under Module A — Annex VIII, Part I. No notified body. No external audit. You assess, you document, you declare.

The European Commission estimated that approximately 90% of products with digital elements fall into the default category — they are not listed as Important (Annex III) or Critical (Annex IV). For these products, Article 32(1) offers four conformity assessment paths, including Module A: internal control. Module A means you, the manufacturer, take sole responsibility. You draw up technical documentation per Annex VII, perform the cybersecurity risk assessment per Article 13(2), issue the EU declaration of conformity per Article 28, and affix CE marking. CRACheck structures this entire process. Eight documents, 15–25 minutes, €149.

Generate Module A documentation — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

~90%

of products with digital elements are default category — not listed in Annex III or IV (EC estimate)

notified body involvement required for Module A internal control

€149

cost to generate the complete Module A documentation package

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Check Annex III

Review the 19 Class I categories and the 4 Class II categories. If your product is not listed, it is not Important.

Check Annex IV

Review the 3 Critical categories. If your product is not listed, it is not Critical.

Confirm default status

If your product does not appear in Annex III or Annex IV, it is a default-category product. Article 32(1) applies. You may use Module A.

Generate documentation

CRACheck produces the eight documents that Module A requires: Product Classifier, technical documentation, risk assessment, user information, declaration, CVD policy, ENISA template, obligations calendar.

Self-declare conformity

Under Annex VIII, Part I, point 4, you affix CE marking and issue the EU declaration of conformity on your sole responsibility.

Maintain compliance

Module A does not end at declaration. Article 13(14) requires monitoring for series production. Article 13(8) imposes a minimum five-year support period. Part II of Annex I requires ongoing vulnerability handling.

Common mistakes

❌

CLASSIFICATION

"Misclassifying an Important product as default to avoid a notified body"

Annex III is a closed list. If your product falls under any of the 19 Class I or 4 Class II categories, it is Important regardless of your risk assessment. Article 32(2) and (3) impose stricter conformity assessment. Misclassifying to use Module A is a violation that market surveillance authorities will identify.

❌

STANDARDS

"Assuming Module A means no requirements apply"

Module A under Annex VIII, Part I does not reduce the scope of essential cybersecurity requirements. All 13 requirements in Part I of Annex I and all 8 vulnerability handling requirements in Part II apply in full. Module A only means you verify compliance internally rather than through a notified body.

❌

DELEGATION

"Relying on a component supplier's declaration without your own assessment"

Article 13(5) requires manufacturers to exercise due diligence when integrating third-party components. Module A requires the manufacturer — not the component supplier — to declare conformity of the finished product.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Confirms whether your product is default, Important (Class I or II per Annex III), or Critical (Annex IV). For default products, this document is your classification rationale — keep it in the technical file.

Technical Documentation

Per Article 31 and Annex VII. For Module A, Annex VIII Part I, point 2 requires the manufacturer to draw up the documentation described in Annex VII. This is the core deliverable.

Risk Assessment

Per Article 13(2) and (3). Even for default products, the risk assessment must map against all applicable requirements in Part I of Annex I.

User Information

Per Annex II. Default products carry the same user information obligations as Important or Critical products.

Declaration of Conformity

Per Article 28 and Annex V. Under Module A, you draw up the declaration on your sole responsibility. No notified body identification number needed.

CVD Policy

Per Part II, point (5) of Annex I. Required for all categories, including default.

Notification Template

Article 14 structure for ENISA reporting. Required from 11 September 2026 regardless of product category. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

Key dates and support period milestones specific to your default-category product.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 NOTIFIED BODY ASSESSMENT (NOT NEEDED FOR DEFAULT)

€5,000–€15,000

3–6 months. Only applicable to Important Class I/II or Critical products — unnecessary expense for default products.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history