Reg (EU) 2024/2847Generate dossier — €149
LIVE — Enforcement tracker · Deadline dashboard · Transposition status — Updated weekly from EUR-Lex, Safety Gate, OEIL & 12 official sourcesView regulatory intelligence →

Your product is not a firewall, not a smart lock, not a hypervisor, and not listed in Annex III or Annex IV of Regulation (EU) 2024/2847. It is a default-category product with digital elements. Article 32(1)(a) allows you to use internal control under Module A — Annex VIII, Part I. No notified body. No external audit. You assess, you document, you declare.

The European Commission estimated that approximately 90% of products with digital elements fall into the default category — they are not listed as Important (Annex III) or Critical (Annex IV). For these products, Article 32(1) offers four conformity assessment paths, including Module A: internal control. Module A means you, the manufacturer, take sole responsibility. You draw up technical documentation per Annex VII, perform the cybersecurity risk assessment per Article 13(2), issue the EU declaration of conformity per Article 28, and affix CE marking. CRACheck structures this entire process. Eight documents, 15–25 minutes, €149.

Generate Module A documentation — €149Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 32(1)(a) + Annex VIII Part I · 8 documents · 100% browser-side

Key numbers

~90%
of products with digital elements are default category — not listed in Annex III or IV (EC estimate)
0
notified body involvement required for Module A internal control
€149
cost to generate the complete Module A documentation package

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

1
Check Annex III
Review the 19 Class I categories and the 4 Class II categories. If your product is not listed, it is not Important.
2
Check Annex IV
Review the 3 Critical categories. If your product is not listed, it is not Critical.
3
Confirm default status
If your product does not appear in Annex III or Annex IV, it is a default-category product. Article 32(1) applies. You may use Module A.
4
Generate documentation
CRACheck produces the eight documents that Module A requires: Product Classifier, technical documentation, risk assessment, user information, declaration, CVD policy, ENISA template, obligations calendar.
5
Self-declare conformity
Under Annex VIII, Part I, point 4, you affix CE marking and issue the EU declaration of conformity on your sole responsibility.
6
Maintain compliance
Module A does not end at declaration. Article 13(14) requires monitoring for series production. Article 13(8) imposes a minimum five-year support period. Part II of Annex I requires ongoing vulnerability handling.

Common mistakes

CLASSIFICATION

"Misclassifying an Important product as default to avoid a notified body"

Annex III is a closed list. If your product falls under any of the 19 Class I or 4 Class II categories, it is Important regardless of your risk assessment. Article 32(2) and (3) impose stricter conformity assessment. Misclassifying to use Module A is a violation that market surveillance authorities will identify.

STANDARDS

"Assuming Module A means no requirements apply"

Module A under Annex VIII, Part I does not reduce the scope of essential cybersecurity requirements. All 13 requirements in Part I of Annex I and all 8 vulnerability handling requirements in Part II apply in full. Module A only means you verify compliance internally rather than through a notified body.

DELEGATION

"Relying on a component supplier's declaration without your own assessment"

Article 13(5) requires manufacturers to exercise due diligence when integrating third-party components. Module A requires the manufacturer — not the component supplier — to declare conformity of the finished product.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1

Product Classifier

Confirms whether your product is default, Important (Class I or II per Annex III), or Critical (Annex IV). For default products, this document is your classification rationale — keep it in the technical file.

2

Technical Documentation

Per Article 31 and Annex VII. For Module A, Annex VIII Part I, point 2 requires the manufacturer to draw up the documentation described in Annex VII. This is the core deliverable.

3

Risk Assessment

Per Article 13(2) and (3). Even for default products, the risk assessment must map against all applicable requirements in Part I of Annex I.

4

User Information

Per Annex II. Default products carry the same user information obligations as Important or Critical products.

5

Declaration of Conformity

Per Article 28 and Annex V. Under Module A, you draw up the declaration on your sole responsibility. No notified body identification number needed.

6

CVD Policy

Per Part II, point (5) of Annex I. Required for all categories, including default.

7

Notification Template

Article 14 structure for ENISA reporting. Required from 11 September 2026 regardless of product category. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

8

Obligations Calendar

Key dates and support period milestones specific to your default-category product.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 NOTIFIED BODY ASSESSMENT (NOT NEEDED FOR DEFAULT)
€5,000–€15,000
3–6 months. Only applicable to Important Class I/II or Critical products — unnecessary expense for default products.
✓ CRACHECK
€149
€149 one-time. 15–25 min. All documentation for internal control procedure. No notified body cost. No external dependency. Pack 10: €99/product.

Two layers

● LAYER 1

Internal control = full documentation responsibility

Module A means you declare conformity on your sole responsibility. That responsibility is backed by the technical documentation per Annex VII, the risk assessment per Article 13(2)–(3), and the declaration per Article 28. CRACheck generates these documents.

∅ LAYER 2

Same requirements, different verification path

All essential cybersecurity requirements in Annex I apply to default products. Module A only changes who verifies: you, not a notified body. Security updates, vulnerability handling, SBOM, ENISA reporting — all are mandatory regardless of the assessment path.

Module A is the most efficient path. It is not the easiest path in terms of obligations. The documentation must be robust because you are the sole verifier.

Enforcement regime

Article 64 of Regulation (EU) 2024/2847.

🔴
Essential requirements + manufacturer obligations (Art. 64(2))
€15,000,000 / 2.5%

Non-compliance with Annex I or Articles 13/14.

🟠
Documentation and conformity obligations (Art. 64(3))
€10,000,000 / 2%

Non-compliance with Art. 31, Art. 28, Art. 32.

🟡
Misleading information (Art. 64(4))
€5,000,000 / 1%

Misleading information to authorities.

Alternatives

CriterionModule A (internal)Module B+C (EU-type + production)Module H (full quality)EU cybersecurity certification
Applicable toDefault products (Art. 32(1)(a))Important Class I/II (Art. 32(2)–(3))Class I/II (Art. 32(2)–(3))Where available (Art. 32(1)(d))
Notified body requiredNoYes (Module B)Yes (Module H)Yes (certification body)
Cost€149 (CRACheck documentation)€5K–€15K (notified body fees)€8K–€20K (notified body fees)Variable
Timeline15–25 minutes for documentation3–6 months3–6 monthsVariable

Multiple default products to document?

Each product needs its own Module A documentation set. Pack of 10: €99 per product. Pack of 30: €79 per product.

Request Volume Pricing
The Product Classifier confirms default status for each product individually.

What CRACheck guarantees and what it does not

CRACheck generates a structured document based on Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you input. The accuracy of that information is your responsibility as the manufacturer, particularly under Module A where you bear sole verification responsibility.

We guarantee that the document structure follows Article 31 and Annex VII and that all cited legal references are correct. We do not guarantee acceptance by any market surveillance authority in a specific case.

CRACheck is not legal advice. For questions about your product's classification or applicable conformity assessment procedure, consult a qualified regulatory professional.

Frequently asked questions

How do I know if my product is default or Important?
Check Annex III of Regulation (EU) 2024/2847. It lists 19 Class I categories and 4 Class II categories. If your product does not fall under any of these or the 3 Critical categories in Annex IV, it is default. CRACheck's Product Classifier performs this determination based on your product description.
Can my product be partially Important and partially default?
No. Classification is per product, not per feature. If your product integrates a function listed in Annex III (e.g., a VPN function), the entire product is classified as Important. Article 32(2) or (3) applies to the whole product.
What happens if I self-assess under Module A but my product is actually Important?
The conformity assessment procedure would be invalid. The EU declaration would not meet Article 32(2) or (3), and the CE marking would be improperly affixed. Article 64(3) subjects this to fines of up to €10,000,000 or 2% of global turnover.
Does Module A require me to apply harmonised standards?
No. Article 32(1)(a) allows Module A regardless of whether you apply harmonised standards. However, Annex VII, point 5 requires you to list applied standards or describe alternative solutions.
Is Module A a one-time process or ongoing?
Module A is the initial assessment. However, Article 13(14) requires products from series production to remain in conformity. Article 13(8) imposes ongoing vulnerability handling for at least five years. The technical documentation must be continuously updated per Article 31(2).
Is this a subscription?
No. One-time payment. 30 days editing, 10 regenerations. PDF yours permanently.
Can I request a refund?
Per Article 16(m) of Directive (EU) 2011/83, licence activation constitutes express consent. Refunds only for reproducible technical failures.
What if the regulation changes?
Regenerate with the updated version at no additional cost during licence validity.

Official legal sources

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

Default product, Module A, no notified body. Generate the documentation that backs your self-assessment.

Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.

€149 one-time
8-document professional dossier · 15–25 minutes · No subscription · Browser-side
Generate Module A documentation — €149

Related landings

SME

CRA compliance for European SME IoT manufacturers under Module A
CLASS I & II

Class I and Class II products: when you need a notified body
CONFORMITY ASSESSMENT

Which CRA conformity assessment procedure applies to your product?
✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history