We have a browser-only SaaS with no downloads. Is CRA completely irrelevant to us?

If your product is accessed exclusively through a web browser with no client-side installation — no mobile app, no browser extension, no desktop agent, no SDK, no progressive web app with offline mode — your product likely falls outside CRA scope per Recital 12 of Regulation (EU) 2024/2847. However, Directive (EU) 2022/2555 (NIS2) may apply to your cloud service if you meet the size thresholds. Additionally, if you later add any downloadable component, CRA scope triggers. CRACheck's Product Classifier helps you document this determination.

We distribute a JavaScript SDK via npm for EU developers to integrate. Does that trigger CRA?

An SDK distributed via npm is software placed on the EU market. If it is distributed in the course of a commercial activity (including as part of a freemium platform), it is a product with digital elements under Article 3(1). The cloud backend that the SDK connects to becomes remote data processing under Article 3(2). Both the SDK and the supporting cloud infrastructure fall within CRA scope.

Our mobile app is free. Does CRA still apply?

Yes. Article 3(22) defines "making available on the market" as supply in the course of a commercial activity, whether or not for payment. A free mobile app distributed as part of your commercial SaaS offering is placed on the market in the course of commercial activity. The free-to-download nature does not create an exemption.

What is the difference between CRA scope and NIS2 scope for our company?

CRA (Regulation (EU) 2024/2847) regulates products with digital elements. NIS2 (Directive (EU) 2022/2555) regulates entities providing essential and important services, including cloud computing services above certain size thresholds. A US SaaS company may be subject to CRA for its product (if it has downloadable components) and to NIS2 for its service (if it meets size thresholds). The two regulations have different obligations and different documentation requirements. CRACheck addresses CRA product documentation.

If CRA does not apply to our product, do we still need documentation for EU customers?

EU enterprise customers increasingly request cybersecurity documentation regardless of specific regulatory obligations. Even if your product falls outside CRA scope, having a structured security documentation package — risk assessment, security architecture description, vulnerability handling policy — strengthens your competitive position. CRACheck can generate this documentation regardless of formal CRA applicability.

Is CRACheck a subscription?

No. One-time payment. 30 days of editing, 10 regenerations. The PDF is yours to keep.

Can I request a refund?

Per Article 16(m) of Directive (EU) 2011/83, activating the license constitutes express consent for immediate digital content generation, waiving the 14-day withdrawal right. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate with the updated generator version at no additional cost during your license period.

An EU enterprise customer just asked whether your SaaS product complies with the Cyber Resilience Act. The answer depends on one technical question: does your product include any component that runs on the user's device? If it does — a mobile app, a browser extension, an SDK, a desktop agent — Regulation (EU) 2024/2847 applies to the entire product, including the cloud backend.

Article 3(1) of the Cyber Resilience Act defines "product with digital elements" as software and its remote data processing solutions. Article 3(2) defines remote data processing as cloud processing without which the product cannot function. Recital 12 explicitly states that pure SaaS with no associated downloadable product falls under NIS2, not CRA. But if your SaaS has any client-side component placed on the EU market, the entire product — client and cloud — is within CRA scope. CRACheck helps you classify your product and, if CRA applies, generates the 8-document dossier under Article 31 + Annex VII in 15-25 minutes. €149 per product. Browser-side processing only.

Classify your product — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

Art. 3(1)-(2)

The two definitions that determine whether your SaaS falls within CRA scope

Recital 12

The recital that draws the line between CRA products and NIS2 services

€149

Cost to generate the full 8-document CRA dossier if your product is in scope

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Answer the threshold question

Does your product include any downloadable component that runs on the user's device? CRACheck's Product Classifier guides you through this determination.

If yes: define the product boundary

Identify the client-side component and map the remote data processing functions that support it. This defines what the CRA regulates.

Classify under Annex III

Determine if your product is Default, Important Class I/II, or Critical. Most SaaS products without privileged system access classify as Default.

Describe your architecture

Enter technical details: client-server communication, APIs, authentication, third-party components, data handling.

Generate CRA documentation

8 PDFs covering Article 31 + Annex VII, Article 28 + Annex V, Annex II, Article 14 obligations.

If no: document the determination

If your product is purely browser-based with no client-side component, CRACheck helps you document that determination for your EU customer, noting that NIS2 may apply instead.

Present to your EU customer

Either the full CRA dossier or a reasoned scope determination. Both are better than "we are looking into it."

Common mistakes

❌

DEFINITIONAL ERROR

"SaaS is a service, not a product. CRA only applies to products."

Article 3(1) defines "product with digital elements" as "a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately." Software is explicitly a product. The word "service" does not create an exemption. If your SaaS distributes any code to the user's device, that code is a software product under CRA.

❌

MARKET PLACEMENT

"We are not placing anything on the EU market — users just visit our website"

If your product is available for download or installation by EU users — through app stores, package managers, CDN distribution, or direct download — it is "made available on the market" per Article 3(22). A user accessing a web interface is different from a user installing your mobile app. The installation creates market placement.

❌

PRODUCT IDENTITY

"Only the European version of our product needs to comply"

If you distribute the same software globally, the product placed on the EU market is the product you manufactured. You cannot create a "European version" that differs only in documentation — the underlying product must meet the essential cybersecurity requirements in Annex I. CRA compliance is about the product, not the market label.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

The critical first document: determines whether your SaaS product falls within CRA scope and, if so, its Annex III classification. This is the answer to "does CRA apply to us."

Technical Documentation

Article 31 + Annex VII structured dossier covering your product's architecture, security design, components, and conformity assessment path.

Risk Assessment

Cybersecurity risk analysis per Article 13(2)-(3) adapted to your product's specific architecture and deployment model.

User Information

Annex II document with the 9 information items required for EU users of your product.

Declaration of Conformity

Article 28 + Annex V formal declaration.

CVD Policy

Vulnerability disclosure policy per Annex I, Part II.

Notification Template

ENISA notification structure per Article 14. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

Timeline of CRA milestones relevant to your product.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 LEGAL OPINION ON SCOPE

$2,000–$5,000

2-4 weeks. Result: a memo that says "it depends" with caveats. You still need the documentation if the answer is yes.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history