Article 3(1) of the Cyber Resilience Act defines "product with digital elements" as software and its remote data processing solutions. Article 3(2) defines remote data processing as cloud processing without which the product cannot function. Recital 12 explicitly states that pure SaaS with no associated downloadable product falls under NIS2, not CRA. But if your SaaS has any client-side component placed on the EU market, the entire product — client and cloud — is within CRA scope. CRACheck helps you classify your product and, if CRA applies, generates the 8-document dossier under Article 31 + Annex VII in 15-25 minutes. €149 per product. Browser-side processing only.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.
Article 3(1) defines "product with digital elements" as "a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately." Software is explicitly a product. The word "service" does not create an exemption. If your SaaS distributes any code to the user's device, that code is a software product under CRA.
If your product is available for download or installation by EU users — through app stores, package managers, CDN distribution, or direct download — it is "made available on the market" per Article 3(22). A user accessing a web interface is different from a user installing your mobile app. The installation creates market placement.
If you distribute the same software globally, the product placed on the EU market is the product you manufactured. You cannot create a "European version" that differs only in documentation — the underlying product must meet the essential cybersecurity requirements in Annex I. CRA compliance is about the product, not the market label.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
The critical first document: determines whether your SaaS product falls within CRA scope and, if so, its Annex III classification. This is the answer to "does CRA apply to us."
Article 31 + Annex VII structured dossier covering your product's architecture, security design, components, and conformity assessment path.
Cybersecurity risk analysis per Article 13(2)-(3) adapted to your product's specific architecture and deployment model.
Annex II document with the 9 information items required for EU users of your product.
Article 28 + Annex V formal declaration.
Vulnerability disclosure policy per Annex I, Part II.
ENISA notification structure per Article 14. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
Timeline of CRA milestones relevant to your product.
Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.
Generated from your data, in your browser. No data leaves your device.
Answers the scope question through the Product Classifier and, if CRA applies, generates the full technical documentation dossier. This is what your EU customer needs to see — not a verbal assurance, but structured documentation per Article 31.
Does not provide a binding legal opinion on your product's CRA scope. Does not audit your product's actual cybersecurity posture. Does not replace a regulatory attorney's analysis for edge cases. If your product sits exactly on the CRA/NIS2 boundary, consult a qualified attorney.
CRACheck gives you the documentation framework. A regulatory attorney gives you the legal opinion. For most products, the classification is straightforward. For edge cases, use both.
Article 64 of Regulation (EU) 2024/2847.
Non-compliance with essential requirements or manufacturer obligations.
Missing documentation or conformity assessment.
Misleading information to authorities.
| Criteria | Legal opinion (scope only) | Full regulatory engagement | Self-research from EUR-Lex | CRACheck |
|---|---|---|---|---|
| Answers "does CRA apply?" | Yes (memo) | Yes + documentation | Maybe (after weeks) | Yes (Product Classifier) |
| Produces documentation if yes | No (separate engagement) | Yes (8-16 weeks) | DIY | Yes — 15-25 min |
| Cost | $2,000-$5,000 (scope only) | €12,000-€25,000 | Staff time | €149 (scope + docs) |
| Turnaround | 2-4 weeks | 8-16 weeks | Weeks | Same day |
Each product with digital elements needs its own scope determination and, if applicable, its own Article 31 dossier. Volume pricing: 10 products at €99 each, 30 at €79 each.
Request Volume PricingCRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy of your input is your responsibility as the manufacturer.
We guarantee that the document structure follows Article 31 + Annex VII and that legal references cited are correct. We do not guarantee acceptance by a market surveillance authority in a specific case.
CRACheck is not legal advice. The Product Classifier provides a structured framework for product classification, not a binding legal determination. For borderline cases, consult a qualified attorney.
Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.