
You develop an e-learning platform, a learning management system or connected classroom hardware deployed in schools and universities across the EU. GDPR governs how you process student data. The Cyber Resilience Act governs the cybersecurity of the product you sell to the school. Article 13 of Regulation (EU) 2024/2847 applies to you as the manufacturer of a product with digital elements — and a breach of student data starts with a breach of product security.

Edtech companies have operated under GDPR's data protection framework. The CRA adds a horizontal product cybersecurity layer. Art. 3(1) covers any product with a data connection — LMS platforms, classroom management software, interactive whiteboards, student tablets with school-managed MDM profiles, assessment tools with cloud backends. If you market these products in the EU under your name, Art. 13 manufacturer obligations apply. Annex I Part I point (2)(e) requires data confidentiality through encryption — directly relevant to student data. Point (2)(g) requires data minimisation. Point (2)(h) requires availability even after incidents. For edtech products that include identity management or access control for school users, Annex III Class I item 1 may apply. CRACheck generates the 8-document technical file under Art. 31 and Annex VII. €149 per product. 15-25 minutes. Student-adjacent architecture stays in your browser.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Built on Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 PDF documents · 100% browser-side

Key figures

Art. 3(1): LMS, classroom software and educational hardware with data connections are in scope
Annex I Part I (2)(e): Data confidentiality through encryption — directly relevant to student data
€15M: Maximum fine under Art. 64(2) — separate from any GDPR penalty

How to proceed

1. Identify products with digital elements in your portfolio
LMS platforms (SaaS with client-side components), classroom management apps, interactive whiteboards, student devices, coding kits with network connectivity, assessment platforms with cloud sync. Each product placed on the EU market separately is within CRA scope.

2. Classify against Annex III
Standard edtech platforms and devices: Default. If your product includes identity management for school users (student SSO, teacher access control): Important Class I (Annex III item 1). If it includes password management: Important Class I (item 3).

3. Conduct the cybersecurity risk assessment
Art. 13(2)-(3): education-specific risks include student data exposure (including minors' data), classroom session hijacking, grade manipulation, school network lateral movement from compromised edtech devices, and cloud platform compromise affecting multiple schools.

4. Address Annex I requirements with student data sensitivity
Annex I Part I point (2)(e): encryption of student data at rest and in transit. Point (2)(g): data minimisation — collect only what the educational purpose requires. Point (2)(d): access control preventing unauthorised access to student records. These overlap with GDPR but are enforced through the CRA's product cybersecurity framework.

5. Compile Art. 31 technical documentation
Annex VII: system architecture, authentication mechanisms, data flow diagrams, component inventory, vulnerability handling, SBOM.

6. Prepare ENISA reporting
Art. 14 from September 2026. A vulnerability in an LMS deployed across 500 EU schools, processing data of minors, is simultaneously a CRA notification event and a GDPR data breach risk. Both channels must be prepared.

Common mistakes

REGULATORY CONFLATION

Assuming GDPR compliance covers product cybersecurity

GDPR (Regulation (EU) 2016/679) regulates data processing. The CRA (Regulation (EU) 2024/2847) regulates product cybersecurity. Art. 32 of GDPR requires appropriate security measures for data processing. Art. 13 of the CRA requires the product itself to be secure. These are complementary obligations on overlapping but distinct aspects — GDPR compliance does not exempt you from CRA documentation.

MINOR DATA SENSITIVITY

Not elevating the risk assessment for products processing minors' data

Annex I Part I point (2)(e) of Regulation (EU) 2024/2847 requires confidentiality protection for stored and transmitted data. When that data belongs to minors — student records, assessment results, behavioural data — the sensitivity context elevates the required level of protection. A risk assessment under Art. 13(2) that does not specifically address the minor data context is inadequate.

SCHOOL PROCUREMENT BLINDNESS

Not anticipating CRA documentation requirements in education procurement

EU member state education ministries and school districts are increasingly including cybersecurity evidence in procurement. NIS2 may classify certain education infrastructure as essential. The CRA's Art. 31 documentation provides a standardised evidence format that education procurement can reference — not having it will become a competitive disadvantage.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
Identifies Default (standard LMS, assessment tools) or Important Class I (platforms with identity management per Annex III item 1, password management per item 3).

2. Technical Documentation
Art. 31 and Annex VII documentation: platform architecture, authentication flows, data storage and transmission, cloud infrastructure, API specifications, mobile client components.

3. Risk Assessment
Cybersecurity risk assessment covering education vectors: student data exposure (minors), classroom session hijacking, grade manipulation, school network lateral movement, multi-school cloud platform compromise.

4. User Information
Annex II information for school IT administrators: secure deployment, user provisioning, data handling disclosures, update mechanisms, vulnerability reporting, support period.

5. Declaration of Conformity
EU Declaration per Art. 28 and Annex V.

6. CVD Policy
Coordinated vulnerability disclosure policy for the edtech security research community.

7. Notification Template
ENISA notification template per Art. 14 with education sector context.

8. Obligations Calendar
Key dates mapped to education procurement: Art. 14 from September 2026, full enforcement December 2027, school year procurement windows.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

EDTECH SECURITY ASSESSMENT
Product security review for e-learning platforms
€10,000-25,000 per platform
8-16 weeks
Requires sharing platform architecture with auditor
Report-based — no Art. 31 documentation produced
Re-engagement per major version

CRACHECK — ART. 31 DOCUMENTATION
8-document technical file for your edtech product
€149 per product
15-25 minutes
Platform architecture stays in your browser
Feeds education procurement reviews
30-day edit window, 10 regenerations
Permanent PDF

Two layers

● LAYER 1 — DOCUMENTATION · CRACHECK

CRA documentation for edtech products

CRACheck generates Art. 31 and Annex VII technical documentation for your e-learning platform or educational device. Coverage includes cybersecurity risk assessment with education-specific context, vulnerability handling, SBOM, coordinated disclosure, ENISA template and support period. The documentation serves both CRA compliance and education procurement evidence requirements.

∅ LAYER 2 — NOT INCLUDED

What CRACheck does not address

CRACheck does not produce GDPR data protection impact assessments. It does not perform penetration testing on your platform. It does not audit student data handling practices. It does not certify age-appropriate design compliance. It does not manage your vulnerability handling process or ENISA submissions.

GDPR covers the data. The CRA covers the product. CRACheck documents the product layer.

Enforcement regime

11 September 2026 — Art. 14 reporting

A vulnerability in an LMS processing student data of minors triggers 24h ENISA notification. Simultaneously, GDPR Art. 33 may require 72h notification to the data protection authority.

11 December 2027 — Full CRA enforcement

Edtech products on the EU market must carry CE marking and Art. 31 documentation. School procurement will integrate CRA requirements.

Art. 64(2) — €15M or 2.5% of global turnover

Separate from any GDPR fine. A student data breach caused by a product cybersecurity failure may trigger both CRA and GDPR penalties simultaneously.

Alternatives

Criterion | Security assessment firm | Internal security team | GDPR-only approach | CRACheck
Price | €10K-25K | Staff time | Does not cover CRA | €149 per product
CRA Art. 31 coverage | No — assessment report | Variable | None | 8-document file
Education procurement evidence | Audit report | Internal docs | DPIA only | Standardised Art. 31 file
Student data stays with you | Shared with auditor | Internal | Internal | 100% browser-side

EdTech suite with LMS, assessment tools and classroom devices? Document each product.

Pack 10: €99 per product. Pack 30: €79 per product. For edtech companies with multi-product platforms deployed across EU education systems, contact us.

Commercial enquiries via hello@solidwaretools.com

What CRACheck guarantees and what it does not

CRACheck generates a structured document set according to Art. 31 and Annex VII of Regulation (EU) 2024/2847 based on the information you provide. The accuracy of platform architecture, data flow descriptions and security mechanism data is your responsibility as manufacturer.

We guarantee that the document structure follows Art. 31 and Annex VII and that the legal references cited are correct. We do not guarantee acceptance by a school district procurement process, education ministry or market surveillance authority.

CRACheck is not legal advice. For the CRA/GDPR interaction regarding student data and age-appropriate design requirements, consult a qualified data protection and product compliance lawyer.

Frequently asked questions

Our LMS is pure SaaS — no downloadable software. Is it in scope?
Art. 3(1) of Regulation (EU) 2024/2847 covers products with digital elements, including software components. Art. 3(2) defines remote data processing as in scope when it is designed by the manufacturer and the absence of it would prevent the product from performing its function. If your LMS has a client-side component (web app, mobile app) that constitutes the product placed on the market, the CRA may apply. A purely server-side service with no client-side product is outside CRA product scope, though it may fall under NIS2 as a digital service.
Does processing data of minors change the CRA requirements?
The CRA itself does not create specific obligations for products processing minors' data. However, Art. 13(2) requires the risk assessment to cover the product's intended purpose and foreseeable use. For edtech products designed for use by children, the risk assessment must reflect the heightened sensitivity of minors' data and the vulnerability of the user population. Annex I Part I requirements for confidentiality, integrity and access control must be implemented with this context.
Will EU schools require CRA documentation in procurement tenders?
Several EU member states are already strengthening cybersecurity requirements in education procurement. As CRA enforcement approaches, Art. 31 documentation will become a standard procurement evidence requirement — similar to how GDPR DPIAs became standard. Edtech companies without CRA documentation will face a procurement disadvantage.
Our interactive whiteboard has a web browser. Does that affect classification?
Annex III Class I item 2 of Regulation (EU) 2024/2847 lists "standalone and embedded browsers." If your whiteboard includes an embedded browser as a core component, the browser component may classify as Important Class I. The whiteboard as a product is classified based on its overall primary function and the classification of its most critical component.
Is this a subscription?
No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.
Can I request a refund?
Under Art. 16(m) of Directive (EU) 2011/83, activating the licence constitutes express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only processed for reproducible technical failures.
What if the regulation changes?
If Regulation (EU) 2024/2847 is amended during your licence window, you can regenerate the documentation using the updated version of the generator at no additional cost.
⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

GDPR covers the data. The CRA covers the product. Document the product layer.

LMS platforms, classroom tools, student devices. Each product with a data connection needs Art. 31 documentation. Eight documents. €149 per product. Browser-side.

Last regulatory check: 1 May 2026 · No substantive changes detected