Reg (EU) 2024/2847

You develop an e-learning platform, a learning management system or connected classroom hardware deployed in schools and universities across the EU. GDPR governs how you process student data. The Cyber Resilience Act governs the cybersecurity of the product you sell to the school. Article 13 of Regulation (EU) 2024/2847 applies to you as the manufacturer of a product with digital elements — and a breach of student data starts with a breach of product security.

Edtech companies have operated under GDPR's data protection framework. The CRA adds a horizontal product cybersecurity layer. Art. 3(1) covers any product with a data connection — LMS platforms, classroom management software, interactive whiteboards, student tablets with school-managed MDM profiles, assessment tools with cloud backends. If you market these products in the EU under your name, Art. 13 manufacturer obligations apply. Annex I Part I point (2)(e) requires data confidentiality through encryption — directly relevant to student data. Point (2)(g) requires data minimisation. Point (2)(h) requires availability even after incidents. For edtech products that include identity management or access control for school users, Annex III Class I item 1 may apply. CRACheck generates the 8-document technical file under Art. 31 and Annex VII. €149 per product. 15-25 minutes. Student-adjacent architecture stays in your browser.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Built on Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 PDF documents · 100% browser-side

Key figures

Art. 3(1): LMS, classroom software and educational hardware with data connections are in scope
Annex I Part I (2)(e): Data confidentiality through encryption — directly relevant to student data
€15M: Maximum fine under Art. 64(2) — separate from any GDPR penalty

How to proceed

1. Identify products with digital elements in your portfolio
LMS platforms (SaaS with client-side components), classroom management apps, interactive whiteboards, student devices, coding kits with network connectivity, assessment platforms with cloud sync. Each product placed on the EU market separately is within CRA scope.

2. Classify against Annex III
Standard edtech platforms and devices: Default. If your product includes identity management for school users (student SSO, teacher access control): Important Class I (Annex III item 1). If it includes password management: Important Class I (item 3).

3. Conduct the cybersecurity risk assessment
Art. 13(2)-(3): education-specific risks include student data exposure (including minors' data), classroom session hijacking, grade manipulation, school network lateral movement from compromised edtech devices, and cloud platform compromise affecting multiple schools.

4. Address Annex I requirements with student data sensitivity
Annex I Part I point (2)(e): encryption of student data at rest and in transit. Point (2)(g): data minimisation — collect only what the educational purpose requires. Point (2)(d): access control preventing unauthorised access to student records. These overlap with GDPR but are enforced through the CRA's product cybersecurity framework.

5. Compile Art. 31 technical documentation
Annex VII: system architecture, authentication mechanisms, data flow diagrams, component inventory, vulnerability handling, SBOM.

6. Prepare ENISA reporting
Art. 14 from September 2026. A vulnerability in an LMS deployed across 500 EU schools, processing data of minors, is simultaneously a CRA notification event and a GDPR data breach risk. Both channels must be prepared.

Common mistakes

REGULATORY CONFLATION

Assuming GDPR compliance covers product cybersecurity

GDPR (Regulation (EU) 2016/679) regulates data processing. The CRA (Regulation (EU) 2024/2847) regulates product cybersecurity. Art. 32 of GDPR requires appropriate security measures for data processing. Art. 13 of the CRA requires the product itself to be secure. These are complementary obligations on overlapping but distinct aspects — GDPR compliance does not exempt you from CRA documentation.

MINOR DATA SENSITIVITY

Not elevating the risk assessment for products processing minors' data

Annex I Part I point (2)(e) of Regulation (EU) 2024/2847 requires confidentiality protection for stored and transmitted data. When that data belongs to minors — student records, assessment results, behavioural data — the sensitivity context elevates the required level of protection. A risk assessment under Art. 13(2) that does not specifically address the minor data context is inadequate.

SCHOOL PROCUREMENT BLINDNESS

Not anticipating CRA documentation requirements in education procurement

EU member state education ministries and school districts are increasingly including cybersecurity evidence in procurement. NIS2 may classify certain education infrastructure as essential. The CRA's Art. 31 documentation provides a standardised evidence format that education procurement can reference — not having it will become a competitive disadvantage.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
Identifies Default (standard LMS, assessment tools) or Important Class I (platforms with identity management per Annex III item 1, password management per item 3).

2. Technical Documentation
Art. 31 and Annex VII documentation: platform architecture, authentication flows, data storage and transmission, cloud infrastructure, API specifications, mobile client components.

3. Risk Assessment
Cybersecurity risk assessment covering education vectors: student data exposure (minors), classroom session hijacking, grade manipulation, school network lateral movement, multi-school cloud platform compromise.

4. User Information
Annex II information for school IT administrators: secure deployment, user provisioning, data handling disclosures, update mechanisms, vulnerability reporting, support period.

5. Declaration of Conformity
EU Declaration per Art. 28 and Annex V.

6. CVD Policy
Coordinated vulnerability disclosure policy for edtech security research community.

7. Notification Template
ENISA notification template per Art. 14 with education sector context.

8. Obligations Calendar
Key dates mapped to education procurement: Art. 14 from September 2026, full enforcement December 2027, school year procurement windows.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 EDTECH SECURITY ASSESSMENT
Product security review for e-learning platforms
€10,000-25,000 per platform
8-16 weeks
Requires sharing platform architecture with auditor
Report-based — no Art. 31 documentation produced
Re-engagement per major version
Last regulatory check: 1 May 2026 · No substantive changes detected