Global electronics brands with manufacturing operations in Vietnam are preparing for CRA compliance. Under Article 13(5), they must document due diligence on every third-party component integrated into their products. That documentation chain starts at your factory. If you produce PCBAs, firmware-loaded modules, sensor assemblies, or any subassembly with digital elements, your customer will request cybersecurity documentation aligned with Annex VII. Factories that can deliver it retain contracts. Those that cannot get replaced. CRACheck generates an 8-document dossier for your component or subassembly in 15–25 minutes. €149. Your production data never leaves your browser.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.
If you manufacture under your customer's brand and specification, your customer is indeed the manufacturer under Article 3(13). However, Article 13(5) requires them to exercise due diligence on components — including those you produce. They will demand cybersecurity documentation from you as part of their due diligence. The obligation may not be yours directly, but the commercial requirement is: no documentation, no contract.
If the hardware you deliver includes any digital element — a microcontroller, a memory chip with pre-loaded bootloader, a communication interface — it may qualify as a product with digital elements under Article 3(1). Even if firmware is loaded downstream, the hardware's security architecture (debug ports, secure boot support, physical tamper resistance) is part of the cybersecurity documentation your customer needs.
The enforcement deadline is 11 December 2027. Art. 14 reporting obligations begin 11 September 2026. Global brands are building their compliance programmes now. When procurement teams send the first CRA clause, factories without documentation will face emergency timelines or contract loss. Preparing documentation proactively positions your factory as a compliant supplier.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Determines whether your component or subassembly is a standalone product with digital elements or supporting documentation for your customer's final product. Identifies applicable Annex III category if relevant.
Art. 31 + Annex VII dossier at the component level: hardware design, firmware elements, production security controls, quality assurance measures.
Annex I Part I analysis for the component: attack surfaces at the subassembly level, firmware integrity risks, production line security, supply chain tampering vectors.
Annex II information for the downstream manufacturer (your customer): integration guidelines, security configuration requirements, handling procedures, known limitations.
Art. 28 + Annex V for the component (if marketed separately) or supporting conformity evidence (if part of customer's product).
Factory-level vulnerability coordination: how your facility communicates security findings to your customer, response procedures, escalation paths.
Art. 14 notification readiness: your factory's process for alerting your customer to vulnerabilities that may affect their product and require ENISA notification. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
Aligned with your customer's enforcement deadlines: Art. 14 from September 2026, full compliance December 2027.
Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.
Generated from your data, in your browser. No data leaves your device.