Global electronics brands with manufacturing operations in Vietnam are preparing for CRA compliance. Under Article 13(5), they must document due diligence on every third-party component integrated into their products. That documentation chain starts at your factory. If you produce PCBAs, firmware-loaded modules, sensor assemblies, or any subassembly with digital elements, your customer will request cybersecurity documentation aligned with Annex VII. Factories that can deliver it retain contracts. Those that cannot get replaced. CRACheck generates an 8-document dossier for your component or subassembly in 15–25 minutes. €149. Your production data never leaves your browser.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.
If you manufacture under your customer's brand and specification, your customer is indeed the manufacturer under Article 3(13). However, Article 13(5) requires them to exercise due diligence on components — including those you produce. They will demand cybersecurity documentation from you as part of their due diligence. The obligation may not be yours directly, but the commercial requirement is: no documentation, no contract.
If the hardware you deliver includes any digital element — a microcontroller, a memory chip with pre-loaded bootloader, a communication interface — it may qualify as a product with digital elements under Article 3(1). Even if firmware is loaded downstream, the hardware's security architecture (debug ports, secure boot support, physical tamper resistance) is part of the cybersecurity documentation your customer needs.
The enforcement deadline is 11 December 2027. Art. 14 reporting obligations begin 11 September 2026. Global brands are building their compliance programmes now. When procurement teams send the first CRA clause, factories without documentation will face emergency timelines or contract loss. Preparing documentation proactively positions your factory as a compliant supplier.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Determines whether your component or subassembly is a standalone product with digital elements or supporting documentation for your customer's final product. Identifies applicable Annex III category if relevant.
Art. 31 + Annex VII dossier at the component level: hardware design, firmware elements, production security controls, quality assurance measures.
Annex I Part I analysis for the component: attack surfaces at the subassembly level, firmware integrity risks, production line security, supply chain tampering vectors.
Annex II information for the downstream manufacturer (your customer): integration guidelines, security configuration requirements, handling procedures, known limitations.
Art. 28 + Annex V for the component (if marketed separately) or supporting conformity evidence (if part of customer's product).
Factory-level vulnerability coordination: how your facility communicates security findings to your customer, response procedures, escalation paths.
Art. 14 notification readiness: your factory's process for alerting your customer to vulnerabilities that may affect their product and require ENISA notification. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
Aligned with your customer's enforcement deadlines: Art. 14 from September 2026, full compliance December 2027.
Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.
Generated from your data, in your browser. No data leaves your device.
CRACheck generates documentation that your global customer needs for their Art. 13(5) due diligence. It structures your component's cybersecurity data per Annex VII and produces 8 PDFs that integrate into the customer's technical file. This is the documentation that keeps your factory in the supply chain.
CRACheck does not audit your production line security, implement firmware signing at the factory level, or redesign your manufacturing processes. If your customer requires specific security controls during production (secure provisioning, key injection, tamper-evident packaging), those are implementation tasks separate from documentation.
Global brands are building their CRA compliance now. Your documentation readiness is a competitive differentiator. Factories that deliver Annex VII-aligned component documentation retain preferred supplier status.
Article 64 of Regulation (EU) 2024/2847.
Annex I + Art. 13/14.
Art. 28, 31, 32.
Misleading information.
| Criterion | Supply Chain Auditor | Customer-Provided Template | Internal Documentation | CRACheck |
|---|---|---|---|---|
| Time per component | 8–16 weeks | 2–4 weeks (if template exists) | 4–8 weeks | 15–25 minutes |
| Cost | $15,000–$30,000 | Template cost + staff | Staff allocation | €149 |
| Output format | Audit report (not Annex VII) | Varies by customer | Ad hoc | 8 PDFs per Annex VII |
| Reusable across customers | No (customer-specific) | No (customer format) | Partially | Yes — standard Annex VII structure |
Factories producing multiple distinct components or subassemblies need a dossier for each. Volume pricing: €99/product (pack 10), €79/product (pack 30). A single factory documenting 30 component types pays €79 each.
Request Volume PricingCRACheck generates a structured document aligned with Article 31 and Annex VII of Regulation (EU) 2024/2847 based on your component data. The accuracy of that data is your responsibility as the manufacturing entity.
We guarantee the structure follows Art. 31 + Annex VII and legal references are correct. We do not guarantee that your customer's compliance team or a market surveillance authority will accept a specific document in a specific context.
CRACheck is not legal advice. For questions about your factory's CRA obligations versus your customer's obligations, supply chain contractual allocation, or authorised representative requirements, consult a regulatory attorney.
Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.