Cybersecurity companies exist to protect others. Regulation (EU) 2024/2847 requires them to protect themselves — or at least to document how they do it. If your Indian cybersecurity company sells a SIEM (Annex III Class I §7), a firewall or IDS/IPS (Annex III Class II §2), a VPN (Class I §5), or a password manager (Class I §3), the product is classified as Important under the CRA. That means Module A self-assessment alone may not suffice — if you have not applied harmonised standards or certification schemes, Article 32(2) requires notified body involvement (Module B+C or H). The Annex VII technical documentation is mandatory for all paths. CRACheck generates 8 structured PDFs in 15–25 minutes. €149 per product. 100% browser-side.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
Knowing cybersecurity and documenting cybersecurity under Annex VII of Regulation (EU) 2024/2847 are different activities. Your product may have excellent security engineering. The regulation requires that engineering to be documented in a specific format — product description, architecture, risk assessment, SBOM, vulnerability handling, test reports, standards applied, declaration of conformity. CRACheck structures what you already know.
Module A is available for Default products and for Important Class I products where harmonised standards have been fully applied (Art. 32(2)). If your product is Class I and harmonised standards do not yet exist or you have not applied them, you need Module B+C or H — involving a notified body. Class II products always require notified body involvement (Art. 32(3)). Classification matters.
SOC 2 and ISO 27001 certify your organisational security posture. The CRA requires product-level documentation: Annex VII describes the specific product, not the organisation. The regulation requires an SBOM (Annex VII §2(b)), a product-specific cybersecurity risk assessment (Art. 13(2)), and evidence of Annex I compliance. Organisational certifications are referenced in Annex VII §5 but do not replace the product documentation.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Annex III classification with specific category identification (Class I §7 for SIEM, Class II §2 for firewalls, etc.).
Annex VII. Security product architecture: detection engines, encryption modules, threat intelligence feeds, API surface.
Art. 13(2). Cybersecurity product risk assessment: the product's own attack surface, not the threats it protects against.
Annex II. Deployment instructions, security configuration, integration with customer environments, support period.
Art. 28 + Annex V.
Annex I Part II §5. For a cybersecurity company, this policy is business-critical — your customers expect mature vulnerability handling.
Art. 14. 24h notification for vulnerabilities in your own product.
Sept 2026 (Art. 14), Dec 2027 (full), harmonised standards publication dates.
Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.
Generated from your data, in your browser. No data leaves your device.
Generates Annex VII documentation for your cybersecurity product. 8 PDFs. 15–25 minutes. €149. Required for all conformity assessment paths — Module A, B+C, or H.
Does not perform the notified body assessment required for Class I without harmonised standards or Class II (Art. 32(2)-(3)). Does not determine which harmonised standards apply. Does not replace your internal security testing.
We produce the documentation. You handle the conformity assessment path.
Article 64 of Regulation (EU) 2024/2847.
Art. 64(2). A cybersecurity company failing CRA compliance is a reputational catastrophe.
Art. 64(3). Using Module A when the product requires Module B+C is an infringement.
Art. 64(4).
| Alternative | Cost | What you get |
|---|---|---|
| EU CRA + notified body consultant | €15,000–€30,000 | Full conformity pathway. 4–8 months. |
| Self-assess without checking Annex III classification | Free + risk | Wrong conformity path. Potential Art. 64(3) infringement. |
| Exit the EU market | €0 | Lose a major revenue channel. |
| CRACheck | €149 | 8 documents. 15–25 min. Foundation for any conformity path. |
SIEM, firewall, VPN, endpoint — each product needs its own Annex VII dossier and its own classification under Annex III. Contact us for security vendor volume pricing.
Request Volume PricingCRACheck generates a structured document under Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy is your responsibility as the manufacturer.
We guarantee structure and legal references. We do not guarantee acceptance by a notified body or market surveillance authority.
CRACheck is not legal advice. For conformity assessment pathway decisions — especially for Annex III Class I/II products — consult a qualified regulatory consultant.
Eight documents. Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.