Japanese industrial manufacturers operate within rigorous quality frameworks — ISO 9001, IEC 62443, and the EU Machinery Regulation 2023/1230. The Cyber Resilience Act is not a replacement for any of these. It is a horizontal regulation that adds cybersecurity documentation requirements on top. Article 2(5) acknowledges overlap with sectoral rules but does not automatically exempt industrial products. Your EU subsidiary's compliance team needs an Annex VII dossier that stands on its own. CRACheck produces it in 15–25 minutes. €149 per product line. All processing stays in your browser.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.
Article 2(5) of Regulation (EU) 2024/2847 allows limitation or exclusion for products covered by other EU rules achieving the same cybersecurity protection level — but only through a delegated act by the European Commission. No such delegated act exists for the Machinery Regulation. Until one is adopted, CRA obligations apply in parallel.
IEC 62443 is an international standard for industrial cybersecurity, not a harmonised standard under the CRA. The CRA's essential cybersecurity requirements (Annex I) and documentation structure (Annex VII) have their own scope. An IEC 62443 certificate demonstrates security maturity but does not automatically fulfil Art. 31 documentation obligations. You need a separate Annex VII dossier — which can reference your IEC 62443 work.
If your EU subsidiary is the importer under Article 3(16), their obligations under Article 19 are to verify that you — the manufacturer — have completed the conformity assessment and prepared technical documentation. The subsidiary verifies; the manufacturer produces. CRA documentation obligations under Article 13 remain with the entity that designs, develops, and manufactures the product.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Determines classification. Network management systems (Annex III Class I, item 6), firewalls and IDS/IPS (Class II, item 2) carry stricter assessment obligations. Default industrial products use Module A.
Art. 31 + Annex VII dossier structured for industrial products: design lifecycle, security architecture (zones, conduits), production processes, firmware management.
Annex I Part I analysis adapted for industrial environments. OT-specific threats: lateral movement, protocol exploitation, physical access, supply chain attacks on components.
Annex II documentation for industrial integrators and operators: secure commissioning, network segmentation requirements, update management, end-of-support communication.
Art. 28 + Annex V. Complements Declarations under Machinery Regulation, RED, or LVD as applicable.
Industrial-grade coordinated vulnerability disclosure: ICS-CERT coordination, responsible disclosure timelines, customer notification procedures.
Art. 14 ENISA notification for OT vulnerabilities. 24h early warning, 72h notification, 14-day final report.
Enforcement dates, support period milestones, patch cycle schedule aligned with industrial maintenance windows.
Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.
Generated from your data, in your browser. No data leaves your device.
CRACheck generates the Art. 31 + Annex VII dossier that the CRA requires independently of your IEC 62443 certification. Classifies your industrial product, maps cybersecurity measures to Annex I, produces structured PDFs. This is the CRA-specific documentation layer.
CRACheck does not implement security features, conduct SCADA penetration testing, or manage IEC 62443 certification. It does not interact with notified bodies. If your product is Important under Annex III, third-party assessment may be required under Article 32 — CRACheck documents, but does not perform, that assessment.
Japanese manufacturers with mature IEC 62443 programmes already have most of the cybersecurity substance. Layer 1 structures that substance into the CRA's required format.
Article 64 of Regulation (EU) 2024/2847.
Annex I + Art. 13/14.
Art. 28, 31, 32.
Misleading information.
| Criterion | EU Industrial Consultant | Extend IEC 62443 Scope | In-House Compliance Team | CRACheck |
|---|---|---|---|---|
| Time per product | 8–16 weeks | 12–20 weeks (re-cert) | 6–12 weeks | 15–25 minutes |
| Cost | €15,000–€35,000 | €20,000–€40,000 | Staff + training | €149 |
| CRA specificity | May bundle with 62443 | Not CRA-specific | Learning curve | Annex VII-structured from the start |
| Data privacy | Shared with consultant | Shared with cert body | Internal | 100% browser-side |
Japanese manufacturers often export several product families to Europe. Each product line with distinct firmware and connectivity requires its own CRA dossier. Volume pricing: €99/product (pack 10), €79/product (pack 30).
Request Volume PricingCRACheck generates a structured document aligned with Article 31 and Annex VII of Regulation (EU) 2024/2847 based on your product data. The accuracy of that data is your responsibility as manufacturer.
We guarantee the document structure follows Art. 31 + Annex VII and legal references are correct. We do not guarantee acceptance by a market surveillance authority or notified body in a particular case.
CRACheck is not legal advice. For questions about the CRA's interaction with the Machinery Regulation, IEC 62443 mapping, or delegated act exclusions, consult a regulatory attorney.
Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.