The manufacturer bears the primary compliance burden under the CRA. Art. 13(1) requires you to ensure the product was "designed, developed and produced in accordance with the essential cybersecurity requirements" of Annex I. Art. 13(2)–(3) requires a risk assessment. Art. 13(4) requires its inclusion in the technical documentation. Art. 13(6) requires vulnerability handling per Annex I Part II and reporting per Art. 14. Art. 13(8)–(9) requires a support period of at least 5 years with free security updates. Art. 13(12) requires conformity assessment and CE marking. Art. 13(13) requires 10-year documentation retention. Art. 13(19)–(21) requires user information per Annex II. CRACheck generates the 8-document package that covers all documentable obligations. 15–25 minutes. €149.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
Article 3(13) defines the manufacturer as whoever develops or has the product developed and markets it under their name or trademark. If you brand the product, you are the manufacturer under the CRA regardless of who wrote the firmware. White-label brands cannot shift Art. 13 obligations to OEM suppliers through contract terms alone.
Art. 13(8) sets a minimum of 5 years from market placement. A shorter period is only permissible if "the expected product lifetime is shorter than 5 years," in which case the support period must match the expected lifetime. A manufacturer that arbitrarily sets a 2-year support period for a product with a 10-year expected lifetime violates Art. 13(8).
Art. 18 allows appointment of an authorised representative for non-EU manufacturers, but Art. 18(2) explicitly excludes key obligations from delegation: product design per Art. 13(1), risk assessment per Art. 13(2)–(3), and vulnerability handling per Art. 13(6). The manufacturer retains direct responsibility for these regardless of representative appointment.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Category per Annex III/IV. Determines the conformity assessment module under Art. 32.
Full Annex VII. All 8 points. The backbone of the manufacturer's compliance file per Art. 31.
Per Art. 13(2)–(3). Maps all Annex I Part I(2) requirements to your product.
Per Annex II and Art. 13(19)–(21). All 11 mandatory information categories.
Per Art. 28 and Annex V. Required by Art. 13(12) before CE marking.
Per Annex I, Part II, point (5). Required by Art. 13(6) as part of vulnerability handling.
Per Art. 14. Required by Art. 13(6) for reporting to ENISA.
Maps all Art. 13 deadlines: Art. 14 reporting from 11 September 2026, full CRA from 11 December 2027, support period, 10-year retention.
See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.
Generated from your data, in your browser. No data leaves your device.
Hiring a CRA compliance consultancy to map all manufacturer obligations, conduct the risk assessment, produce the Annex VII file, draft the CVD policy, and prepare the conformity assessment documentation.
CRACheck generates all 8 documents covering the documentable manufacturer obligations: technical documentation (Art. 31), risk assessment (Art. 13(2)–(3)), user information (Art. 13(19)), declaration of conformity (Art. 13(12)), CVD policy (Art. 13(6)), notification template (Art. 14), product classification (Art. 32), and obligations calendar mapping all Art. 13 deadlines.
CRACheck does not design your product per Annex I. It does not implement security features. It does not handle vulnerability reports. It does not submit notifications to ENISA. It does not deliver security updates to users. It does not act as an authorised representative per Art. 18. CRACheck documents your compliance. You must achieve it.
The CRA requires both: a compliant product and the documentation proving it. CRACheck handles the documentation.
Art. 64(2).
Art. 64(3).
Art. 64(4).
| Criterion | No compliance | Full consultancy | Piecemeal approach | CRACheck |
|---|---|---|---|---|
| All Art. 13 obligations covered | None | Yes | Gaps likely | All documentable ones |
| Cross-referenced documentation | None | Manual | Inconsistent | Automatic |
| Time to documentation | — | 3–6 months | 2–4 months | 15–25 minutes |
| Cost | €0 (+ market ban) | €20K–€50K | €10K–€25K | €149 one-time |
Each product with digital elements requires its own complete documentation set per Art. 31. A manufacturer with 50 products needs 50 technical files. Volume pricing: €99/product (10-pack) or €79/product (30-pack).
Request volume pricingCRACheck generates a structured documentation package according to Article 13, Article 31, and Annex VII of Regulation (EU) 2024/2847, based on the information you provide. The accuracy and completeness of your product data, risk assessment inputs, and compliance declarations is your responsibility as manufacturer.
We guarantee that the document structure follows the cited articles and annexes of Regulation (EU) 2024/2847 and that all legal references are correct. We do not guarantee that a specific documentation set will be accepted by a market surveillance authority or notified body in a specific case.
CRACheck is not legal advice. For specific situations involving manufacturer role determination, authorised representative obligations, or market surveillance proceedings, consult with a qualified regulatory professional.