Reg (EU) 2024/2847Generate dossier — €149
LIVE — Enforcement tracker · Deadline dashboard · Transposition status — Updated weekly from EUR-Lex, Safety Gate, OEIL & 12 official sourcesView regulatory intelligence →

Your company operates in an OEM or ODM arrangement. One party designs, another produces, a third markets the product under its brand. Article 3(13) of Regulation (EU) 2024/2847 does not care who built the circuit board. It cares who markets the product under their name or trademark. That party is the manufacturer — and that party bears twenty-one obligations under Article 13.

OEM and ODM arrangements distribute engineering responsibility across multiple entities. The CRA cuts through that distribution with a single test under Art. 3(13): the manufacturer is whoever develops or has developed a product with digital elements and markets it under their name or trademark. In a pure OEM model — where the brand owner specifies the design and the factory produces to specification — the brand owner is the manufacturer. In a pure ODM model — where the factory designs and the brand owner rebrands — the brand owner is still the manufacturer because they market it under their trademark. The factory, unless it also sells the same product under its own brand, is a contract producer outside the CRA's manufacturer definition. Art. 22 adds one more trigger: a substantial modification by any party makes that party the manufacturer for the affected part of the product. CRACheck generates the 8-document Art. 31 technical file. €149 per product. 15-25 minutes. Design data stays in your browser.

Generate CRA dossier — €149Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Built on Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 PDF documents · 100% browser-side

Key figures

Art. 3(13)
Manufacturer = who markets under their name or trademark, regardless of who designed or produced
Art. 22
Substantial modification by any party creates manufacturer status for the modified part
€15M
Maximum fine for the party classified as manufacturer under Art. 64(2)

How to proceed

1
Map your arrangement to the CRA's definitions
In OEM: brand owner specifies, factory produces. Brand owner markets under its name → brand owner is manufacturer. In ODM: factory designs, brand owner rebrands. Brand owner markets under its name → brand owner is manufacturer. Factory selling the same product under its own brand separately → factory is also a manufacturer for that separate placement.
2
Identify substantial modification triggers
Art. 22: if any party (integrator, reseller, customiser) carries out a substantial modification and makes the product available on the market, that party becomes the manufacturer for the affected part — or the entire product if the modification impacts overall cybersecurity.
3
Allocate documentation responsibility contractually
The manufacturer under Art. 3(13) must produce Art. 31 documentation. If the brand owner lacks engineering data, the OEM/ODM contract must require the factory to provide cybersecurity risk data, component inventories, SBOM, vulnerability handling procedures and support period commitments.
4
Complete the Art. 31 technical file
Annex VII applies regardless of which party has the engineering capability. The manufacturer of record is responsible for the file's existence and accuracy.
5
Establish joint vulnerability handling
Art. 13(6) requires the manufacturer to report upstream when a vulnerability is found in an integrated component. In OEM/ODM arrangements, this means a defined communication channel between brand owner and factory, operational by September 2026.
6
Prepare ENISA reporting under the correct entity
Art. 14 notifications are submitted by the manufacturer. In OEM/ODM, identify which entity will submit — the brand owner as manufacturer or, if the factory is also a manufacturer for its own branded version, both.

Common mistakes

MANUFACTURER MISIDENTIFICATION

Assuming the factory is the manufacturer because it builds the product

Art. 3(13) of Regulation (EU) 2024/2847 does not test who built the product. It tests who markets it under their name. In ODM arrangements, the factory designs and produces, but if the brand owner markets the finished product under its own trademark, the brand owner is the manufacturer. The factory is a contract producer with no CRA manufacturer obligations for that branded product.

DUAL MANUFACTURER BLIND SPOT

Not recognising that both factory and brand owner can be manufacturers simultaneously

If the factory sells the same product under its own brand AND the brand owner sells it under a different brand, both are manufacturers under Art. 3(13) — each for their own market placement. Each must produce independent Art. 31 documentation and each faces Art. 64(2) penalties independently.

MODIFICATION LIABILITY

Making firmware changes after import and not recognising Art. 22

Art. 22 of Regulation (EU) 2024/2847 states that any person who carries out a substantial modification and makes the product available on the market becomes the manufacturer. Customising firmware, changing security configurations, or altering the product's intended purpose can trigger this — even if the original product was CRA-compliant.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1

Product Classifier

Identifies the CRA category for the product as placed on the market by the manufacturer of record.

2

Technical Documentation

Art. 31 and Annex VII documentation produced by the manufacturer (brand owner). Engineering data sourced from the OEM/ODM factory, structured into the regulatory format.

3

Risk Assessment

Cybersecurity risk assessment per Art. 13(2)-(3) covering the product as marketed, including factory-provided component data.

4

User Information

Annex II information under the brand owner's identity, with vulnerability reporting contact and support period.

5

Declaration of Conformity

EU Declaration per Art. 28 and Annex V issued by the brand owner as manufacturer.

6

CVD Policy

Coordinated vulnerability disclosure policy under the brand owner's coordination, with factory involvement documented.

7

Notification Template

ENISA notification template for the entity classified as manufacturer. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

8

Obligations Calendar

Key dates accounting for OEM/ODM contract milestones, support period alignment with factory agreements, Art. 14 from September 2026.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 OEM/ODM COMPLIANCE LEGAL MAPPING
Legal opinion on manufacturer status + documentation
€8,000-25,000 per product family
8-16 weeks
Factory involvement required
Legal opinion only — does not produce Art. 31 file
Re-engagement per product revision
✓ CRACHECK — ART. 31 DOCUMENTATION
8-document technical file for the manufacturer of record
€149 per product
15-25 minutes
Factory data structured into regulatory format
100% browser-side
30-day edit window, 10 regenerations
Permanent PDF

Two layers

● LAYER 1 — DOCUMENTATION · CRACHECK

The documentation layer

CRACheck generates the Art. 31 and Annex VII documentation for the entity classified as manufacturer under Art. 3(13). Whether you are the brand owner in an ODM arrangement or the factory selling under its own brand, CRACheck structures the technical file from your input. Eight documents per product.

∅ LAYER 2 — NOT INCLUDED

What CRACheck does not determine

CRACheck does not determine which party in your OEM/ODM arrangement is the manufacturer — Art. 3(13), Art. 21 and Art. 22 of Regulation (EU) 2024/2847 make that determination based on your commercial arrangements. CRACheck does not draft OEM/ODM contracts. It does not negotiate data-sharing agreements with factories. It does not assess whether a firmware modification constitutes a "substantial modification" under Art. 22.

The regulation decides who is the manufacturer. CRACheck helps the manufacturer produce the documentation.

Enforcement regime

📅
11 September 2026 — Art. 14 reporting starts

The entity classified as manufacturer must have ENISA reporting capability. In dual-manufacturer scenarios (factory + brand owner), each must report independently for products marketed under their respective brands.

⚖️
11 December 2027 — Full CRA enforcement

Every branded product on the EU market must have a documented manufacturer with Art. 31 documentation. OEM/ODM arrangements without clear manufacturer identification will face enforcement gaps.

🔒
Art. 64(2) — €15M or 2.5% of global turnover

Applied to the entity classified as manufacturer. In OEM/ODM, this typically means the brand owner. Contractual indemnification from the factory is a commercial arrangement — it does not change the CRA's enforcement target.

Alternatives

CriterioOEM/ODM legal opinionFactory-provided compliance packageNo CRA preparationCRACheck
Price€8K-25KVaries, often opaque€0€149 per product
Determines manufacturer?YesNoNoNo — the law does
Produces Art. 31 file?NoSometimes, factory formatNoYes — 8 documents
Data stays with you?Shared with counselFactory holdsN/A100% browser-side
CRACheck€149Yes8-doc ZIPBrowser-side

OEM/ODM portfolio with multiple brand placements? Document each one.

Pack 10: €99 per product. Pack 30: €79 per product. For OEM/ODM arrangements covering multiple product lines and brand placements, contact us.

Request volume pricing
Commercial enquiries via hello@solidwaretools.com

What CRACheck guarantees and what it does not

CRACheck generates a structured document set according to Art. 31 and Annex VII of Regulation (EU) 2024/2847 based on the information provided by the entity identified as manufacturer. The accuracy of engineering data — whether sourced from your own development or from an OEM/ODM partner — is the manufacturer's responsibility.

We guarantee that the document structure follows Art. 31 and Annex VII and that the legal references cited are correct. We do not determine which party in an OEM/ODM arrangement is the manufacturer, nor do we guarantee acceptance by a specific authority.

CRACheck is not legal advice. For manufacturer identification in complex multi-party arrangements, consult a qualified EU product compliance lawyer.

Frequently asked questions

In an ODM arrangement, who signs the Declaration of Conformity?
The manufacturer under Art. 3(13) of Regulation (EU) 2024/2847 — the entity that markets the product under its name or trademark. In a typical ODM arrangement, this is the brand owner. The factory does not sign unless it also independently places the product on the EU market under its own brand.
Can the factory and brand owner share a single Art. 31 technical file?
If only one entity is the manufacturer (typically the brand owner), only one Art. 31 file is required. If both entities market the product under different brands (dual manufacturer scenario), each needs independent documentation. The engineering data may overlap, but the CRA identifies obligations per manufacturer, not per product design.
Does customising the software UI constitute a substantial modification?
Art. 22 of Regulation (EU) 2024/2847 does not define "substantial modification" with a bright-line test. Recital 38 refers to modifications that affect the product's conformity or change its intended purpose. A cosmetic UI change likely does not qualify. Modifying security-relevant firmware, changing authentication mechanisms, or altering the product's network connectivity behaviour likely does. The Commission may publish guidance under Art. 26(2)(d).
Our factory is in China. Does the CRA apply to them?
If the factory does not place the product on the EU market under its own name, the CRA's manufacturer obligations do not apply to the factory directly. The brand owner who markets the product in the EU is the manufacturer. However, the factory's engineering data is essential for the brand owner to fulfil Art. 13 — hence the contractual need for cybersecurity data sharing.
Is this a subscription?
No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.
Can I request a refund?
Under Art. 16(m) of Directive (EU) 2011/83, activating the licence constitutes express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only processed for reproducible technical failures.
What if the regulation changes?
If Regulation (EU) 2024/2847 is amended during your licence window, you can regenerate the documentation using the updated version of the generator at no additional cost.

Official legal sources

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

Art. 3(13) does not ask who designed it. It asks whose name is on it.

If your brand is on the product, you are the manufacturer. Generate the Art. 31 documentation. Eight documents. €149 per product. Browser-side.

€149 one-time
8-document ZIP · 15-25 min · Art. 31 + Annex VII · 100% browser-side · Permanent PDF
Generate Technical Documentation

Related landings

🔗 White label

CRA white-label — who is the manufacturer when you rebrand?
🔗 Manufacturers

CRA manufacturer obligations — complete Art. 13 breakdown
🔗 Importers

CRA importer obligations — what Art. 19 requires
✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history