The open-source community raised concerns during the CRA legislative process, and the final text reflects them. Recital 18 of Regulation (EU) 2024/2847 explicitly excludes free and open-source software when it is not supplied in the course of a commercial activity. But the same recital defines commercial activity broadly: providing paid support, offering a commercial version, or integrating the software into a commercial product all qualify. If your OSS project has a foundation, a company, or a revenue stream, the software you distribute to EU users is within scope. CRACheck generates the 8-document dossier under Article 31 + Annex VII for €149 in 15-25 minutes. The documentation distinguishes you from non-commercial projects — and from competitors without CRA readiness.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.
Recital 18 of Regulation (EU) 2024/2847 bases the CRA exemption on commercial activity, not license type. MIT, Apache, GPL, and BSD are all license types that say nothing about commercial context. If your company distributes the software commercially — through paid support, enterprise features, managed hosting, or company-backed development — the license does not create an exemption.
Recital 18 states that the "mere circumstances" of a product's development — such as being open-source — do not exclude it from scope if supplied in the course of commercial activity. If the community edition is distributed by the same company that sells the enterprise edition, and the community edition serves as a gateway to commercial conversion, it may be within scope. The determination depends on whether the supply constitutes commercial activity, not on the edition label.
The manufacturer under Article 3(13) is the legal entity that places the product on the market. If your company publishes releases, maintains the download page, and distributes the software to EU users, your company is the manufacturer — regardless of who contributed the code. Contributor volunteer status does not affect the company's regulatory obligations.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Determines CRA scope for your OSS product. Documents the commercial activity analysis per Recital 18 and the Annex III classification.
Art. 31 + Annex VII for commercial OSS: project architecture, build system, dependency tree, release process, contributor model, and security controls.
OSS-specific analysis: supply chain attacks, dependency vulnerabilities, compromised contributor accounts, package registry attacks, and build system integrity.
Annex II adapted for OSS users: supported versions, security update channels, known vulnerabilities, contribution guidelines for security issues, and developer contact.
Art. 28 + Annex V for your commercial OSS product.
Vulnerability disclosure policy for OSS projects: SECURITY.md, security advisory process, coordinated disclosure with downstream users, and embargo policy.
ENISA template per Article 14 for OSS incidents: compromised releases, supply chain attacks, zero-day discoveries in production deployments. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
Timeline for commercial OSS: Art. 14 reporting from September 2026, enforcement December 2027, support period for maintained versions.
See before you buy — Download sample dossier (PDF, fictitious company) — Real structure, real articles, real format. Fictitious data.
Generated from your data, in your browser. No data leaves your device.
Generates CRA documentation for your commercial OSS product: scope determination (Recital 18 analysis), product classification, technical documentation, risk assessment, declaration of conformity, and vulnerability handling policies.
Does not audit your codebase. Does not verify your build pipeline integrity. Does not scan your dependency tree for vulnerabilities. Does not assess your contributor trust model. Those are engineering and DevSecOps responsibilities.
CRACheck produces the regulatory documentation. Your DevSecOps practices produce the security substance. EU enterprise customers need evidence of both.
Article 64 of Regulation (EU) 2024/2847.
Non-compliance with essential requirements or manufacturer obligations.
Missing documentation or conformity assessment.
Misleading information to authorities.
| Criteria | OSS-specialized attorney | Generic regulatory consultant | Linux Foundation guidance | CRACheck |
|---|---|---|---|---|
| Time | 6-12 weeks | 8-16 weeks | Self-guided (weeks) | 15-25 minutes |
| Cost | $10,000-$25,000 | €10,000-€20,000 | Free but no documentation | €149 |
| Understands open-core models | Rare | Unlikely | Yes but no docs | Architecture-agnostic |
| Produces CRA documentation | Legal memo | Custom report | No | 8 structured PDFs |
If your company commercially distributes a database, a message queue, and a monitoring tool — each is a separate product needing its own Article 31 dossier. Volume pricing: 10 products at €99, 30 at €79.
Request Volume Pricing
CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy of that information is your responsibility as the manufacturer.
We guarantee the document structure follows Article 31 + Annex VII and legal references are correct. We do not guarantee that a Recital 18 commercial activity determination will be accepted in a specific case.
CRACheck is not legal advice. For borderline cases on the commercial/non-commercial OSS boundary, consult a qualified attorney.
Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.