The Cyber Resilience Act classifies every product with digital elements into one of four tiers: Default, Important Class I, Important Class II, or Critical. The classification is not a choice — it is determined by the core functionality of your product against the categories in Annex III and Annex IV of Regulation (EU) 2024/2847. The tier determines which conformity assessment procedure under Article 32 you must use, whether you need a notified body, and the practical cost and timeline of your compliance project. CRACheck classifies your product automatically.

Most products with digital elements are Default. Default products can use Module A self-assessment under Article 32(1) — no notified body, no certification body, no external engagement. The manufacturer prepares the technical documentation under Article 31, performs the conformity assessment internally, affixes the CE marking, and draws up the Declaration of Conformity. Important Class I products can also use Module A if they apply harmonised standards in full — otherwise Module B+C or Module H with a notified body. Class II and Critical products always need third-party assessment. The classification decision hinges on Annex III (23 categories) and Annex IV (3 categories). CRACheck runs this cross-reference and documents the result. €149. 15–25 minutes. 8 PDFs.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key figures

Classification tiers (Default, Important I, Important II, Critical)

Product categories checked (23 Annex III + 3 Annex IV)

Art. 32

Conformity assessment procedure linked to classification

The CRA classification decision tree

Does your product have digital elements and a data connection?

Article 2(1) defines scope: products with a direct or indirect logical or physical data connection. If yes, the CRA applies.

Is your product excluded under Article 2(2)–(7)?

Medical devices (Reg. 2017/745, 2017/746), motor vehicles (Reg. 2019/2144), aviation (Reg. 2018/1139), and marine equipment (Dir. 2014/90/EU) are excluded.

Does the core functionality match an Annex IV category?

3 categories: hardware security boxes, smart meter gateways, smartcards/secure elements. If yes → Critical.

Does the core functionality match an Annex III Class II category?

4 categories: hypervisors/container runtimes, firewalls/IDS/IPS, tamper-resistant microprocessors, tamper-resistant microcontrollers. If yes → Important Class II.

Does the core functionality match an Annex III Class I category?

19 categories including identity management, browsers, password managers, VPNs, routers, OS, smart home devices, IoT toys, health wearables. If yes → Important Class I.

None of the above → Default

CRACheck documents the classification with category matched, rationale, and conformity assessment path under Article 32.

Common mistakes

❌

ART. 7(1)

Classifying by product name instead of core functionality

Article 7(1) uses "core functionality" as the classification criterion, not the product's marketing name. A "smart speaker" could be an Important Class I product if its core functionality matches category 16 (smart home general purpose virtual assistants).

❌

ART. 32(1)

Assuming all products need a notified body

Default products and Class I products applying harmonised standards in full can use Module A self-assessment under Article 32(1). No notified body is required. The majority of products with digital elements will fall into the Default tier.

❌

ANNEX III

Ignoring the distinction between Class I and Class II consequences

Class I without harmonised standards → notified body needed. Class II → notified body always needed. The cost difference between Module A and Module B+C can be tens of thousands of euros. Misclassification in either direction has financial and legal consequences.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Automated cross-reference against 26 categories. Output: Default, Important Class I, Important Class II, or Critical, with matched category and rationale.

Technical Documentation

Annex VII file with the classification and conformity assessment path embedded.

Risk Assessment

Cybersecurity risk assessment per Article 13(2)–(3). Assessment depth reflects classification level.

User Information

Annex II information sheet with support period and vulnerability reporting contact.

Declaration of Conformity

EU Declaration per Article 28 and Annex V, citing the applicable conformity assessment module.

CVD Policy

Coordinated vulnerability disclosure policy per Annex I Part II point (5).

Notification Template

ENISA/CSIRT notification template per Article 14. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

Key dates with conformity assessment deadlines.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 THE ALTERNATIVE

Regulatory classification consultancy

€3,000–8,000

Review of product portfolio against Annex III/IV

4–8 weeks

Deliverable: classification memo

✓ CRACHECK

€149 per product

Automated classification against 26 categories

Result documented in the first PDF

Full dossier generated in the same session

30-day edit window. 10 regenerations

Two layers

● LAYER 1 — DOCUMENTATION · CRACHECK

Classification + full documentation

CRACheck classifies your product, identifies the conformity assessment path, and generates the full Article 31 + Annex VII documentation with the classification embedded.

∅ LAYER 2 — NOT INCLUDED

What CRACheck does not determine

CRACheck does not determine whether your product falls within the scope of the CRA (Article 2). If you are unsure whether your product has "digital elements" with a "data connection" as defined in Article 3(1) and Article 2(1), this is a legal determination that CRACheck does not make.

CRACheck classifies within the CRA framework. Whether the CRA applies to your product at all is a prior question.

Enforcement regime

⚖️

€15M / 2.5% — Art. 64(2)

Non-compliance with Annex I essential requirements.

⚖️

€10M / 2% — Art. 64(3)

Wrong conformity assessment procedure under Art. 32.

⚖️

€5M / 1% — Art. 64(4)

Misleading classification information to authorities.

Alternatives

Criterio	DIY from regulation	Consultancy	CRACheck
Price	Free	€3,000–8,000	€149
Method	Manual cross-ref	Expert review	Automated against 26 categories
Delivery	Hours of reading	4–8 weeks	15–25 minutes
Output	No documentation output	Classification memo only	Full 8-PDF dossier with classification
CRACheck	€149	Automated	8-PDF dossier

Product portfolio spanning multiple classification tiers?

Volume pricing for product families. Pack of 10: €99. Pack of 30: €79.

Request volume pricing

Commercial enquiries via hello@solidwaretools.com

What CRACheck guarantees and what it does not

CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847, based on the information you enter. The accuracy, completeness, and truthfulness of that information is your responsibility as manufacturer.

We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case.

CRACheck is not legal advice. For situations specific to your product or market, consult a qualified lawyer or specialised regulatory consultancy.

Frequently asked questions

What percentage of products are expected to be Default?

The European Commission's impact assessment estimates that approximately 90% of products with digital elements will fall into the Default category and can use Module A self-assessment. The Important and Critical tiers capture products with specific cybersecurity-critical functions as defined in Annex III and Annex IV.

My product has multiple functions — one matches Annex III, others do not. How is it classified?

Article 7(1) classifies based on the "core functionality" of the product. If the function matching an Annex III category is the core functionality, the product is Important. If it is a secondary feature, the classification depends on the primary function. CRACheck asks you to identify the core functionality and classifies accordingly.

Can the classification change after the product is placed on the market?

Article 7(3) empowers the Commission to amend Annex III by delegated act — adding, moving, or withdrawing product categories. If your product's category is added or moved (e.g., from Class I to Class II), a minimum 12-month transitional period applies before the new conformity assessment procedure takes effect.

Is software-only considered a "product with digital elements"?

Yes. Article 3(1) of Regulation (EU) 2024/2847 defines "product with digital elements" as "a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately." Standalone software with a data connection is within scope.

Is this a subscription?

No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Art. 16(m) of Directive (EU) 2011/83, activating the licence constitutes express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only processed for reproducible technical failures.

What if the regulation changes?

If Regulation (EU) 2024/2847 is amended during your licence window, you can regenerate the documentation using the updated version of the generator at no additional cost.

Official legal sources

Regulation (EU) 2024/2847 — Cyber Resilience Act — full text

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.