Do we need separate CRA documentation for the German and French markets?

No. CRA is an EU Regulation, directly applicable in all 27 Member States. One Article 31 dossier per product covers Germany, France, and every other EU country. Language of the documentation is English by default; market surveillance authorities may request a translation.

German clients are asking for BSI-certified documentation. Is CRACheck output BSI-compatible?

CRACheck generates documentation structured per Article 31 + Annex VII of Regulation (EU) 2024/2847, which is the EU-wide standard. BSI may develop additional national guidance, but the CRA documentation structure is uniform across the EU. CRACheck output covers the regulation's requirements.

Our Outlook plugin accesses email content. Does that affect CRA classification?

An Outlook plugin is software installed on the user's device — a product with digital elements under Article 3(1). If it accesses email content, the risk assessment must address data confidentiality and the plugin's permission scope. Classification under Annex III depends on the plugin's functions, not the data it accesses.

We have a marketplace of third-party integrations. Who is responsible for CRA compliance of those integrations?

Each integration developer is the manufacturer of their product. Your marketplace is a distribution channel. You may have obligations to verify compliance of products distributed through your marketplace depending on your role in the supply chain. Document your marketplace's approach to third-party compliance in your technical documentation.

French enterprises require documentation in French. Does CRACheck generate French output?

CRACheck generates documentation in English. Article 31 does not mandate documentation in any specific language, but market surveillance authorities may request documentation in a language they can easily understand. For French enterprise clients, you may need to translate key documents. CRACheck output provides the structured content for translation.

Is CRACheck a subscription?

No. One-time payment. 30 days of editing, 10 regenerations. The PDF is yours to keep.

Can I request a refund?

Per Article 16(m) of Directive (EU) 2011/83, activating the license constitutes express consent for immediate generation. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate at no additional cost during your license period.

You sell CRM software to enterprises in Germany and France. Your product includes a mobile app, an Outlook plugin, and an API connector that your clients install on their infrastructure. Each installable component is a product with digital elements under Article 3(1) of Regulation (EU) 2024/2847. German and French enterprise buyers — among the most compliance-conscious in Europe — are adding CRA requirements to vendor evaluations. CRACheck generates the documentation before the next Quartalsreview or comité de pilotage.

Germany and France represent approximately 40% of EU enterprise software spending. Enterprises in both markets have well-established compliance cultures: German Mittelstand companies conduct rigorous vendor assessments, and French enterprises follow strict procurement procedures. When these buyers add CRA compliance to their evaluation criteria, they expect structured documentation — not assurances. Article 13 of Regulation (EU) 2024/2847 requires you to produce technical documentation (Art. 31 + Annex VII), a cybersecurity risk assessment (Art. 13(2)-(3)), and a declaration of conformity (Art. 28 + Annex V). CRACheck generates the 8-document dossier in 15-25 minutes for €149.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

40%

Germany + France share of EU enterprise software spending — your key CRA compliance market

Art. 13

Manufacturer obligations applicable to CRM software with installable components

€149

One-time cost per CRM product for the full CRA dossier

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Define your CRM product boundary

Core cloud platform + mobile app + Outlook/Gmail plugins + API connectors. CRACheck documents all installable components as part of one product.

Classify under Annex III

CRM software typically classifies as Default. CRM with identity management or SSO functions may trigger Important Class I review.

Describe CRM architecture

Contact database, sales pipeline, communication channels, email integration, reporting engine, and third-party marketplace connectors.

Map data handling

Customer personal data (B2B contact info, communication logs, deal amounts), API integrations with email providers, and telephony systems.

Generate risk assessment

CRM-specific threats: customer data exfiltration, sales pipeline manipulation, email integration credential theft, plugin-based attack vectors, and API connector abuse.

Produce 8 documents

Complete dossier covering cloud platform, mobile app, plugins, and connectors.

Present to German/French clients

The Einkaufsabteilung or direction des achats receives structured CRA documentation alongside your existing security certifications.

Common mistakes

❌

COMPONENT CHECK

"Our CRM is cloud-only — no CRA obligations"

Most CRM platforms include downloadable components: mobile apps, browser extensions, Outlook/Gmail plugins, desktop agents, or API client libraries. Any one of these makes the product a product with digital elements under Article 3(1). The cloud CRM platform behind it becomes remote data processing under Article 3(2).

❌

MARKET EVOLUTION

"German clients only care about DSGVO (German GDPR). CRA is not on their radar"

German enterprise procurement teams are among the first in the EU to incorporate CRA requirements into vendor assessments. The BSI (Bundesamt für Sicherheit in der Informationstechnik) actively promotes cybersecurity regulation awareness. German Mittelstand companies are already requesting CRA documentation from technology vendors.

❌

CERTIFICATION MISMATCH

"We have ISO 27001 certification — that satisfies German enterprise compliance requirements"

ISO 27001 certifies your organizational information security management system. CRA requires product-specific technical documentation per Article 31, product-specific risk assessment per Article 13, and a product-specific declaration of conformity per Article 28. German procurement teams understand the difference and expect both.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Annex III classification for your CRM product.

Technical Documentation

Art. 31 + Annex VII covering CRM architecture, plugins, mobile app, API connectors, and cloud engine.

Risk Assessment

CRM-specific analysis: customer data breach, pipeline manipulation, plugin attack vectors, API credential exposure, and integration vulnerabilities.

User Information

Annex II for CRM administrators: security settings, access control configuration, plugin permissions, and update policy.

Declaration of Conformity

Art. 28 + Annex V.

CVD Policy

Vulnerability disclosure policy for CRM products.

Notification Template

ENISA template per Article 14 for CRM incidents. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

CRA milestones relevant to CRM deployment cycles.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 GERMAN/FRENCH REGULATORY CONSULTANT

€15,000–€30,000

8-16 weeks. Requires briefing in the local compliance culture and procurement expectations of Mittelstand and CAC 40 companies.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history