Reg (EU) 2024/2847Generate dossier — €149
LIVE — Enforcement tracker · Deadline dashboard · Transposition status — Updated weekly from EUR-Lex, Safety Gate, OEIL & 12 official sourcesView regulatory intelligence →

You sell CRM software to enterprises in Germany and France. Your product includes a mobile app, an Outlook plugin, and an API connector that your clients install on their infrastructure. Each installable component is a product with digital elements under Article 3(1) of Regulation (EU) 2024/2847. German and French enterprise buyers — among the most compliance-conscious in Europe — are adding CRA requirements to vendor evaluations. CRACheck generates the documentation before the next Quartalsreview or comité de pilotage.

Germany and France represent approximately 40% of EU enterprise software spending. Enterprises in both markets have well-established compliance cultures: German Mittelstand companies conduct rigorous vendor assessments, and French enterprises follow strict procurement procedures. When these buyers add CRA compliance to their evaluation criteria, they expect structured documentation — not assurances. Article 13 of Regulation (EU) 2024/2847 requires you to produce technical documentation (Art. 31 + Annex VII), a cybersecurity risk assessment (Art. 13(2)-(3)), and a declaration of conformity (Art. 28 + Annex V). CRACheck generates the 8-document dossier in 15-25 minutes for €149.

Generate CRA dossier — €149Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side — your data never leaves your device

Key numbers

40%
Germany + France share of EU enterprise software spending — your key CRA compliance market
Art. 13
Manufacturer obligations applicable to CRM software with installable components
€149
One-time cost per CRM product for the full CRA dossier

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

1
Define your CRM product boundary
Core cloud platform + mobile app + Outlook/Gmail plugins + API connectors. CRACheck documents all installable components as part of one product.
2
Classify under Annex III
CRM software typically classifies as Default. CRM with identity management or SSO functions may trigger Important Class I review.
3
Describe CRM architecture
Contact database, sales pipeline, communication channels, email integration, reporting engine, and third-party marketplace connectors.
4
Map data handling
Customer personal data (B2B contact info, communication logs, deal amounts), API integrations with email providers, and telephony systems.
5
Generate risk assessment
CRM-specific threats: customer data exfiltration, sales pipeline manipulation, email integration credential theft, plugin-based attack vectors, and API connector abuse.
6
Produce 8 documents
Complete dossier covering cloud platform, mobile app, plugins, and connectors.
7
Present to German/French clients
The Einkaufsabteilung or direction des achats receives structured CRA documentation alongside your existing security certifications.

Common mistakes

COMPONENT CHECK

"Our CRM is cloud-only — no CRA obligations"

Most CRM platforms include downloadable components: mobile apps, browser extensions, Outlook/Gmail plugins, desktop agents, or API client libraries. Any one of these makes the product a product with digital elements under Article 3(1). The cloud CRM platform behind it becomes remote data processing under Article 3(2).

MARKET EVOLUTION

"German clients only care about DSGVO (German GDPR). CRA is not on their radar"

German enterprise procurement teams are among the first in the EU to incorporate CRA requirements into vendor assessments. The BSI (Bundesamt für Sicherheit in der Informationstechnik) actively promotes cybersecurity regulation awareness. German Mittelstand companies are already requesting CRA documentation from technology vendors.

CERTIFICATION MISMATCH

"We have ISO 27001 certification — that satisfies German enterprise compliance requirements"

ISO 27001 certifies your organizational information security management system. CRA requires product-specific technical documentation per Article 31, product-specific risk assessment per Article 13, and a product-specific declaration of conformity per Article 28. German procurement teams understand the difference and expect both.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1

Product Classifier

Annex III classification for your CRM product.

2

Technical Documentation

Art. 31 + Annex VII covering CRM architecture, plugins, mobile app, API connectors, and cloud engine.

3

Risk Assessment

CRM-specific analysis: customer data breach, pipeline manipulation, plugin attack vectors, API credential exposure, and integration vulnerabilities.

4

User Information

Annex II for CRM administrators: security settings, access control configuration, plugin permissions, and update policy.

5

Declaration of Conformity

Art. 28 + Annex V.

6

CVD Policy

Vulnerability disclosure policy for CRM products.

7

Notification Template

ENISA template per Article 14 for CRM incidents. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

8

Obligations Calendar

CRA milestones relevant to CRM deployment cycles.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 GERMAN/FRENCH REGULATORY CONSULTANT
€15,000–€30,000
8-16 weeks. Requires briefing in the local compliance culture and procurement expectations of Mittelstand and CAC 40 companies.
✓ CRACHECK
€149
€149. 15–25 min. Documentation ready for the next Einkauf meeting or comité de pilotage.

Two layers

● LAYER 1

Documentation (CRACheck)

CRA documentation covering your CRM product's complete architecture: cloud, mobile, plugins, and connectors.

∅ LAYER 2

What CRACheck does NOT do

Does not audit your CRM data handling. Does not verify Outlook plugin security. Does not test API connector authentication. Those are engineering tasks.

CRACheck documents. Your engineering validates. German and French procurement teams evaluate both.

Enforcement regime

Article 64 of Regulation (EU) 2024/2847.

🔴
Essential requirements + manufacturer obligations (Art. 64(2))
€15,000,000 / 2.5%

Non-compliance with essential requirements or manufacturer obligations.

🟠
Documentation and conformity obligations (Art. 64(3))
€10,000,000 / 2%

Missing documentation or conformity assessment.

🟡
Misleading information (Art. 64(4))
€5,000,000 / 1%

Misleading information to authorities.

Alternatives

CriteriaGerman regulatory firmFrench regulatory firmInternal complianceCRACheck
Time8-16 weeks8-16 weeks4-8 weeks15-25 minutes
Cost€15,000-€30,000€15,000-€30,000Staff hours€149
Procurement-ready formatCustomCustomInternal8 standardized PDFs
Valid across all EUYesYesVariesYes

Your CRM suite includes multiple products?

Sales CRM, marketing automation, customer service platform — each separately sold product needs its own dossier. Volume: 10 at €99, 30 at €79.

Request Volume Pricing
Response within 24 business hours.

What CRACheck guarantees and what it does not

CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy of that information is your responsibility as the manufacturer.

We guarantee document structure follows Article 31 + Annex VII and legal references are correct.

CRACheck is not legal advice.

Frequently asked questions

Do we need separate CRA documentation for the German and French markets?
No. CRA is an EU Regulation, directly applicable in all 27 Member States. One Article 31 dossier per product covers Germany, France, and every other EU country. Language of the documentation is English by default; market surveillance authorities may request a translation.
German clients are asking for BSI-certified documentation. Is CRACheck output BSI-compatible?
CRACheck generates documentation structured per Article 31 + Annex VII of Regulation (EU) 2024/2847, which is the EU-wide standard. BSI may develop additional national guidance, but the CRA documentation structure is uniform across the EU. CRACheck output covers the regulation's requirements.
Our Outlook plugin accesses email content. Does that affect CRA classification?
An Outlook plugin is software installed on the user's device — a product with digital elements under Article 3(1). If it accesses email content, the risk assessment must address data confidentiality and the plugin's permission scope. Classification under Annex III depends on the plugin's functions, not the data it accesses.
We have a marketplace of third-party integrations. Who is responsible for CRA compliance of those integrations?
Each integration developer is the manufacturer of their product. Your marketplace is a distribution channel. You may have obligations to verify compliance of products distributed through your marketplace depending on your role in the supply chain. Document your marketplace's approach to third-party compliance in your technical documentation.
French enterprises require documentation in French. Does CRACheck generate French output?
CRACheck generates documentation in English. Article 31 does not mandate documentation in any specific language, but market surveillance authorities may request documentation in a language they can easily understand. For French enterprise clients, you may need to translate key documents. CRACheck output provides the structured content for translation.
Is CRACheck a subscription?
No. One-time payment. 30 days of editing, 10 regenerations. The PDF is yours to keep.
Can I request a refund?
Per Article 16(m) of Directive (EU) 2011/83, activating the license constitutes express consent for immediate generation. Refunds only for reproducible technical failures.
What if the regulation changes?
Regenerate at no additional cost during your license period.

Official legal sources

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

German Einkauf. French direction des achats. Both want CRA documentation. Generate it before the next vendor review.

Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.

€149 one-time
8-document professional dossier · 15–25 minutes · No subscription · Browser-side
Generate CRA dossier — €149

Related landings

ENTERPRISE RFP

Cyber Resilience Act in EU Enterprise SaaS Procurement RFPs
US SaaS

CRA Compliance for US SaaS Companies Selling to European Customers
PROJECT MANAGEMENT

CRA Compliance for US Project Management SaaS with EU Customers
✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history