Reg (EU) 2024/2847Generate dossier — €149
LIVE — Enforcement tracker · Deadline dashboard · Transposition status — Updated weekly from EUR-Lex, Safety Gate, OEIL & 12 official sourcesView regulatory intelligence →

Your outsourcing agency in India just received a Statement of Work with Cyber Resilience Act requirements. Your European client needs Annex VII technical documentation for the software you deliver. Article 13(5) of Regulation (EU) 2024/2847 makes them responsible for due diligence on your code. If you delay, the project stalls. CRACheck generates the documentation.

European procurement teams are adding CRA clauses to outsourcing contracts. The pattern is the same: the SOW now includes a section on Regulation (EU) 2024/2847 compliance, requiring the delivery partner to provide technical documentation under Annex VII, a software bill of materials, and evidence of vulnerability handling processes. Your agency has 15-day sprint cycles, not 3-month compliance audits. CRACheck produces 8 structured PDF documents in 15–25 minutes. €149 per product. 100% browser-side processing — client data never leaves your machine.

Generate Annex VII dossier — €149Free: check if your product is in scope

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side — your data never leaves your device

Key numbers

Annex VII
8-section technical documentation. Required by your EU client's conformity assessment.
15–25 min
Per product. Fits inside a single sprint — no project delays.
€149
Per product. Below a single day rate of a European compliance consultant.

How it works

1
Extract CRA requirements from the SOW
Identify which Annex VII sections your client expects. Typically: product description, design documentation, SBOM, cybersecurity risk assessment, vulnerability handling process.
2
Classify the product with the free checker
Default products (90% of cases) use self-assessment Module A under Art. 32(1)(a). Important Class I or II products require notified body involvement.
3
Assign an engineer to complete CRACheck
One developer who knows the architecture. 15–25 minutes per product.
4
Generate the 8-PDF dossier
CRACheck maps engineering inputs to the 8 sections of Annex VII. No legal expertise required.
5
Attach to project deliverables
Include the ZIP in the sprint delivery alongside the code. Your PM sends it with the release notes.
6
Client integrates into their conformity file
Your EU client uses your documentation in their Art. 32 conformity assessment. You have fulfilled the contractual obligation.

Three mistakes to avoid

COMMON MISTAKE

"We will handle CRA compliance at the end of the project"

Annex VII §2(a) of Regulation (EU) 2024/2847 requires documentation of the design and development process, including architecture and component integration. If you wait until delivery, you will need to reconstruct decisions made months earlier. Document as you build.

COMMON MISTAKE

"Our client did not mention the CRA — so it does not apply to us"

Regulation (EU) 2024/2847 applies from 11 December 2027 regardless of whether your client's current SOW mentions it. If you deliver software that your client places on the EU market, Article 13(5) requires them to verify your component. Agencies that prepare documentation now will win contracts in 2027. Agencies that wait will scramble.

COMMON MISTAKE

"A penetration test report is the same as Annex VII documentation"

A penetration test is one input to Annex VII §6 (test reports). The technical documentation under Annex VII requires 8 sections: product description, design and development documentation, cybersecurity risk assessment, support period rationale, standards applied, test reports, declaration of conformity, and SBOM. A pentest covers one section partially.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1

Product Classifier

Classification under Annex III / Annex IV. Determines if Module A self-assessment suffices or if a notified body is required (Art. 32).

2

Technical Documentation

Full Annex VII structure. Designed to be delivered as a project artefact alongside code.

3

Risk Assessment

Art. 13(2) + Annex I Part I cybersecurity risk assessment. Maps threats to mitigation measures implemented in your code.

4

User Information

Annex II requirements. 9 mandatory information points your client needs for end-user documentation.

5

Declaration of Conformity

Art. 28 + Annex V structure. Ready for your EU client to sign as the manufacturer.

6

CVD Policy

Annex I Part II §5 coordinated vulnerability disclosure policy. Includes reporting address and response timelines.

7

Notification Template

Art. 14 ENISA notification template. Three-stage process: 24h, 72h, 14 days.

8

Obligations Calendar

Timeline: Sept 2026 (Art. 14), Dec 2027 (full enforcement), product-specific deadlines.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 EUROPEAN COMPLIANCE CONSULTANT
€8,000–€15,000
3–6 months. Your project budget cannot absorb this.
✓ CRACHECK
€149
8 documents. 15–25 minutes. Fits in the project budget.

Two layers of responsibility

● WHAT CRACHECK DOES

Documentation generation

Generates the 8-document Annex VII dossier from engineering inputs. Ready to deliver as a project artefact. 15–25 minutes. €149.

∅ WHAT CRACHECK DOES NOT DO

What falls outside CRACheck

Does not perform the conformity assessment (Art. 32) — that is your client's responsibility as the manufacturer. Does not allocate contractual liability between you and your client. Does not replace legal advice on your SOW terms.

We generate the documentation. Your client performs the conformity assessment.

Enforcement regime

Article 64 of Regulation (EU) 2024/2847.

🇪🇺
Non-compliance with Annex I and Art. 13, 14
€15M / 2.5%

Art. 64(2). The fine applies to the manufacturer — your EU client. But contractual liability clauses can flow back to you.

🇪🇺
Non-compliance with Art. 31 (technical documentation)
€10M / 2%

Art. 64(3). Missing documentation is the easiest infringement to detect.

🇪🇺
Incorrect or misleading information to authorities
€5M / 1%

Art. 64(4). Accuracy of the data you provide matters.

Alternatives

AlternativeCostWhat you get
Hire a European compliance firm€8,000–€15,000Full audit + documentation. 3–6 months. Exceeds your project budget.
Write Annex VII docs from scratchFree + 40-80 engineer hoursWeeks of non-billable time. No validation against the regulation structure.
Tell the client "we don't do compliance"€0Client finds an agency that does. You lose the contract.
CRACheck€1498 documents. 15–25 minutes. Structured under Art. 31 + Annex VII.

Your agency delivers multiple EU projects per quarter?

Each CRACheck licence covers one product. If your agency delivers 10 or 30 products for EU clients annually, each requires its own Annex VII dossier. Write to us for volume pricing.

Request Volume Pricing
One-business-day response

What CRACheck guarantees and what it does not

CRACheck generates a structured document under Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy of the information is your responsibility as the entity providing engineering inputs.

We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references are correct. We do not guarantee acceptance by a specific market surveillance authority or by your EU client.

CRACheck is not legal advice. For contract-specific questions — including liability allocation in your SOW — consult a qualified lawyer.

Frequently asked questions

Does Regulation (EU) 2024/2847 apply to outsourcing agencies outside the EU?
The CRA applies to products with digital elements made available on the EU market (Art. 2(1)). If your EU client places the product on the market, they are the manufacturer (Art. 3(1)). Article 13(5) requires them to exercise due diligence on third-party components. Your agency is a third-party component supplier. The CRA obligation falls on the manufacturer, but the contractual requirement falls on you.
What documentation does our EU client typically require from us?
EU clients following Regulation (EU) 2024/2847 will typically require: Annex VII technical documentation covering the software you develop, a software bill of materials (Annex VII §2(b)), evidence of vulnerability handling processes (Annex I Part II), and a cybersecurity risk assessment (Art. 13(2)). CRACheck generates all of these.
Can one CRACheck licence cover multiple modules of the same project?
Each licence covers one product with digital elements. If your project delivers one integrated product, one licence suffices. If you deliver separate software components that your client markets independently, each component needs its own documentation.
Our agency has ISO 27001. Does that satisfy the CRA?
ISO 27001 covers organisational information security management. Regulation (EU) 2024/2847 requires product-level documentation under Annex VII. They address different things. ISO 27001 can be referenced in Annex VII §5 as a relevant standard applied, but it does not replace the product-specific documentation.
Is it a subscription?
No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours to keep.
Can I request a refund?
Under Article 16(m) of Directive (EU) 2011/83 on consumer rights, by activating the licence you give express consent for the immediate generation of the digital content, waiving the 14-day withdrawal period. Refunds are accepted only for a reproducible technical failure.
What if the regulation changes?
If the regulation changes during your licence period, you can regenerate the document with the updated version of the generator at no additional cost.

Official legal sources

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

Your EU client added CRA requirements to the SOW. Generate the Annex VII dossier in 15 minutes.

Eight documents. Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.

€149 one-time
8 professional documents · 15–25 minutes · No subscription · 100% in your browser
Generate Annex VII dossier — €149

Related landings

🏢 Indian IT

CRA compliance for Indian IT company — EU client
📋 Contract clause

CRA clause in European RFP — Indian IT services
📄 Tech docs

CRA technical documentation — outsourced software India EU
✓ Last regulatory check: 28 April 2026 · No substantive changes detected · View history