The SBOM is not a standalone deliverable under the CRA — it is part of the technical documentation required by Article 31 and Annex VII. Point 2(b) of Annex VII requires "the software bill of materials" as part of the vulnerability handling processes documentation. Point 8 adds that market surveillance authorities may request the SBOM separately. If you do not know what software runs in your product, you cannot produce the SBOM. If you cannot produce the SBOM, your Annex VII documentation is incomplete. CRACheck structures the SBOM section within the Technical Documentation. 15-25 minutes. €149. Browser-side.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.
Article 13.5 requires manufacturers to exercise due diligence when integrating third-party components. If you integrate a WiFi SDK and do not know its software dependencies, your due diligence is incomplete. Request the SBOM from your SDK vendor. If they cannot provide it, that is a supply chain risk you must document.
Annex VII point 8 states that the SBOM must be provided "further to a reasoned request from a market surveillance authority." It is not published publicly. Your trade secrets are protected under Directive (EU) 2016/943. The SBOM can use component names and versions without disclosing source code.
Annex VII point 2(b) requires the SBOM as part of vulnerability handling documentation. The purpose is to enable identification of known vulnerabilities. A high-level list of "WiFi module" and "RTOS" does not enable CVE matching. Include component names, versions and suppliers at a level that enables vulnerability tracking.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Annex III classification. Reporting obligations apply to all products regardless of classification.
Art. 31 + Annex VII. Contains the SBOM section per Annex VII point 2(b). The core document.
Art. 13.2-13.3. References known vulnerabilities in SBOM components.
Annex II. Includes the vulnerability reporting contact address for external reporters.
Art. 28 + Annex V.
Coordinated Vulnerability Disclosure. Covers vulnerability handling for third-party components identified in the SBOM.
Art. 14 ENISA notification. Pre-structured for the 24h/72h/14d timeline.
CRA dates and support period milestones.
See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.
Generated from your data, in your browser. No data leaves your device.
Structures your software component inventory into an Annex VII-compliant SBOM section. Generates the complete 8-document dossier including SBOM references in the Risk Assessment and CVD Policy.
CRACheck does not scan your firmware binary, extract components automatically or run SCA (Software Composition Analysis) tools. You provide the component list from your engineering records. If you do not know what software runs in your product, you need to find out first.
We structure. You inventory.
Article 64 of Regulation (EU) 2024/2847.
Art. 64.2.
Art. 64.3.
Art. 64.4.
| Criterion | SBOM extraction tool + consultant | Provide a product datasheet instead | List only main components | CRACheck |
|---|---|---|---|---|
| Cost | €5,000–€15,000 | €0 | €0 | €149 |
| Result | Binary analysis + docs. 2-4 months. | Datasheet is not an SBOM. Annex VII point 2(b) is explicit. | Insufficient for CVE matching. Risk of incomplete documentation. | 8 docs including structured SBOM. 15 min. You provide the component data. |
If multiple products share the same firmware base but have different hardware, each product needs its own Annex VII dossier — but the SBOM sections may overlap. Volume pricing: €99/product (10-pack), €79/product (30-pack).
Request Volume PricingCRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, completeness and truthfulness of that information is your responsibility as the manufacturer.
We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case or by a commercial buyer in a procurement process.
CRACheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.
Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.