
You have a product catalogue with 40 SKUs — routers, firmware modules, a desktop application, a sensor gateway. You need to know which of them fall under Regulation (EU) 2024/2847 and which do not. Article 2(1) defines the scope. Annex III classifies the important ones. CRACheck's Product Classifier answers the question per product in under two minutes.

The Cyber Resilience Act applies to products with digital elements whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network (Article 2(1) of Regulation (EU) 2024/2847). That definition covers standalone software, firmware, embedded systems, IoT devices, networking equipment, industrial controllers, consumer electronics, and connected hardware components placed on the market separately. The regulation further classifies products as Default, Important Class I (Annex III, 19 categories), Important Class II (Annex III, 4 categories), or Critical (Annex IV) — each with different conformity assessment requirements under Article 32. CRACheck classifies your product and generates the 8-document Art. 31 dossier in 15–25 minutes. €149 per product.


€149 one-time payment per product · 8 PDF documents in ZIP · 15–25 minutes · 100% in your browser

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side

CRA scope at a glance

23+: Product categories explicitly listed in Annex III + Annex IV
Art. 2(1): Scope article. Any product with digital elements and a data connection
4: Product classifications (Default, Important I, Important II, Critical)

How to determine if your product is in scope

1. Identify whether your product has digital elements
Article 3(1) defines "product with digital elements" as any software or hardware product and its remote data processing solutions. If your product contains or is software, firmware, or connects to a network, it likely qualifies.

2. Check for exclusions
Article 2(2)–(5) excludes medical devices (Reg. 2017/745, 2017/746), motor vehicles (Reg. 2019/2144), aviation products certified under Reg. 2018/1139, and products for national security or military purposes. If your product falls under one of these, the CRA does not apply.

3. Run the Product Classifier
CRACheck maps your product against the 19 Class I categories, 4 Class II categories, and the Critical product list. If your product is not listed, it defaults to the Default category.

4. Understand the conformity assessment implications
Default and Class I (with harmonised standards): Module A internal control. Class I (without harmonised standards): Module A or Module B+C or H. Class II and Critical: Module B+C or H through a notified body (Art. 32(2)–(3)).

5. Generate the technical documentation
Regardless of classification, every in-scope product needs Art. 31 + Annex VII documentation. CRACheck produces the 8-document dossier.

6. Download and file per product
Each product in your catalogue requires its own dossier. Download, sign the declaration, store for 10 years (Art. 13(18)).

Common scope mistakes

SCOPE CONFUSION

Assuming "no internet connection" means no CRA obligation

Article 2(1) covers not only internet-connected products but any product with a direct or indirect logical or physical data connection to a device or network. A Bluetooth sensor, a USB-connected module, or a device communicating via LAN is in scope even without internet access.

CLASSIFICATION ERROR

Treating all in-scope products as Default category

Annex III of Regulation (EU) 2024/2847 lists 19 Important Class I categories (identity management, browsers, password managers, VPNs, routers, operating systems, smart home devices, etc.) and 4 Class II categories (hypervisors, firewalls, tamper-resistant microprocessors). A router manufacturer cannot claim Default classification.

COMPONENT OVERSIGHT

Ignoring software components placed on the market separately

Article 3(1) explicitly includes "software or hardware components being placed on the market separately". If you sell a firmware module, an SDK, or a security library as a standalone product, it is an independent product with digital elements under the CRA — requiring its own documentation.

8 CRA documents per product

CRACheck classifies your product and generates the complete Art. 31 + Annex VII dossier.

1. Product Classifier: Annex III / Annex IV classification. Conformity assessment module.
2. Technical Documentation: Art. 31 + Annex VII. Complete dossier.
3. Risk Assessment: Art. 13(2)–(3). Cybersecurity risk assessment against Annex I.
4. User Information: Annex II. 9 required information points.
5. Declaration of Conformity: Art. 28 + Annex V. Ready for signature.
6. CVD Policy: Annex I Part II point (5). Coordinated vulnerability disclosure.
7. Notification Template: Art. 14. ENISA 24h/72h/14d notification.
8. Obligations Calendar: Key dates and milestones.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated in your browser. No data leaves your device.

Scope analysis: consultancy vs CRACheck

SCOPE ANALYSIS BY A CONSULTANCY: €3,000–€8,000
For a product portfolio scope review. 2–4 weeks turnaround. Product data shared with external consultants.

CRACHECK: €149
Product Classifier + 8-document dossier. 15–25 minutes per product. 100% browser-side, so your data stays on your device.

Two layers of compliance

LAYER 1: Classification + documentation — CRACheck does this

CRACheck classifies your product against Annex III and Annex IV, determines the applicable conformity assessment module, and generates the 8-document dossier required by Article 31 and Annex VII. Every in-scope product — Default, Class I, Class II, or Critical — needs this documentation.

LAYER 2: Conformity assessment execution — Your responsibility

For Default and Class I products applying harmonised standards, the conformity assessment is an internal procedure (Module A). CRACheck's documentation supports this. For Class II and Critical products, the conformity assessment requires involvement of a notified body under Modules B+C or H (Article 32(2)–(3)). CRACheck produces the documentation; the notified body conducts the assessment.

Classification and documentation are the starting point. CRACheck handles both. What follows depends on your product's category.

Enforcement regime

CRA: Annex I cybersecurity non-compliance
€15M / 2.5% (Art. 64(2) of Regulation (EU) 2024/2847)

CRA: Documentation and conformity assessment failures
€10M / 2% (Art. 64(3) of Regulation (EU) 2024/2847)

CRA: Misleading information to authorities
€5M / 1% (Art. 64(4) of Regulation (EU) 2024/2847)

Alternatives compared

| Criterion | External scope study | Internal legal team | Generic checklist tool | CRACheck |
|---|---|---|---|---|
| Classification | Manual per product | Manual research | None or superficial | Automated against Annex III + IV |
| Price | €3,000–€8,000 | Internal hours | €0–€500 | €149 per product (classification + dossier) |
| Documentation output | Report, no structured files | Unstructured | Template-based | 8 PDFs per Art. 31 + Annex VII |
| Per-product granularity | Yes, at €3K+ each | Varies | No | Yes, one dossier per product |

40 SKUs in your catalogue? Each one needs its own dossier.

CRACheck generates independent documentation per product. Volume pricing: €99/product (pack 10), €79/product (pack 30). Every dossier includes the Product Classifier output.

Commercial enquiries via hello@solidwaretools.com

What CRACheck guarantees and what it does not

CRACheck generates a structured document set according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, completeness, and truthfulness of that information is your responsibility as the manufacturer.

We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct. We do not guarantee that a specific document will be accepted by a market surveillance authority in a particular case.

CRACheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.

Frequently asked questions — CRA scope

Does the CRA apply to components sold separately?
Yes. Article 3(1) of Regulation (EU) 2024/2847 defines "product with digital elements" as including software or hardware components placed on the market separately. If you sell a firmware module, a security chipset, or a software library as a standalone product, it requires its own Art. 31 documentation.
My product connects only via Bluetooth, not the internet. Is it in scope?
Yes. Article 2(1) covers any product whose intended purpose includes a direct or indirect logical or physical data connection to a device or network. Bluetooth, Zigbee, Z-Wave, LoRa, USB, and LAN connections all qualify as data connections under this definition.
How do I know if my product is Class I, Class II, or Critical?
Annex III of Regulation (EU) 2024/2847 lists 19 Important Class I categories (including routers, operating systems, VPNs, password managers, smart home devices) and 4 Class II categories (firewalls, hypervisors, intrusion detection systems, tamper-resistant microprocessors/microcontrollers). Annex IV lists Critical products. If your product does not match any listed category, it is Default. CRACheck's Product Classifier automates this determination.
What if my product is both under the CRA and under a sector-specific directive?
Article 12 of Regulation (EU) 2024/2847 addresses overlap with other Union harmonisation legislation. For products subject to both the CRA and sector-specific requirements (e.g., RED 2014/53/EU, Machinery Regulation 2023/1230), a single set of technical documentation may be drawn up per Article 31(3), combining the CRA requirements with those of the sector-specific act.
Are purely mechanical products excluded?
Products without software, firmware, or any digital element are not products with digital elements as defined in Article 3(1) and are therefore outside the scope of Article 2(1). A purely mechanical lock, a hand tool without connectivity, or a passive cable is not covered.
Is this a subscription?
No. One-time payment. The licence includes a 30-day editing window and 10 regenerations. The downloaded PDF is yours permanently.
Can I request a refund?
Under Article 16(m) of Directive (EU) 2011/83, by activating the licence you give express consent for the immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are accepted only for reproducible technical defects.
What if the regulation changes?
If the regulation is amended during the validity of your licence, you can regenerate the document with the updated version of the generator at no additional cost.
⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

Classify your product. Generate the documentation. 15 minutes per SKU.

Last regulatory check: 2 May 2026 · No substantive changes detected