Items 13 and 14 of Annex III explicitly list microprocessors and microcontrollers with security-related functionalities as Important Class I products. That classification changes your conformity assessment path under Article 32 — you cannot rely on self-assessment alone unless you follow harmonised standards or hold an EU cybersecurity certification at assurance level "substantial." Your EU customers' compliance teams already know this. CRACheck generates the 8-document technical dossier in 15–25 minutes. €149 per chip family. Your design data stays on your machine.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.
If your chip contains embedded firmware, implements security functions (authentication, encryption, secure boot), or processes data, it is a product with digital elements under Article 3(1). Items 13 and 14 of Annex III specifically target microprocessors and microcontrollers with security-related functionalities. A chip with a crypto engine is not a passive component.
Important Class I products can use Module A (internal control, Annex VIII Part I) only if the manufacturer applies harmonised standards covering all essential cybersecurity requirements, or holds an EU cybersecurity certification at assurance level "substantial." Without either, Article 32(2) requires third-party assessment under Module B+C or Module H.
Article 13 assigns obligations to the manufacturer — defined in Article 3(13) as whoever develops or manufactures the product and markets it under their name. If you sell your chip under your own brand to integrators, you are the manufacturer of that component. Your customer's conformity assessment for the final product does not relieve your own obligations for the chip.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Confirms classification under Annex III. Documents whether it qualifies as Default, Important Class I (items 13–14), or Class II (tamper-resistant variants, items 3–4). Determines conformity assessment obligations under Art. 32.
Art. 31 + Annex VII dossier covering silicon design, firmware architecture, security functions, production processes, and supply chain controls.
Annex I Part I cybersecurity risk analysis. Evaluates threats at the silicon level: side-channel attacks, firmware injection, key extraction, supply chain tampering.
Annex II-compliant package for integrators: secure integration guidelines, firmware update procedures, known limitations, end-of-support timeline.
Art. 28 + Annex V, pre-structured with semiconductor-specific fields: chip family identifier, firmware version matrix, applicable Annex III category.
Coordinated vulnerability disclosure framework. Documents your PSIRT contact, acknowledgement timelines, and coordination protocol with downstream manufacturers.
ENISA notification structure for actively exploited vulnerabilities: 24h early warning, 72h notification, 14-day final report per Art. 14.
Milestones: Art. 14 reporting from 11 September 2026, full enforcement 11 December 2027, firmware support commitment, patch cycle cadence.
Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.
Generated from your data, in your browser. No data leaves your device.
The documentation layer. Classifies your semiconductor, maps security functions against Annex I essential requirements, structures vulnerability handling procedures, outputs 8 PDFs per Art. 31 + Annex VII. This is the documentation your EU customer needs in their technical file.
CRACheck does not perform silicon-level penetration testing, submit applications to notified bodies, or evaluate your secure boot implementation against Common Criteria profiles. If your chip is Important Class I without harmonised standard coverage, Article 32(2) requires third-party assessment — CRACheck produces the documentation that feeds into that assessment, but the assessment itself is separate.
Start with Layer 1. The documentation is what procurement contracts are demanding right now. Layer 2 actions become mandatory as the December 2027 deadline approaches.
Article 64 of Regulation (EU) 2024/2847.
Non-compliance with Annex I + Arts. 13–14.
Non-compliance with Art. 18, Art. 28, Art. 31, Art. 32.
Supplying incorrect or misleading information to authorities.
| Criterion | Specialised Consultant | In-house Legal Team | Industry Consortium Template | CRACheck |
|---|---|---|---|---|
| Time per chip family | 6–12 weeks | 8–16 weeks (no CRA expertise) | 2–4 weeks adaptation | 15–25 minutes |
| Cost | €12,000–€25,000 | Senior hire + training | Consortium fee + staff time | €149 |
| IP exposure | NDA required, files shared | Internal | Shared framework data | Zero — 100% browser-side |
| Annex III-aware | Depends on consultant's CRA depth | Learning curve | Generic templates | Built-in Annex III classification |
Semiconductor companies typically need documentation for each distinct chip family marketed in the EU. Volume pricing: €99 per product (pack of 10), €79 per product (pack of 30). Each family gets its own classified, Annex VII-aligned dossier.
Request Volume PricingCRACheck generates a structured document aligned with Article 31 and Annex VII of Regulation (EU) 2024/2847 based on the information you input about your semiconductor product. The accuracy and completeness of the data — including your chip's security functions, firmware architecture, and vulnerability handling processes — is your responsibility as manufacturer.
We guarantee that the output structure follows Art. 31 + Annex VII and that all legal references are correct. We do not guarantee that a specific document will satisfy a notified body during a conformity assessment procedure or be accepted by a market surveillance authority in a particular case.
CRACheck is not legal advice. For questions about your chip's Annex III classification, conformity assessment path under Article 32, or obligations related to harmonised standards, consult a regulatory attorney specialised in EU product compliance.
Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.