The Cyber Resilience Act does not scale its documentation requirements by company size. A manufacturer with 10 employees must produce the same Annex VII technical file as a manufacturer with 10,000. Article 33 acknowledges this asymmetry and requires Member States to support SMEs, but the obligation remains. CRACheck lets you meet that obligation at a cost proportionate to your revenue. Eight documents, 15–25 minutes, €149 one-time. No subscription, no consultant dependency, no data leaving your device.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.
Article 64(2) sets fines at up to €15,000,000 or 2.5% of global annual turnover for non-compliance with Articles 13 and 14. For a company with €2M annual revenue, that is a potential €50,000 fine. The €149 documentation cost is a rounding error compared to the enforcement risk after 11 December 2027.
Regulation (EU) 2024/2847 applies to all manufacturers who place products with digital elements on the EU market, regardless of company size (Article 2(1)). Article 33 provides support measures for SMEs but does not exempt them from any obligation. The only relief is Article 64(10), which exempts micro and small enterprises from the 24-hour early warning penalty under Article 14(2)(a).
Article 13(12) requires manufacturers to first draw up the technical documentation under Article 31, then carry out the conformity assessment under Article 32, and only then draw up the EU declaration of conformity and affix CE marking. The declaration without the technical file is a compliance gap that Article 64(3) penalises at up to €10M or 2%.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Identifies where your product sits in the CRA classification: default (Module A self-assessment), Important Class I or II (Annex III, may need notified body), or Critical (Annex IV). Determines cost implications for the next steps.
The core deliverable. Structured per Article 31 and Annex VII's eight mandatory elements. This is the document a market surveillance authority will request first.
Maps your product's cybersecurity risks per Article 13(2) and (3) against the 13 requirements in Part I of Annex I. Without this, the technical documentation is incomplete.
The nine-point information sheet per Annex II that must accompany your product.
Per Article 28 and the Annex V model structure. The formal statement that your product meets the essential cybersecurity requirements.
Coordinated vulnerability disclosure policy required by Part II, point (5) of Annex I. Establishes your contact address and response process.
Pre-structured for ENISA notifications per Article 14. Three tiers: 24-hour early warning, 72-hour notification, 14-day final report. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
Timeline with Article 14 reporting (from 11 September 2026), full application (11 December 2027), and your product's support period milestones.
Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.
Generated from your data, in your browser. No data leaves your device.