My component is an SDK with no hardware. Does the CRA apply?

Yes. Art. 3(4) of Regulation (EU) 2024/2847 defines software as the part of an electronic information system consisting of computer code. Art. 3(1) covers products with digital elements including software components placed on the market separately. If you sell the SDK independently and it has a logical data connection, it is a product with digital elements.

Does my customer's CE marking cover my component?

Not necessarily. If your component is already placed on the market separately with its own CE marking, that CE marking covers CRA conformity for the component itself. Recital 34 notes that downstream manufacturers can check for your CE marking as part of their due diligence. If your component is integrated before CRA enforcement, Recital 35 acknowledges that the downstream manufacturer must exercise due diligence through other means.

How should I set the support period for a component?

Art. 13(8) of Regulation (EU) 2024/2847 requires the support period to reflect the expected time of use, user expectations and product nature. For components, consider the downstream integration lifecycle: an embedded controller deployed in industrial equipment may be in service for 15 years. Your support period must be proportionate to that reality. The minimum is five years unless the expected lifetime is shorter.

What is the SBOM requirement for components?

Annex VII point 2(b) of Regulation (EU) 2024/2847 references the software bill of materials. Art. 13(19) requires manufacturers to identify and document components. For a component manufacturer, this means documenting your own sub-components and making the SBOM available to market surveillance authorities upon request (Annex VII point 8).

Is this a subscription?

No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Art. 16(m) of Directive (EU) 2011/83, activating the licence constitutes express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only processed for reproducible technical failures.

What if the regulation changes?

If Regulation (EU) 2024/2847 is amended during your licence window, you can regenerate the documentation using the updated version of the generator at no additional cost.

You manufacture a component — a chipset, a firmware module, an embedded library, an SDK — and sell it to other manufacturers who integrate it into their end products. Article 3(6) of Regulation (EU) 2024/2847 defines a component as software or hardware intended for integration into an electronic information system. If you place that component on the EU market independently, you are its manufacturer under Art. 3(13). Your buyer's Art. 13(5) due diligence will start with your documentation.

The CRA does not exempt components from manufacturer obligations. Art. 3(1) defines a product with digital elements as any product including software or hardware components placed on the market separately. If your component has a logical or physical data connection and you market it under your name, Art. 13 applies to you — all twenty-one paragraphs. Your downstream customer — the manufacturer of the end product — has a due diligence obligation under Art. 13(5) to verify the cybersecurity of every third-party component they integrate. Recital 34 specifies what that due diligence includes: checking for CE marking, verifying security update history, checking the European vulnerability database, or conducting additional security tests. The first question your customer will ask is whether you have Art. 31 documentation. CRACheck generates the 8-document technical file. €149 per product. 15-25 minutes. Browser-side.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key figures

Art. 3(6)

Definition: component = software or hardware intended for integration

Art. 13(5)

Downstream integrators must exercise due diligence on your component

Art. 13(6)

If you find a vulnerability in an integrated component, you must report upstream

How to proceed

Confirm your component is a product with digital elements

Art. 3(1) includes components placed on the market separately. If your chipset, firmware or SDK is sold independently and has a data connection, it falls within scope. Recital 12 reinforces: components placed on the market separately are covered.

Classify the component

Determine whether it falls under Default, Important Class I (Annex III — e.g., microprocessors with security functionalities, microcontrollers with security functionalities), Important Class II (e.g., tamper-resistant microprocessors), or Critical (Annex IV). Classification drives your conformity assessment under Art. 32.

Complete the cybersecurity risk assessment

Art. 13(2)-(3) apply to you as component manufacturer. The risk assessment must account for how the component will be integrated — its intended purpose and reasonably foreseeable use in downstream products.

Produce Art. 31 technical documentation

Your downstream customers need this. Annex VII applies in full: product description, design and development, vulnerability handling, SBOM, risk assessment, test reports, declaration of conformity.

Implement vulnerability handling for the component

Art. 13(6): if you identify a vulnerability in a sub-component you integrated, you must inform the upstream developer and remediate it. Art. 13(8): your support period must cover the expected lifecycle of the component in downstream products.

Prepare for downstream due diligence requests

Recital 34 lists what your customers will check: CE marking, security update history, vulnerability database entries, and potential additional testing. Having CRACheck documentation ready converts due diligence requests into a one-step handover.

Common mistakes

❌

SCOPE DENIAL

Assuming components are exempt because they are not end products

Art. 3(1) of Regulation (EU) 2024/2847 explicitly includes components placed on the market separately. Recital 12 reinforces this. If you sell a firmware module, SDK, or chipset independently on the EU market, you are its manufacturer and Art. 13 applies. Your customer's compliance depends on yours.

❌

SUPPORT PERIOD MISMATCH

Setting a 2-year support period for a component with a 10-year integration lifecycle

Art. 13(8) requires the support period to reflect the expected time of use. For industrial chipsets or embedded firmware deployed in infrastructure with 10-15 year lifecycles, a 2-year support window will not withstand scrutiny — and it forces your downstream customer to carry the vulnerability handling burden you should own.

❌

VULNERABILITY CHAIN BREAK

Not reporting upstream when you find a vulnerability in an integrated sub-component

Art. 13(6) of Regulation (EU) 2024/2847 creates a bidirectional vulnerability chain: if you find a vulnerability in a component you integrated into your own component, you must inform the upstream developer and share the fix. Breaking this chain leaves the entire downstream integration tree exposed.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Identifies whether your component falls under Default, Important Class I (Annex III items 13-15: microprocessors and microcontrollers with security functionalities, ASICs/FPGAs with security functionalities), Important Class II (item 3-4: tamper-resistant microprocessors/microcontrollers), or Critical (Annex IV).

Technical Documentation

Art. 31 and Annex VII documentation for your component. This is the document your downstream customer's due diligence process (Art. 13(5)) will request first.

Risk Assessment

Cybersecurity risk assessment per Art. 13(2)-(3) scoped to the component's intended integration contexts. Covers intended purpose, foreseeable downstream use, and integration risks.

User Information

Annex II information adapted for B2B: integration guidelines, secure configuration defaults, vulnerability reporting contact, support period end date.

Declaration of Conformity

EU Declaration per Art. 28 and Annex V for the component specifically.

CVD Policy

Coordinated vulnerability disclosure policy. Your downstream customers will verify this exists as part of Recital 34 due diligence.

Notification Template

ENISA notification template per Art. 14. Components with actively exploited vulnerabilities require the same 24h/72h/14-day notification cycle.

Obligations Calendar

Key dates for component manufacturers: Art. 14 from September 2026, full enforcement December 2027, support period milestones aligned with downstream product lifecycles.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 COMPONENT CERTIFICATION CONSULTANCY

Third-party compliance mapping for your component

€10,000-30,000 per component family

12-20 weeks

Requires sharing design documentation with consultancy

Result: compliance report — not the actual Art. 31 file

Re-engagement for each silicon revision or firmware update

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history