The CRA does not exempt components from manufacturer obligations. Art. 3(1) defines a product with digital elements as any product including software or hardware components placed on the market separately. If your component has a logical or physical data connection and you market it under your name, Art. 13 applies to you — all twenty-one paragraphs. Your downstream customer — the manufacturer of the end product — has a due diligence obligation under Art. 13(5) to verify the cybersecurity of every third-party component they integrate. Recital 34 specifies what that due diligence includes: checking for CE marking, verifying security update history, checking the European vulnerability database, or conducting additional security tests. The first question your customer will ask is whether you have Art. 31 documentation. CRACheck generates the 8-document technical file. €149 per product. 15-25 minutes. Browser-side.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
Art. 3(1) of Regulation (EU) 2024/2847 explicitly includes components placed on the market separately. Recital 12 reinforces this. If you sell a firmware module, SDK, or chipset independently on the EU market, you are its manufacturer and Art. 13 applies. Your customer's compliance depends on yours.
Art. 13(8) requires the support period to reflect the expected time of use. For industrial chipsets or embedded firmware deployed in infrastructure with 10-15 year lifecycles, a 2-year support window will not withstand scrutiny — and it forces your downstream customer to carry the vulnerability handling burden you should own.
Art. 13(6) of Regulation (EU) 2024/2847 creates a bidirectional vulnerability chain: if you find a vulnerability in a component you integrated into your own component, you must inform the upstream developer and share the fix. Breaking this chain leaves the entire downstream integration tree exposed.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Identifies whether your component falls under Default, Important Class I (Annex III items 13-15: microprocessors and microcontrollers with security functionalities, ASICs/FPGAs with security functionalities), Important Class II (item 3-4: tamper-resistant microprocessors/microcontrollers), or Critical (Annex IV).
Art. 31 and Annex VII documentation for your component. This is the document your downstream customer's due diligence process (Art. 13(5)) will request first.
Cybersecurity risk assessment per Art. 13(2)-(3) scoped to the component's intended integration contexts. Covers intended purpose, foreseeable downstream use, and integration risks.
Annex II information adapted for B2B: integration guidelines, secure configuration defaults, vulnerability reporting contact, support period end date.
EU Declaration per Art. 28 and Annex V for the component specifically.
Coordinated vulnerability disclosure policy. Your downstream customers will verify this exists as part of Recital 34 due diligence.
ENISA notification template per Art. 14. Components with actively exploited vulnerabilities require the same 24h/72h/14-day notification cycle.
Key dates for component manufacturers: Art. 14 from September 2026, full enforcement December 2027, support period milestones aligned with downstream product lifecycles.
See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.
Generated from your data, in your browser. No data leaves your device.
CRACheck generates the Art. 31 and Annex VII technical documentation for your component. This is the package your downstream customer receives when they perform Art. 13(5) due diligence. Eight documents: classification, technical file, risk assessment, user information, declaration of conformity, CVD policy, ENISA template, obligations calendar. One licence per component. The output is yours to distribute to any customer.
CRACheck does not perform penetration testing on your component. It does not conduct hardware security analysis. It does not verify your SBOM against the European vulnerability database. It does not manage your vulnerability handling process throughout the support period. The documentation is structured from your input — the technical accuracy of that input is your engineering team's responsibility.
CRACheck documents what you built. Your engineering team verifies what you documented. Your customer integrates what you verified.
If an actively exploited vulnerability is found in your component, the 24h early warning to ENISA applies. Every downstream product integrating your component is affected — the reporting urgency is multiplicative.
Components placed on the EU market from this date must carry CE marking and be accompanied by Art. 31 documentation. Downstream customers will not integrate undocumented components.
For non-compliance with Art. 13 and Art. 14 essential requirements. A component manufacturer faces the same penalty tier as any other manufacturer.
| Criterio | Component certification lab | Manual documentation | Wait for customer demand | CRACheck |
|---|---|---|---|---|
| Price per component | €10K-30K | Staff time | €0 now | €149 per component |
| Time to documentation | 12-20 weeks | 3-6 months | N/A | 15-25 minutes |
| Customer-handover ready | Report, not Art. 31 file | Depends on format | Nothing to hand over | 8-document ZIP |
| Design data privacy | Shared with lab | Internal | N/A | 100% browser-side |
| CRACheck | €149 | 15-25 min | 8-doc ZIP | Browser-side |
Pack 10: €99 per component. Pack 30: €79 per component. For silicon vendors and embedded software houses with large portfolios, contact us for enterprise pricing.
Request volume pricingCRACheck generates a structured document set according to Art. 31 and Annex VII of Regulation (EU) 2024/2847 based on the information you provide about your component. The accuracy of that information — including integration contexts, security functionalities and vulnerability data — is your responsibility as manufacturer.
We guarantee that the document structure follows Art. 31 and Annex VII and that the legal references cited are correct. We do not guarantee that a specific downstream customer or market surveillance authority will accept the documentation in a specific context.
CRACheck is not legal advice. For questions about component classification under Annex III, conformity assessment routes for Important or Critical components, or supply chain liability, consult a qualified cybersecurity regulatory lawyer.
Product classifier, technical documentation, risk assessment, declaration of conformity, CVD policy, ENISA template, SBOM structure, obligations calendar. Eight documents. €149 per component. Browser-side.