Component integration is where CRA compliance gets complex. You are the manufacturer of the final product under Article 3(13). The cybersecurity of your product depends on every component in the stack — the wireless module from Taiwan, the microcontroller firmware from a fabless vendor, the cloud connector library from an open-source project. Article 13(5) requires you to exercise due diligence on each. Your Annex VII documentation must describe the product as a whole, including how third-party components interact with your security architecture. CRACheck generates the 8-document dossier from your specifications. €149 per integrated product. 15–25 minutes. Your bill of materials never leaves your browser.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.
Article 13(5) requires the manufacturer of the final product to exercise due diligence when integrating components. A supplier's CE marking on an individual component does not constitute due diligence on your part. You must verify that third-party components do not compromise the cybersecurity of your product as a whole. Your Annex VII dossier must document this verification.
Annex VII point 2 requires description of the design, development, and production processes, including component integration. The SBOM should cover all software components in the final product — your code, third-party libraries, open-source dependencies, and firmware from component suppliers. An incomplete SBOM is a documentation gap.
Article 2 of Regulation (EU) 2024/2847 exempts non-commercial open-source software from manufacturer obligations. However, when you integrate open-source components into a commercial product, you — as the manufacturer of that product — assume responsibility for the cybersecurity of the integrated system. The open-source exemption applies to the upstream developer, not to you as integrator.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Classifies your integrated product based on its primary function. The classification considers the highest-risk component in the stack — if you integrate an Annex III component, it may affect your product's classification.
Art. 31 + Annex VII dossier covering the integrated product: system architecture, component inventory, security boundaries, integration validation, due diligence records.
Annex I Part I analysis at the integrated product level. Evaluates system-level risks: component interaction vulnerabilities, interface attack surfaces, supply chain risks, cascading failure scenarios.
Annex II information for the end user: secure setup covering the integrated product's full functionality, component-level configuration where relevant, update procedures.
Art. 28 + Annex V for the integrated product. References the product's classification and conformity assessment procedure.
Supply chain-wide vulnerability disclosure: how you receive reports from component suppliers, coordinate patches across the stack, and communicate to downstream users.
Art. 14 ENISA notification. Adapted for vulnerabilities that may originate in a component but affect your integrated product. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
Enforcement dates, support period for the integrated product, component supplier support alignment.
Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.
Generated from your data, in your browser. No data leaves your device.