Component integration is where CRA compliance gets complex. You are the manufacturer of the final product under Article 3(13). The cybersecurity of your product depends on every component in the stack — the wireless module from Taiwan, the microcontroller firmware from a fabless vendor, the cloud connector library from an open-source project. Article 13(5) requires you to exercise due diligence on each. Your Annex VII documentation must describe the product as a whole, including how third-party components interact with your security architecture. CRACheck generates the 8-document dossier from your specifications. €149 per integrated product. 15–25 minutes. Your bill of materials never leaves your browser.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.
Article 13(5) requires the manufacturer of the final product to exercise due diligence when integrating components. A supplier's CE marking on an individual component does not constitute due diligence on your part. You must verify that third-party components do not compromise the cybersecurity of your product as a whole. Your Annex VII dossier must document this verification.
Annex VII point 2 requires description of the design, development, and production processes, including component integration. The SBOM should cover all software components in the final product — your code, third-party libraries, open-source dependencies, and firmware from component suppliers. An incomplete SBOM is a documentation gap.
Article 2 of Regulation (EU) 2024/2847 exempts non-commercial open-source software from manufacturer obligations. However, when you integrate open-source components into a commercial product, you — as the manufacturer of that product — assume responsibility for the cybersecurity of the integrated system. The open-source exemption applies to the upstream developer, not to you as integrator.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Classifies your integrated product based on its primary function. The classification considers the highest-risk component in the stack — if you integrate an Annex III component, it may affect your product's classification.
Art. 31 + Annex VII dossier covering the integrated product: system architecture, component inventory, security boundaries, integration validation, due diligence records.
Annex I Part I analysis at the integrated product level. Evaluates system-level risks: component interaction vulnerabilities, interface attack surfaces, supply chain risks, cascading failure scenarios.
Annex II information for the end user: secure setup covering the integrated product's full functionality, component-level configuration where relevant, update procedures.
Art. 28 + Annex V for the integrated product. References the product's classification and conformity assessment procedure.
Supply chain-wide vulnerability disclosure: how you receive reports from component suppliers, coordinate patches across the stack, and communicate to downstream users.
Art. 14 ENISA notification. Adapted for vulnerabilities that may originate in a component but affect your integrated product. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
Enforcement dates, support period for the integrated product, component supplier support alignment.
Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.
Generated from your data, in your browser. No data leaves your device.
CRACheck generates the Art. 31 + Annex VII dossier that covers your product as a whole — including the component integration due diligence required by Art. 13(5). This is the documentation that demonstrates your product-level compliance to market surveillance authorities.
CRACheck does not audit your component suppliers, negotiate cybersecurity clauses in your procurement contracts, or perform integration testing on your assembled product. If a component supplier cannot provide adequate cybersecurity documentation, that is a procurement decision. CRACheck documents what you have verified — it does not verify for you.
Start by documenting what you know. The process of completing CRACheck's questionnaire will reveal which component suppliers have cybersecurity gaps — that information is as valuable as the dossier itself.
Article 64 of Regulation (EU) 2024/2847.
Annex I + Art. 13/14.
Art. 28, 31, 32.
Misleading information.
| Criterion | Supply Chain Auditor | In-House Engineering Team | Generic Template | CRACheck |
|---|---|---|---|---|
| Time per product | 10–20 weeks | 6–14 weeks | 2–4 weeks adaptation | 15–25 minutes |
| Cost | €20,000–€40,000 | Staff + coordination | Template + staff | €149 |
| Component due diligence | Audit-based | Ad hoc | Not covered | Structured per Art. 13(5) |
| Output format | Audit report | Internal doc | Variable | 8 PDFs per Annex VII |
Each integrated product with a distinct component configuration requires its own CRA dossier. Volume pricing: €99/product (pack 10), €79/product (pack 30).
Request Volume PricingCRACheck generates a structured document aligned with Article 31 and Annex VII of Regulation (EU) 2024/2847 based on the information you input about your integrated product and its components. The accuracy of that data — including your due diligence records — is your responsibility as manufacturer.
We guarantee the document structure follows Art. 31 + Annex VII and that all legal references are correct. We do not guarantee acceptance by a market surveillance authority in a particular case.
CRACheck is not legal advice. For questions about component liability allocation, supply chain contractual clauses, or conformity assessment strategy for complex integrated products, consult a regulatory attorney.
Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.