Does CRACheck cover all eight points of Annex VII?

Yes. The output addresses each mandatory element: general product description (point 1), design, development, and vulnerability handling (point 2), cybersecurity risk assessment (point 3), support period rationale (point 4), applied standards or alternative solutions (point 5), test report references (point 6), EU declaration of conformity (point 7), and SBOM provision note (point 8).

Is the generated documentation sufficient for a notified body examination?

For Important Class I products where harmonised standards have not been fully applied, Article 32(2) requires EU-type examination (Module B) or full quality assurance (Module H) by a notified body. CRACheck generates the technical documentation that you submit to the notified body — it is the input to the examination, not a substitute for it.

Can I edit the generated documents before submitting them?

Yes. You have 30 days from activation to edit and regenerate. Up to 10 regenerations are included. The output PDFs contain your data structured per Annex VII; you can supplement them with additional annexes, test reports, or supporting evidence.

Does the generator handle multiple product variants?

Each run generates documentation for one product. If your product has multiple variants with different software versions or hardware configurations affecting cybersecurity compliance, each variant should be documented separately per Article 13(14).

What format is the SBOM in?

CRACheck includes an SBOM provision section as required by Annex VII, point 2(b) and Part II, point (1) of Annex I. The regulation requires a commonly used and machine-readable format. CRACheck documents the SBOM metadata and scope; you are responsible for maintaining the actual SBOM file in a format such as SPDX or CycloneDX.

Is this a subscription?

No. One-time payment. 30 days editing, 10 regenerations. PDF yours permanently.

Can I request a refund?

Per Article 16(m) of Directive (EU) 2011/83, licence activation constitutes express consent. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate with the updated version at no additional cost during licence validity.

Annex VII of Regulation (EU) 2024/2847 lists eight elements that your technical documentation must contain. Article 31 makes that documentation mandatory before placing your product on the market. CRACheck generates it from your input data in one session.

You are looking for a way to produce the technical documentation that Article 31 requires without hiring a consultant or building the structure from scratch. CRACheck is an online generator that takes your product data and maps it to each of the eight points in Annex VII. The output is a set of eight PDF documents covering product classification, technical documentation, cybersecurity risk assessment, user information, EU declaration of conformity, CVD policy, ENISA notification template, and obligations calendar. Processing happens entirely in your browser — no data leaves your device. Cost: €149, one-time.

Generate Annex VII documentation — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

mandatory elements in Annex VII — all eight covered by CRACheck

15 min

average generation time from data input to PDF download

10 years

minimum period to keep technical documentation at the disposal of authorities (Art. 13(13))

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Product classification

CRACheck identifies your product category (default / Important Class I or II / Critical) per Annex III and Annex IV.

General description (Annex VII, point 1)

You input product purpose, software versions, photographs or diagrams if hardware, and user information per Annex II.

Design, development, and vulnerability handling (Annex VII, point 2)

You describe system architecture, SBOM data, CVD policy, and update distribution mechanisms.

Risk assessment (Annex VII, point 3)

CRACheck maps your product's risk profile against the 13 requirements in Part I of Annex I, following Article 13(2) and (3).

Support period rationale (Annex VII, point 4)

You provide the factors informing your support period determination. CRACheck documents the rationale per Article 13(8).

Standards, test reports, and declaration (Annex VII, points 5–7)

CRACheck lists applied standards or alternative solutions, structures test report references, and drafts the declaration per Article 28 and Annex V.

Download

Eight PDFs in ZIP. SBOM provision note per Annex VII, point 8. 30 days of editing, 10 regenerations.

Common mistakes

❌

ANNEX VII GAPS

"Omitting the SBOM from the technical documentation"

Annex VII, point 2(b) explicitly requires the software bill of materials as part of the technical documentation's vulnerability handling section. Part II, point (1) of Annex I requires the SBOM to cover at least top-level dependencies in a machine-readable format. Market surveillance authorities can also request the full SBOM under Annex VII, point 8.

❌

RETENTION

"Discarding documentation after product launch"

Article 13(13) requires manufacturers to keep the technical documentation and EU declaration of conformity at the disposal of market surveillance authorities for at least 10 years after the product has been placed on the market, or for the support period, whichever is longer. Deleting the files after launch creates an enforcement gap.

❌

LANGUAGE

"Producing the technical documentation only in your native language"

Article 31(4) requires the technical documentation and all correspondence relating to conformity assessment procedures to be drawn up in an official language of the Member State where the notified body is established, or in a language acceptable to that body. For market access across multiple EU Member States, preparing at least an English version is a practical baseline.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Maps your product against Annex III (Important Class I and II) and Annex IV (Critical). Determines the conformity assessment procedure under Article 32. This classification is the entry point for the entire documentation chain.

Technical Documentation

The central document. Covers all eight mandatory elements of Annex VII: general description, design and vulnerability handling, risk assessment, support period rationale, standards applied, test reports, declaration of conformity, and SBOM provision.

Risk Assessment

Standalone document expanding Annex VII, point 3. Detailed mapping of your product against Part I of Annex I requirements.

User Information

Annex II compliance document with all nine mandatory information items. Ready to ship with your product or publish online as Article 13(18) allows.

Declaration of Conformity

Per Article 28 and Annex V model. Covers all eight elements: product identification, manufacturer address, conformity statement, applicable legislation, standards, notified body (if applicable), additional information, and signature.

CVD Policy

Coordinated vulnerability disclosure policy per Part II, point (5) of Annex I and Annex VII, point 2(b). Includes contact address per Part II, point (6).

Notification Template

Article 14 ENISA notification structure. Three-stage format: early warning within 24 hours, notification within 72 hours, final report within 14 days.

Obligations Calendar

Key regulatory dates and your product-specific milestones: support period start and end, Art. 14 reporting activation, full CRA enforcement.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 BUILD ANNEX VII DOCUMENTATION FROM SCRATCH

€5,000–€15,000

Weeks of legal research. No structured template. Risk of missing mandatory elements. No automated Annex I mapping. Staff hours at €50–€100/hr. Every regulation update requires manual rework.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history