CRA Technical Documentation Shenzhen IoT

Key numbers

8 sections

Annex VII mandatory content. Product description, design, vulnerabilities, risk, standards, tests, DoC, SBOM.

Art. 19.2

EU importer must verify documentation exists before placing the product on the market.

15 min

Per product. Your engineering team provides the data. CRACheck structures the documentation.

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Read the contract clause

Your EU buyer's clause references Art. 31 and Annex VII of Regulation (EU) 2024/2847. They want proof that technical documentation exists before the next shipment.

Collect engineering data

Product architecture, firmware versioning, update mechanism (OTA or manual), network interfaces, known vulnerability list, third-party component inventory, intended support period.

Run the CRACheck classifier

Determine whether your product is Default, Class I or Class II. This defines the conformity assessment route under Art. 32.

Generate the dossier

Enter the data into CRACheck. The generator maps your inputs to the 8 sections of Annex VII. 15-25 minutes per product.

Engineering review

Your R&D team validates that the documented specifications match the product. 10 regenerations available per licence.

Deliver to your EU buyer

Send the 8-document ZIP alongside your existing CE technical file. The importer's Art. 19 obligation is met.

Archive for market surveillance

Art. 13(13) requires documentation to be kept at the disposal of market surveillance authorities for at least 10 years or the support period, whichever is longer.

Common mistakes

❌

ANNEX VII

"We sent our product datasheet — that should be enough"

A product datasheet is a commercial document. Annex VII of Regulation (EU) 2024/2847 requires technical documentation that includes vulnerability handling processes (point 2(b)), cybersecurity risk assessment (point 3), applicable harmonised standards or alternative solutions (point 5), and test reports (point 6). A datasheet covers none of these.

❌

ART. 13.5

"We integrate third-party modules — the module vendor is responsible"

Article 13.5 of Regulation (EU) 2024/2847 requires manufacturers to exercise due diligence when integrating third-party components. If you integrate a WiFi module from another Shenzhen manufacturer, you must document how that component does not compromise the cybersecurity of your product. The obligation is on you as the final product manufacturer.

❌

ART. 31.2

"We write the documentation once and we are done"

Article 31.2 of Regulation (EU) 2024/2847 states that technical documentation shall be continuously updated during the support period. If you release a firmware update that changes security properties, the documentation must reflect it. CRACheck allows 10 regenerations per licence for this purpose.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Annex III classification. Defines the conformity assessment route your EU buyer needs to verify.

Technical Documentation

Art. 31 + Annex VII. All 8 sections structured per the Regulation. The document your EU buyer's contract clause is requesting.

Risk Assessment

Art. 13.2-13.3. Systematic cybersecurity risk analysis mapped against each requirement of Annex I Part I.

User Information

Annex II. End-user cybersecurity instructions your EU buyer will include with the product.

Declaration of Conformity

Art. 28 + Annex V. Formal statement of CRA conformity.

CVD Policy

Coordinated Vulnerability Disclosure. Your public-facing vulnerability reporting channel.

Notification Template

Art. 14. Ready for the 24h/72h/14d reporting timeline.

Obligations Calendar

Maps all CRA deadlines to your product lifecycle.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 EUROPEAN REGULATORY CONSULTANCY

€15,000–€25,000

Per product family. 4-6 months. Requires on-site audit in Shenzhen.

✓ CRACHECK

€149

8 documents. 15 min. Your engineering team provides the data. Pack 10: €99/product. Pack 30: €79/product.

Two layers

● LAYER 1

What CRACheck does

Generates the Annex VII technical documentation from your engineering data. 8 structured PDFs. Meets the contract clause your EU buyer added.

∅ LAYER 2

What CRACheck does NOT do

CRACheck does not perform penetration testing, firmware analysis or code review. If your product's vulnerability handling process is incomplete, the documentation will reflect that. Fix the process, then document it.

We structure the documentation. You own the engineering.

Enforcement regime

Article 64 of Regulation (EU) 2024/2847.

🔴

Non-compliance with Annex I + Art. 13/14 (Art. 64(2))

€15,000,000 / 2.5%

Art. 64.2.

🟠

Non-compliance with Art. 31, Art. 28, Art. 32 (Art. 64(3))

€10,000,000 / 2%

Art. 64.3.

🟡

Incorrect or misleading information (Art. 64(4))

€5,000,000 / 1%

Art. 64.4.

Alternatives

Criterion	European regulatory consultancy	Ask your CE lab to add CRA	Draft in-house using Annex VII text	CRACheck
Cost	€15,000–€25,000	€3,000–€8,000	Free + engineering weeks	€149
Result	Full audit. 4-6 months. On-site in Shenzhen.	If they offer CRA. Most EMC/RED labs do not yet.	High risk of structural gaps. EU buyer may reject.	8 docs. 15 min. Structured per Annex VII. Ready for the next PO.

Your product catalogue spans dozens of IoT devices?

Each product with digital elements needs its own Annex VII dossier. A gateway, a sensor and a controller are three products. Volume pricing: €99/product (10-pack), €79/product (30-pack).

Request Volume Pricing

Response within one business day.

What CRACheck guarantees and what it does not

CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, completeness and truthfulness of that information is your responsibility as the manufacturer.

We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case or by a commercial buyer in a procurement process.

CRACheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.

Frequently asked questions

What exactly does Annex VII require?

Annex VII of Regulation (EU) 2024/2847 requires 8 categories of content: (1) general product description including intended purpose and software versions, (2) design, development, production and vulnerability handling information including SBOM and CVD policy, (3) cybersecurity risk assessment per Art. 13, (4) support period determination per Art. 13.8, (5) applicable harmonised standards or alternative solutions, (6) test reports, (7) copy of the EU declaration of conformity, and (8) SBOM upon authority request.

Does the documentation need to be in Chinese or English?

Art. 31.4 requires documentation in an official language acceptable to the notified body. For Default products using Module A self-assessment, there is no notified body — English is the industry standard for EU technical documentation. CRACheck generates in English.

Can one dossier cover a product family?

The documentation must cover a specific product with digital elements. If products in a family share the same firmware, same hardware architecture and same cybersecurity properties, a single dossier may reference the shared elements. If they differ in connectivity, firmware or vulnerability surface, separate documentation is required.

How long must we keep the documentation?

Article 13(13) requires the technical documentation to be kept at the disposal of market surveillance authorities for at least 10 years after the product has been placed on the market, or for the duration of the support period, whichever is longer.

What is the SBOM and where does it go?

Annex VII point 2(b) requires the technical documentation to include the software bill of materials. The SBOM lists all software components including third-party and open-source. Annex VII point 8 adds that market surveillance authorities may request the full SBOM. CRACheck generates both sections.

Is this a subscription?

No. One-time payment. 30 days editing, 10 regenerations. PDF yours permanently.

Can I request a refund?

Pursuant to Art. 16(m) of Directive (EU) 2011/83, licence activation constitutes express consent. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate at no additional cost during licence validity.

Official legal sources

Regulation (EU) 2024/2847 — Cyber Resilience Act — full text

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.