Will CE marking under the CRA look different on the product?

No. The CE marking itself is the same symbol (Article 30). What changes is the legal basis: after 11 December 2027, your Declaration of Conformity must cite Regulation (EU) 2024/2847 alongside the other applicable directives. Market surveillance authorities will verify that the CRA Declaration exists and that technical documentation supports it.

Can we issue a single combined Declaration of Conformity?

You may issue a combined Declaration covering multiple EU legal acts, or separate Declarations per regulation. Article 28(2) of the CRA states the Declaration shall contain all required elements of Annex V. CRACheck generates the CRA-specific Declaration, which you can include in a combined document or present separately.

Is the Art. 14 vulnerability reporting obligation really active from September 2026?

Yes. Article 14 reporting obligations apply from 11 September 2026, over a year before full enforcement. From that date, if you become aware of an actively exploited vulnerability in any product you have placed on the EU market, you must notify ENISA within 24 hours (early warning), 72 hours (notification), and 14 days (final report). CRACheck provides the notification template structure.

Do all our products need CRA documentation, or only "smart" ones?

The CRA applies to products with digital elements — defined in Article 3(1) as software or hardware products with a direct or indirect logical or physical data connection to a device or network. If a product has firmware, processes data, or connects to a network in any way, it is within scope. Purely analogue electronics without any digital element are not covered.

Can our Turkish test laboratory perform CRA conformity assessment?

For Default products using Module A (self-assessment), no laboratory or notified body is needed — the manufacturer performs internal control per Annex VIII Part I. For Important products requiring third-party assessment, only notified bodies designated by EU Member States under Articles 35–40 can perform the assessment. Turkish laboratories would need to be notified under this framework.

Is this a subscription?

No. One-time payment. 30 days editing, 10 regenerations. PDF yours permanently.

Can I request a refund?

Under Article 16(m) of Directive (EU) 2011/83, licence activation constitutes express consent. Refunds only for reproducible technical failures.

What if the regulation is amended?

Regenerate at no additional cost during licence validity.

You are a Turkish electronics exporter with an established CE marking process. From 11 December 2027, CE marking for any product with digital elements requires compliance with Regulation (EU) 2024/2847 — the Cyber Resilience Act. This is not an update to existing directives. It is a new horizontal regulation with its own essential requirements, its own conformity assessment, and its own technical documentation structure. CRACheck generates the documentation you are missing.

Your CE marking dossier currently covers the Low Voltage Directive, EMC, RED, RoHS, and possibly the Machinery Regulation. After 11 December 2027, every connected electronic product you place on the EU market must also comply with the CRA. Article 30 requires CE marking to reflect CRA conformity. Article 13(20) requires a separate EU Declaration of Conformity citing Regulation (EU) 2024/2847. Your existing CE process must absorb a new regulation with 40+ pages of essential requirements (Annex I), detailed technical documentation (Annex VII), and mandatory vulnerability reporting (Art. 14). CRACheck generates the 8-document CRA dossier in 15–25 minutes. €149 per product. Browser-side — no product data leaves your device.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

Art. 30

CE marking must reflect CRA conformity from Dec 2027

Annex I

New essential cybersecurity requirements for CE

€149

Per product, one-time documentation

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Classify your product

CRACheck checks your product against Annex III and Annex IV to determine Default, Important, or Critical classification

Enter your product profile

Product type, connectivity, firmware, data processing, user-facing features

Map your product against Annex I essential cybersecurity requirements

These are the new CE requirements specific to the CRA

Document your vulnerability handling processes

Art. 14 readiness: early warning, notification, final report to ENISA

Define your support commitment

Security update period aligned with product lifecycle (minimum 5 years per Art. 13(8))

Generate the 8-document CRA dossier

Your new CE documentation layer, separate from but complementary to your existing technical files

Integrate into your CE marking process

The CRA Declaration of Conformity references Art. 28 + Annex V alongside your existing Declarations

Common mistakes

❌

CE CONTINUITY MYTH

"Our current CE marking process will continue to work after 2027"

CE marking after 11 December 2027 must reflect compliance with Regulation (EU) 2024/2847 for any product with digital elements. Article 30(1) requires the CE marking to be affixed only after conformity with the CRA has been demonstrated. Your existing CE marking under LVD, EMC, or RED remains necessary — but it is no longer sufficient. The CRA adds a new legal basis to your CE Declaration.

❌

DOCUMENTATION OVERLAP

"We can add CRA information to our existing technical file — no separate document needed"

Article 31 and Annex VII define a specific documentation structure for the CRA. While you may physically include it in the same technical file binder, the CRA documentation has distinct content requirements: cybersecurity risk assessment (Annex I Part I), vulnerability handling processes (Annex I Part II), SBOM, user information (Annex II), and conformity assessment evidence (Annex VIII). These sections do not exist in your LVD or EMC files.

❌

TIMELINE MISCALCULATION

"December 2027 is far away — we have time"

Article 14 reporting obligations for actively exploited vulnerabilities apply from 11 September 2026 — more than a year before full enforcement. By September 2026, you must have a vulnerability handling process in place and be ready to notify ENISA within 24 hours. The documentation supporting this process should be prepared now, not in November 2027.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Confirms your product's classification: Default (90%+ of products), Important Class I or II (Annex III), or Critical (Annex IV). Determines which conformity assessment module applies under Article 32.

Technical Documentation

Art. 31 + Annex VII dossier. This is the new layer your CE technical file is missing: cybersecurity design, development, production, and vulnerability handling documentation.

Risk Assessment

Annex I Part I cybersecurity risk analysis. Your existing CE risk assessments cover electrical safety and EMC — this one covers cybersecurity threats specific to connected products.

User Information

Annex II information package. New consumer-facing cybersecurity information: secure setup, password management, update procedures, data handling, support period disclosure.

Declaration of Conformity

Art. 28 + Annex V. A new Declaration citing Regulation (EU) 2024/2847 as legal basis, alongside your existing Declarations for other applicable directives.

CVD Policy

Coordinated vulnerability disclosure: how end users and researchers report security issues. This is a CRA-specific requirement not covered by existing CE directives.

Notification Template

Art. 14 ENISA notification for actively exploited vulnerabilities. Your entry point for the mandatory reporting obligation active from September 2026.

Obligations Calendar

Two-phase timeline: Art. 14 reporting from 11 September 2026, full enforcement 11 December 2027, plus your product-specific support period.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 EXPAND YOUR CURRENT CE CONSULTANCY TO COVER CRA

€10,000–€25,000

8–14 weeks. Your CE consultant may not have CRA expertise — new regulation, new learning curve. Requires renegotiating scope and fees. No structured CRA-specific output.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history