Annex II is the user-facing layer of your CRA compliance. While the technical documentation (Annex VII) stays with the manufacturer and market surveillance authorities, the Annex II information goes to the user. It must be clear, understandable, intelligible, and legible per Art. 13(19). It must be available in a language easily understood by users in the target Member State. It covers eleven mandatory categories, including security properties of the product, known cybersecurity risks, support period end date, how to report vulnerabilities, and instructions for secure installation, operation, and maintenance. CRACheck generates the user information document as part of the 8-document package.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
Article 13(21) of Regulation (EU) 2024/2847 requires the support period end date to be "clearly and understandably indicated at the time of purchase, in an accessible manner and, where applicable, on the packaging of the product." A product page, packaging, or accompanying document that omits this date violates the requirement.
Annex II, point (9) requires "information on how cybersecurity-relevant issues, including vulnerabilities in the product, can be reported." A product without a visible vulnerability reporting channel fails this requirement and weakens the Art. 14 notification pipeline.
Art. 13(19) requires "clear, understandable, intelligible and legible" information. Consumer-facing products cannot use ISO references, CVE identifiers, or cryptographic algorithm names without explanation. The information must be adapted to the target audience. B2B products have more latitude for technical depth.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Category per Annex III/IV. Consumer products face stricter readability requirements for user information.
Annex VII. Point 1(d) cross-references the Annex II user information as part of the technical file.
Per Art. 13(2)–(3). The risk assessment informs what users need to know under Annex II, point (5): known risks and foreseeable circumstances.
The core deliverable for this landing. Structured per all 11 Annex II categories: manufacturer identity (1), product identification (2), intended purpose (3), security properties (4), known risks (5), support period (6), SBOM info (7), secure use instructions (8), vulnerability reporting (9), single point of contact (10), CVD reference (11).
Per Art. 28 and Annex V. A simplified version of the declaration must be provided to users per Art. 13(20).
Per Annex I, Part II, point (5). Annex II, point (11) requires the user information to reference this policy.
Per Art. 14. Art. 14(8) requires the manufacturer to inform impacted users of the vulnerability — the User Information document establishes the communication channel. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
Maps the support period end date — a key Annex II requirement — and user notification milestones.
See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.
Generated from your data, in your browser. No data leaves your device.
Commissioning a technical writer and regulatory consultant to produce CRA-compliant user documentation covering all 11 Annex II categories, adapted for each target market language.
CRACheck generates the User Information document covering all 11 Annex II categories: manufacturer identity, product identification, intended purpose, security properties, known risks, support period, SBOM availability, secure use instructions, vulnerability reporting contact, single point of contact, and CVD policy reference. It cross-references the CVD policy, risk assessment, and technical documentation for consistency.
CRACheck does not deliver the information to your users. It does not print packaging inserts. It does not translate the document into Member State languages. It does not embed the information in your product UI or OOBE flow. You must integrate the generated user information into your product delivery process per Art. 13(19).
CRACheck builds the document. You deliver it to the user through the appropriate channel — packaging, download, in-product display.
Art. 64(2).
Art. 64(3).
Art. 64(4).
| Criterion | No user info | Technical writer | Existing manual | CRACheck |
|---|---|---|---|---|
| All 11 Annex II categories | Missing | Yes | Partial — cyber gaps | Yes — structured |
| Cross-reference with technical file | None | Manual | None | Automatic |
| Time to deliverable | — | 3–6 weeks | 2–4 weeks | 15–25 minutes |
| Cost | €0 (+ fine risk) | €6K–€15K | €2K–€5K | €149 one-time |
Each product requires its own Annex II documentation. CRACheck generates the English-language structure covering all 11 categories. Volume pricing: €99/product (10-pack) or €79/product (30-pack). Translation is your responsibility per Art. 13(19).
CRACheck generates a structured User Information document according to Annex II of Regulation (EU) 2024/2847, based on the information you provide. The accuracy of your product descriptions, security properties, and known risk disclosures is your responsibility as manufacturer.
We guarantee that the document structure follows Annex II of Regulation (EU) 2024/2847 and that all legal references cited are correct. We do not guarantee that a specific user information document will be accepted by a market surveillance authority in a specific case or satisfy all local language requirements.
CRACheck is not legal advice. For specific questions about Annex II interpretation, local language obligations, or user information delivery formats, consult with a qualified regulatory professional.