I already have GPSRCheck documentation. Do I need CRACheck on top of it?

If your product has digital elements with a data connection — a smart home device, a connected toy, a wearable with wireless connectivity — yes. GPSRCheck generates the GPSR safety documentation under Regulation (EU) 2023/988. CRACheck generates the CRA cybersecurity documentation under Regulation (EU) 2024/2847. Both are independent regulatory requirements.

Can the GPSR and CRA documentation be in a single file?

Article 31(3) of the CRA allows a single technical documentation set for products subject to multiple Union legal acts. In practice, the content requirements are sufficiently different that maintaining them as separate documents reduces confusion during market surveillance inspections.

Does a non-connected consumer product need CRA documentation?

No. CRA Article 2(1) requires the product to have 'a direct or indirect logical or physical data connection to a device or network.' A consumer product without any data connection (a purely mechanical kitchen tool, a non-electronic toy) is outside CRA scope. GPSR still applies for safety.

Who enforces the CRA for consumer products — consumer safety authorities or cybersecurity authorities?

Market surveillance authorities designated under Regulation (EU) 2019/1020. In most Member States, this is the same authority that enforces the GPSR. The CRA leverages the existing market surveillance infrastructure.

Is this a subscription?

No. One-time payment. The licence includes a 30-day editing window and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Article 16(m) of Directive (EU) 2011/83, by activating the licence you give express consent for the immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are accepted only for reproducible technical defects.

What if the regulation changes?

If the regulation is amended during the validity of your licence, you can regenerate the document with the updated version of the generator at no additional cost.

Regulation (EU) 2023/988 (GPSR) replaced the old General Product Safety Directive and requires all non-food consumer products on the EU market to have documented safety assessments. Regulation (EU) 2024/2847 (CRA) requires all products with digital elements to have documented cybersecurity assessments. If your consumer product has a network connection — a smart thermostat, a connected toy, a home security camera — both regulations apply simultaneously. Article 11 of the CRA states that GPSR Chapters III, V, VII, and IX–XI apply to products with digital elements for safety aspects not covered by the CRA. CRACheck generates the cybersecurity documentation under the CRA.

The boundary is clean in theory: GPSR governs physical safety (burn risk, choking hazard, chemical exposure, mechanical failure). CRA governs cybersecurity (vulnerabilities, unauthorised access, data exposure, attack surface). In practice, for connected consumer products, the same product needs an Article 9 GPSR risk analysis for physical safety and an Article 13 CRA cybersecurity risk assessment for digital security. Article 11 of the CRA explicitly preserves GPSR applicability for safety aspects not covered by the CRA. If you already have GPSRCheck documentation, you need CRACheck documentation on top of it. €149. 15–25 minutes. 8 PDFs. Different regulations, different documentation, different tools.

Generate CRA Dossier — €149 Free: check your product classification

€149 one-time payment per product · 8 PDF documents in ZIP · 15–25 minutes · 100% in your browser

Two regulations, two documentation sets

Art. 11 CRA

GPSR applies to safety risks not covered by the CRA

2 regulations

GPSR (safety) + CRA (cybersecurity) — both mandatory for connected consumer products

€15M CRA

Maximum CRA fine. GPSR fines set by national law (€100,000+ in most Member States).

Two regulations, two documentation sets, two tools

Is it a consumer product?

If yes, GPSR applies for general product safety.

Does it have digital elements with a data connection?

If yes, the CRA applies for cybersecurity.

GPSR documentation

Article 9 GPSR internal risk analysis, EU Declaration of Conformity under GPSR, and EU Responsible Person appointment under Article 16. GPSRCheck generates this layer.

CRA documentation

Article 31 + Annex VII technical documentation, cybersecurity risk assessment under Article 13, CRA Declaration of Conformity under Article 28, CVD policy, ENISA notification template. CRACheck generates this layer.

Two separate files

The GPSR file and the CRA file are parallel documentation sets. Article 31(3) of the CRA allows a single technical documentation containing both, but the content requirements are distinct.

GPSRCheck covers safety. CRACheck covers cybersecurity. One product, two documentation layers, two tools.

Common mistakes with GPSR and CRA overlap

❌

ART. 11 CRA

Assuming GPSR compliance covers cybersecurity

Article 11 of the CRA states that GPSR applies to "aspects and risks or categories of risks that are not covered by this Regulation." Cybersecurity is covered by the CRA, not the GPSR. A GPSR-compliant product without CRA documentation is not compliant with the CRA.

❌

SCOPE

Assuming the CRA replaces the GPSR for connected products

The CRA does not replace the GPSR. Both coexist. GPSR covers physical safety. CRA covers cybersecurity. A connected consumer product must have both documentation sets.

❌

ART. 16 GPSR

Confusing the GPSR EU Responsible Person with CRA obligations

GPSR Article 16 requires non-EU manufacturers to appoint an EU Responsible Person for general product safety. The CRA has its own provisions for authorised representatives under Article 15 of Regulation (EU) 2024/2847. These are separate roles that may or may not be filled by the same entity.

8 CRA documents — parallel to GPSR documentation

The GPSR requires its own documentation. CRACheck generates the CRA cybersecurity documentation layer — a separate, parallel set of documents.

Product Classifier

Annex III / Annex IV classification. Conformity assessment module.

Technical Documentation

Art. 31 + Annex VII. Complete dossier.

Risk Assessment

Art. 13(2)–(3). Cybersecurity risk assessment against Annex I.

User Information

Annex II. 9 required information points.

Declaration of Conformity

Art. 28 + Annex V. Ready for signature.

CVD Policy

Annex I Part II point (5). Coordinated vulnerability disclosure.

Notification Template

Art. 14. ENISA 24h/72h/14d notification.

Obligations Calendar

Key dates and milestones.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated in your browser. No data leaves your device.

Safety and cybersecurity are separate compliance workstreams

🧾 COMBINED GPSR + CRA COMPLIANCE CONSULTANCY

€12,000–€30,000

Covers both. Months of work.

✓ Last regulatory check: 2 May 2026 · No substantive changes detected · View history