
Regulation (EU) 2023/988 (GPSR) replaced the old General Product Safety Directive and requires all non-food consumer products on the EU market to have documented safety assessments. Regulation (EU) 2024/2847 (CRA) requires all products with digital elements to have documented cybersecurity assessments. If your consumer product has a network connection — a smart thermostat, a connected toy, a home security camera — both regulations apply simultaneously. Article 11 of the CRA states that GPSR Chapters III, V, VII, and IX–XI apply to products with digital elements for safety aspects not covered by the CRA. CRACheck generates the cybersecurity documentation under the CRA.

The boundary is clean in theory: GPSR governs physical safety (burn risk, choking hazard, chemical exposure, mechanical failure). CRA governs cybersecurity (vulnerabilities, unauthorised access, data exposure, attack surface). In practice, for connected consumer products, the same product needs an Article 9 GPSR risk analysis for physical safety and an Article 13 CRA cybersecurity risk assessment for digital security. Article 11 of the CRA explicitly preserves GPSR applicability for safety aspects not covered by the CRA. If you already have GPSRCheck documentation, you need CRACheck documentation on top of it. €149. 15–25 minutes. 8 PDFs. Different regulations, different documentation, different tools.


€149 one-time payment per product · 8 PDF documents in ZIP · 15–25 minutes · 100% in your browser

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side

Two regulations, two documentation sets

Art. 11 CRA: GPSR applies to safety risks not covered by the CRA.
2 regulations: GPSR (safety) + CRA (cybersecurity), both mandatory for connected consumer products.
€15M CRA: Maximum CRA fine. GPSR fines set by national law (€100,000+ in most Member States).

Two regulations, two documentation sets, two tools

1. Is it a consumer product? If yes, GPSR applies for general product safety.
2. Does it have digital elements with a data connection? If yes, the CRA applies for cybersecurity.
3. GPSR documentation: Article 9 GPSR internal risk analysis, EU Declaration of Conformity under GPSR, and EU Responsible Person appointment under Article 16. GPSRCheck generates this layer.
4. CRA documentation: Article 31 + Annex VII technical documentation, cybersecurity risk assessment under Article 13, CRA Declaration of Conformity under Article 28, CVD policy, ENISA notification template. CRACheck generates this layer.
5. Two separate files: The GPSR file and the CRA file are parallel documentation sets. Article 31(3) of the CRA allows a single technical documentation containing both, but the content requirements are distinct.

GPSRCheck covers safety. CRACheck covers cybersecurity. One product, two documentation layers, two tools.

Common mistakes with GPSR and CRA overlap

ART. 11 CRA

Assuming GPSR compliance covers cybersecurity

Article 11 of the CRA states that GPSR applies to "aspects and risks or categories of risks that are not covered by this Regulation." Cybersecurity is covered by the CRA, not the GPSR. A GPSR-compliant product without CRA documentation is not compliant with the CRA.

SCOPE

Assuming the CRA replaces the GPSR for connected products

The CRA does not replace the GPSR. Both coexist. GPSR covers physical safety. CRA covers cybersecurity. A connected consumer product must have both documentation sets.

ART. 16 GPSR

Confusing the GPSR EU Responsible Person with CRA obligations

GPSR Article 16 requires non-EU manufacturers to appoint an EU Responsible Person for general product safety. The CRA has its own provisions for authorised representatives under Article 15 of Regulation (EU) 2024/2847. These are separate roles that may or may not be filled by the same entity.

8 CRA documents — parallel to GPSR documentation

The GPSR requires its own documentation. CRACheck generates the CRA cybersecurity documentation layer — a separate, parallel set of documents.

1. Product Classifier: Annex III / Annex IV classification. Conformity assessment module.
2. Technical Documentation: Art. 31 + Annex VII. Complete dossier.
3. Risk Assessment: Art. 13(2)–(3). Cybersecurity risk assessment against Annex I.
4. User Information: Annex II. 9 required information points.
5. Declaration of Conformity: Art. 28 + Annex V. Ready for signature.
6. CVD Policy: Annex I Part II point (5). Coordinated vulnerability disclosure.
7. Notification Template: Art. 14. ENISA 24h/72h/14d notification.
8. Obligations Calendar: Key dates and milestones.


Generated in your browser. No data leaves your device.

Safety and cybersecurity are separate compliance workstreams

Combined GPSR + CRA compliance consultancy: €12,000–€30,000. Covers both. Months of work.
CRACheck: €149. CRA cybersecurity layer. GPSRCheck €49 for GPSR safety layer. €198 total for both documentation sets. Minutes, not months.

Two layers of compliance

● LAYER 1

What CRACheck does

CRACheck generates the CRA cybersecurity documentation layer: Annex VII file, cybersecurity risk assessment, CRA Declaration of Conformity, CVD policy, ENISA notification template.

∅ LAYER 2

What CRACheck does NOT do

CRACheck does not generate GPSR documentation. It does not produce the Article 9 internal risk analysis under Regulation (EU) 2023/988, the GPSR Declaration of Conformity, or the product label. For GPSR documentation, use GPSRCheck.

Safety layer → GPSRCheck. Cybersecurity layer → CRACheck. Both are needed for connected consumer products.

Enforcement regime

CRA: Cybersecurity non-compliance. €15M / 2.5%. Art. 64(2) of Regulation (EU) 2024/2847.

GPSR: National penalties. €100,000+ in most Member States. Safety Gate public listing.

Market withdrawal: Both regulations. Both GPSR and CRA grant market surveillance authorities the power to withdraw non-compliant products from the EU market.

CRA and GPSR enforcement are administered by the same market surveillance authorities in most Member States. A connected consumer product missing either documentation set risks parallel enforcement actions.

CRA vs GPSR — comparison

| Criterion | GPSR (Reg. 2023/988) | CRA (Reg. 2024/2847) | CRACheck scope |
| --- | --- | --- | --- |
| Focus | Physical product safety | Product cybersecurity | Cybersecurity documentation |
| Risk assessment | Art. 9 internal risk analysis | Art. 13 cybersecurity risk assessment | Generates Art. 13 assessment |
| Tech doc | Art. 9 technical file | Art. 31 + Annex VII | Generates Annex VII |
| DoC | GPSR Declaration | CRA Declaration (Art. 28 + Annex V) | Generates CRA DoC |
| Tool | GPSRCheck (€49) | CRACheck (€149) | CRACheck |

Connected consumer product portfolio?

Each product needs both GPSR and CRA documentation. Volume pricing available for CRACheck. Pack of 10: €99. Pack of 30: €79. Contact us for combined GPSRCheck + CRACheck volume pricing.

Commercial enquiries via hello@solidwaretools.com

What CRACheck guarantees and what it does not

CRACheck generates a structured document set according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, completeness, and truthfulness of that information is your responsibility as the manufacturer.

We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct. We do not guarantee that a specific document will be accepted by a market surveillance authority in a particular case.

CRACheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.

Frequently asked questions — CRA and GPSR

I already have GPSRCheck documentation. Do I need CRACheck on top of it?
If your product has digital elements with a data connection — a smart home device, a connected toy, a wearable with wireless connectivity — yes. GPSRCheck generates the GPSR safety documentation under Regulation (EU) 2023/988. CRACheck generates the CRA cybersecurity documentation under Regulation (EU) 2024/2847. Both are independent regulatory requirements.
Can the GPSR and CRA documentation be in a single file?
Article 31(3) of the CRA allows a single technical documentation set for products subject to multiple Union legal acts. In practice, the content requirements are sufficiently different that maintaining them as separate documents reduces confusion during market surveillance inspections.
Does a non-connected consumer product need CRA documentation?
No. CRA Article 2(1) requires the product to have "a direct or indirect logical or physical data connection to a device or network." A consumer product without any data connection (a purely mechanical kitchen tool, a non-electronic toy) is outside CRA scope. GPSR still applies for safety.
Who enforces the CRA for consumer products — consumer safety authorities or cybersecurity authorities?
Market surveillance authorities designated under Regulation (EU) 2019/1020. In most Member States, this is the same authority that enforces the GPSR. The CRA leverages the existing market surveillance infrastructure.
Is this a subscription?
No. One-time payment. The licence includes a 30-day editing window and 10 regenerations. The downloaded PDF is yours permanently.
Can I request a refund?
Under Article 16(m) of Directive (EU) 2011/83, by activating the licence you give express consent for the immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are accepted only for reproducible technical defects.
What if the regulation changes?
If the regulation is amended during the validity of your licence, you can regenerate the document with the updated version of the generator at no additional cost.
⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

GPSR covers safety. CRA covers cybersecurity. Generate the cybersecurity file.

Last regulatory check: 2 May 2026 · No substantive changes detected