The CRA's manufacturer definition does not require you to have designed or developed the product yourself. Art. 3(13) covers any person who "has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge." This is the white-label scenario: you commission production, you brand the product, you are the manufacturer. Art. 21 reinforces it for importers and distributors: placing a product under your own name or trademark makes you the manufacturer. The cybersecurity risk assessment (Art. 13(2)), the technical documentation (Art. 31), the vulnerability handling (Art. 13(6)-(8)), the ENISA reporting (Art. 14) — all of it is yours. CRACheck generates the 8-document technical file under Art. 31 and Annex VII. €149 per product. 15-25 minutes. Your factory's data stays in your browser.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
Art. 3(13) of Regulation (EU) 2024/2847 does not require design or development activity. It requires marketing under your name or trademark. Art. 21 reinforces: an importer or distributor that places a product under its own name is the manufacturer. Market surveillance authorities will not accept "but I only rebranded it" as a defence.
As manufacturer under Art. 3(13), you bear Art. 13 obligations but your factory holds the engineering data. Without contractual clauses requiring vulnerability disclosure, SBOM provision, security update delivery and support period coverage, you cannot fulfil Art. 13(5)-(8) — and you cannot produce credible Art. 31 documentation.
Art. 13(8) requires vulnerability handling for the entire support period. If your factory exits production and stops delivering security updates, you — as the manufacturer on the market — must still handle vulnerabilities. Art. 19(8) and Art. 20(6) impose notification obligations on importers and distributors when the manufacturer ceases operations, but when you are the manufacturer, the obligation stays with you.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Identifies the CRA category. As white-label manufacturer, you need this to determine your conformity assessment route under Art. 32.
Art. 31 and Annex VII documentation. You produce this using engineering data from your factory. This is the document authorities request from you as manufacturer.
Cybersecurity risk assessment per Art. 13(2)-(3). Built from your factory's technical data. Your name is on the product — your signature is on the risk assessment.
Annex II user information with your brand's contact details, vulnerability reporting channel and support period commitment.
EU Declaration per Art. 28 and Annex V. Issued by you as manufacturer. References your product under your trademark.
Coordinated vulnerability disclosure policy under your brand. Establishes the reporting channel users and researchers contact.
ENISA notification template per Art. 14. Pre-structured for the 24h/72h/14-day cycle.
Key dates mapped to a white-label manufacturer: Art. 14 from September 2026, full enforcement December 2027, OEM contract renewal milestones.
See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.
Generated from your data, in your browser. No data leaves your device.
CRACheck generates the Art. 31 and Annex VII documentation under your brand. Eight documents covering classification, risk assessment, technical file, user information, declaration of conformity, CVD policy, ENISA template and obligations calendar. You fill it with engineering data from your factory. The output bears your name because the product bears your name.
CRACheck does not audit your contract manufacturer. It does not negotiate OEM contract cybersecurity clauses. It does not perform penetration testing on factory-supplied hardware. It does not manage your vulnerability handling process during the support period. It does not determine whether your specific commercial arrangement creates manufacturer status — Art. 3(13) and Art. 21 of Regulation (EU) 2024/2847 do that.
Your brand is on the product. Your name is on the documentation. CRACheck structures the documentation. You fill it with verified data.
As manufacturer, you must have ENISA notification capability. If your factory discovers an exploited vulnerability in your branded product, the 24h clock starts for you.
Products placed on the EU market under your brand must carry CE marking and be accompanied by Art. 31 documentation. No documentation, no market access.
For non-compliance with Art. 13 and Art. 14. The brand owner, as manufacturer, faces the highest penalty tier.
| Criterio | Compliance consultancy | Factory-provided documentation | Ignore until 2027 | CRACheck |
|---|---|---|---|---|
| Price | €5K-20K per product | Depends on factory | €0 now | €149 per product |
| Documentation ownership | Consultant owns format | Factory owns format | None | You own the PDF |
| Brand-specific | Generic report | Factory template | N/A | Your brand, your data |
| Browser-side | No — data shared | No — factory holds | N/A | 100% browser-side |
| CRACheck | €149 | You own it | Your brand | 100% browser-side |
Pack 10: €99 per product. Pack 30: €79 per product. For private-label sellers and trading companies with large EU-bound catalogues, contact us.
Request volume pricingCRACheck generates a structured document set according to Art. 31 and Annex VII of Regulation (EU) 2024/2847 based on the information you provide. As white-label manufacturer, the accuracy of the data — including engineering specifications received from your contract manufacturer — is your responsibility under Art. 13(1).
We guarantee that the document structure follows Art. 31 and Annex VII and that the legal references cited are correct. We do not guarantee that a specific product will pass a market surveillance authority inspection or a marketplace compliance review.
CRACheck is not legal advice. For questions about manufacturer status in specific OEM/ODM arrangements, consult a qualified EU product compliance lawyer.
Art. 3(13) makes the brand owner the manufacturer. CRACheck generates the Art. 31 documentation under your brand. Eight documents. €149 per product. Browser-side. No factory data leaves your device.