The white-label model concentrates legal responsibility on the brand owner. Regulation (EU) 2024/2847 makes this explicit: Article 21 states that an importer or distributor who places a product on the market under its own name or trademark becomes the manufacturer and assumes Article 13 obligations. Your EU brand client is now the manufacturer — and Article 13(5) requires them to verify the cybersecurity of the software you provide. In practice, the brand's compliance team will send you a documentation request referencing Annex VII. The first time this happens, you scramble. CRACheck ensures you do not have to. 8 documents. 15–25 minutes. €149 per product. 100% browser-side.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
Correct that the EU brand is the manufacturer under Article 3(1) and Article 21 of Regulation (EU) 2024/2847. But Article 13(5) requires the manufacturer to exercise due diligence on your component. The manufacturer fulfils this obligation by requesting documentation from you. If you cannot provide it, the manufacturer either documents your software themselves (at your cost) or finds another white-label provider.
Regulation (EU) 2024/2847 applies from 11 December 2027 regardless of contract terms. European brand owners are updating their supplier agreements now. If your contract does not yet include a CRA clause, it will at the next renewal. Being ready with documentation before the clause appears strengthens your position.
If the underlying software is identical across all brands, one set of Annex VII documentation for the core platform may suffice. But if each brand has custom features, integrations, or configurations that affect the cybersecurity profile, each variant may need its own documentation. CRACheck documents the core platform. Brand-specific addenda are the brand's responsibility.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Classification for the white-label product category under Annex III/IV.
Annex VII for the core platform architecture: backend, APIs, data model, third-party integrations.
Art. 13(2) risk assessment for the core platform's cybersecurity threat model.
Annex II. Integration documentation for the brand: configuration options, security settings, support period.
Art. 28 + Annex V. The EU brand signs as manufacturer.
Annex I Part II §5. Core platform vulnerability disclosure process.
Art. 14 ENISA notification for platform-level vulnerabilities. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
Enforcement dates.
Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.
Generated from your data, in your browser. No data leaves your device.
Documents the core white-label platform under Annex VII. 8 PDFs. 15–25 minutes. €149. The deliverable the EU brand's compliance team needs.
Does not document brand-specific customisations or integrations. Does not perform the conformity assessment (Art. 32) for any specific branded product. Does not advise on white-label contract terms.
We document the platform. Each brand documents their customisations.
Article 64 of Regulation (EU) 2024/2847.
Art. 64(2). Applied to the EU brand as manufacturer. Contractual liability flows back to the white-label provider.
Art. 64(3). Undocumented white-label components are the manufacturer's first vulnerability in an audit.
Art. 64(4).
| Alternative | Cost | What you get |
|---|---|---|
| EU compliance consultant | €10,000–€20,000 | Full supply chain review. 3–6 months. |
| EU brand documents your software themselves | €0 to you (but brand sees your internals) | Loss of IP control. Brand questions your competence. |
| No documentation | €0 | Brand finds another white-label provider with CRA readiness. |
| CRACheck | €149 | 8 documents. 15–25 min. You deliver on your terms. |
If the core platform is identical, one CRACheck licence documents it. If variants exist with different cybersecurity profiles, each needs its own dossier. Contact us to discuss your model.
Request Volume PricingCRACheck generates a structured document under Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy of the information is your responsibility as the technology provider.
We guarantee the document structure follows Annex VII and the legal references are correct. We do not guarantee acceptance by a market surveillance authority or by a specific EU brand partner.
CRACheck is not legal advice. For white-label contract terms and CRA liability allocation, consult a qualified lawyer.
Eight documents. Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.