Does Annex II information need to be printed on the product packaging?

Annex II states that the product "shall be accompanied by" the information, but does not prescribe a specific medium. The information can be provided in printed form, digitally (via a product page, QR code, or in-app), or in the product documentation. The key requirement is that it reaches the user before or at the time the product is made available.

Is the SBOM availability (Annex II §9) mandatory?

Annex II point (9) uses the conditional "if the manufacturer decides to make available the software bill of materials to the user." Making the SBOM available to users is optional. Making the SBOM available to market surveillance authorities upon reasoned request under Annex VII point (8) is not optional.

What language must the Annex II information be in?

The information must be in a language that can be easily understood by users, typically the official language(s) of the Member State where the product is placed on the market. CRACheck generates the information in English; you should translate it for specific national markets.

Does the support period end-date need to be on the product itself?

Article 13(19) of Regulation (EU) 2024/2847 requires the support period end-date to be indicated "at the time of purchase, in a clear and understandable manner, on the packaging or, where there is no packaging, by means of a label, or, where it is not feasible to affix such label, by means of a notice accompanying the product."

Is this a subscription?

No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Art. 16(m) of Directive (EU) 2011/83, activating the licence constitutes express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only processed for reproducible technical failures.

What if the regulation changes?

If Regulation (EU) 2024/2847 is amended during your licence window, you can regenerate the documentation using the updated version of the generator at no additional cost.

Every product with digital elements placed on the EU market after 11 December 2027 must be accompanied by the 9 data points listed in Annex II of Regulation (EU) 2024/2847. These include manufacturer identification, a vulnerability reporting contact, the support period end-date, and detailed security instructions. Annex VII point (1)(d) also requires that this user information appears in the technical documentation. CRACheck generates the Annex II information sheet as one of the 8 documents in the dossier.

Annex II is not an optional annex. It is referenced by Annex VII point (1)(d) as part of the technical documentation, and it is the information the end user sees. The 9 data points cover: manufacturer identity, vulnerability reporting contact, product identification, intended purpose with security environment, foreseeable cybersecurity risks, link to the EU Declaration of Conformity, support period type and end-date, detailed security instructions (commissioning, lifetime use, update installation, decommissioning, integration for component products), and SBOM availability. CRACheck fills each field from your input and generates a structured information sheet ready for inclusion in product packaging or digital product pages. €149. 15–25 minutes.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key figures

Data points in Annex II

Art. 13

Manufacturer obligation to provide user information

Sub-points under Annex II point (8) covering detailed security instructions

How CRACheck structures the 9 Annex II data points

Manufacturer identification (Annex II §1)

Name, trade name, postal address, email or digital contact, and website.

Vulnerability reporting contact (Annex II §2)

Single point of contact for reporting vulnerabilities and the link to the CVD policy.

Product identification (Annex II §3)

Name, type, and any additional information enabling unique identification.

Intended purpose and security environment (Annex II §4)

Product's intended purpose, essential functionalities, and the security properties the manufacturer provides.

Foreseeable cybersecurity risks (Annex II §5)

Any known or foreseeable circumstances related to use or misuse that may lead to significant cybersecurity risks.

Support period (Annex II §7)

Type of technical security support offered and the end-date of the support period.

Detailed security instructions (Annex II §8)

6 sub-points: (a) secure commissioning, (b) impact of changes on data security, (c) security update installation, (d) secure decommissioning and data removal, (e) how to turn off automatic updates, (f) integration instructions for component products.

Common mistakes

❌

ANNEX II · §7

Omitting the support period end-date

Annex II point (7) requires the manufacturer to state the end-date of the support period during which users can expect to receive security updates. A product page that says "we provide regular updates" without a specific end-date does not comply.

❌

ANNEX II · §2

Not providing a vulnerability reporting contact

Annex II point (2) requires a single point of contact for reporting vulnerabilities and a link to the CVD policy. A generic support email without explicit vulnerability reporting instructions is insufficient.

❌

ANNEX II · §8(d)

Missing decommissioning instructions

Annex II point (8)(d) requires instructions on how to securely decommission the product, including how user data can be securely removed. Products without documented end-of-life data removal procedures fail this requirement.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Identifies the CRA category. The user information requirements apply regardless of classification.

Technical Documentation

Annex VII file. Annex VII §1(d) requires the user information to be embedded in the technical documentation.

Risk Assessment

Cybersecurity risk assessment. Foreseeable risks from the risk assessment feed into Annex II §5.

User Information

The Annex II information sheet. All 9 data points and 6 sub-points of §8, structured for product packaging or digital product pages.

Declaration of Conformity

EU Declaration per Article 28 and Annex V. Annex II §6 requires a link to this Declaration.

CVD Policy

Coordinated vulnerability disclosure policy. Annex II §2 requires a link to this policy.

Notification Template

ENISA/CSIRT notification template per Article 14. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

Key dates including the support period end-date referenced in Annex II §7.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 THE ALTERNATIVE

Internal technical writing team

2–4 weeks to research and draft Annex II-compliant user information

Requires legal review to confirm completeness

Cost embedded in headcount

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history