Article 7(1) of the Cyber Resilience Act defines Important products as those whose core functionality matches a category in Annex III. The classification is not voluntary — it is determined by the product's function, not its marketing label. Class I products under Article 32(2) can still use Module A self-assessment if they apply harmonised standards, common specifications, or a European cybersecurity certification scheme in full. If they do not, they must use Module B+C or Module H with a notified body. Class II products under Article 32(3) must always use Module B+C, Module H, or a European cybersecurity certification scheme at assurance level "substantial" — Module A is never available. CRACheck classifies your product and generates the documentation accordingly. €149. 15–25 minutes. 8 PDFs.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
Classification under the CRA is not a label you choose. It is determined by the core functionality of your product against the categories listed in Annex III and Annex IV. CRACheck runs this classification automatically.
Article 7(1) defines Important products by their "core functionality" matching a category in Annex III. A product marketed as a "home hub" may fall under Class I category 16 (smart home general purpose virtual assistants) or category 17 (smart home products with security functionalities) regardless of its brand positioning. Classification follows function, not label.
Article 32(2) allows Module A for Class I products only if the manufacturer applies harmonised standards, common specifications, or a European cybersecurity certification scheme in full. If the manufacturer has not applied any of these — or applied them only in part — the product must go through Module B+C or Module H with a notified body.
Article 7(1) second sentence states that the integration of a product with digital elements which has the core functionality of an Annex III category "shall not in itself render the product in which it is integrated subject to the conformity assessment procedures referred to in Article 32(2) and (3)." The classification applies to the component, not automatically to the final product.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Automated cross-reference against Annex III Class I (19 categories), Class II (4 categories), and Annex IV Critical (3 categories). Output: Default, Important Class I, Important Class II, or Critical, with the matched category and rationale.
Annex VII file with the classification embedded in the product description section and the conformity assessment path recorded.
Cybersecurity risk assessment per Article 13(2)–(3), structured against Annex I. The assessment depth reflects the classification level.
Annex II information sheet. Includes the support period end-date and the security update type per Annex I Part I point (2)(c).
EU Declaration per Article 28 and Annex V. Cites the applicable conformity assessment procedure (Module A, B+C, or H) matching the product classification.
Coordinated vulnerability disclosure policy per Annex I Part II point (5).
ENISA/CSIRT notification template per Article 14 (24h/72h/14d).
Key dates including conformity assessment deadlines relative to 11 December 2027.
See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.
Generated from your data, in your browser. No data leaves your device.
CRACheck classifies your product against Annex III and Annex IV, identifies the conformity assessment procedures available under Article 32, generates the Annex VII technical documentation with the classification embedded, and produces the EU Declaration of Conformity citing the correct module.
CRACheck does not perform the conformity assessment procedure itself. For Class II and Critical products, the Module B+C or Module H assessment must be performed by a notified body designated under Article 39 of Regulation (EU) 2024/2847. CRACheck produces the documentation the notified body will review — it does not replace the notified body.
Documentation first, then assessment. The notified body needs your Annex VII file. CRACheck generates it.
Non-compliance with Annex I essential requirements and Art. 13/14 obligations.
Non-compliance with Art. 28 (Declaration of Conformity), Art. 31 (technical documentation), Art. 32 (conformity assessment procedures). Applying the wrong conformity assessment module falls here.
Supplying incorrect or misleading information to notified bodies or market surveillance authorities. A misclassification that leads to the wrong conformity path could trigger this.
| Criterio | Regulatory consultancy | Internal classification | CRACheck | |
|---|---|---|---|---|
| Price | €8,000–20,000 | Internal headcount | €149/product | |
| Classification method | Manual expert review | Manual reading of Annex III | Automated cross-reference (23 categories) | |
| Delivery | 6–16 weeks | Varies | 15–25 minutes | |
| Output | Classification memo + gap analysis | Internal memo | 8 PDFs with classification embedded | |
| Conformity path | Identified manually | Identified manually | Auto-identified per Art. 32 | |
| CRACheck | €149 | Automated | 8 PDFs | Art. 32 |
If your portfolio spans routers, firewalls, and smart home devices — each falling into a different Annex III category — contact us for volume pricing. Pack of 10: €99 per product. Pack of 30: €79 per product.
Request volume pricingCRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847, based on the information you enter. The accuracy, completeness, and truthfulness of that information is your responsibility as manufacturer.
We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case.
CRACheck is not legal advice. For situations specific to your product or market, consult a qualified lawyer or specialised regulatory consultancy.
CRACheck classifies your product against Annex III and IV, identifies the conformity assessment module, and generates the full 8-document dossier. €149 per product. Browser-side.