Our booking widget is embedded on thousands of EU hotel websites. Who is the manufacturer?

You developed the widget. You are the manufacturer under Article 3(13) of Regulation (EU) 2024/2847. Each hotel embedding the widget is using a product with digital elements supplied by you. One Article 31 dossier for the widget product covers all deployments.

We process bookings for EU consumers. Does GDPR overlap with CRA?

GDPR governs personal data processing (lawful basis, data subject rights, DPA). CRA governs product cybersecurity (documentation, risk assessment, conformity). Both apply. CRACheck covers CRA documentation. GDPR compliance requires separate deliverables from your DPO.

Our mobile app processes payments through Stripe. Are we responsible for Stripe's CRA compliance?

Article 13(5) requires due diligence on third-party components. You document Stripe SDK integration in your technical documentation and assess the risks it introduces. You are not responsible for Stripe's CRA compliance, but you are responsible for secure integration.

Peak season availability is critical for our hotel clients. Does CRA address availability?

Annex I, Part I of Regulation (EU) 2024/2847 includes availability as an essential cybersecurity requirement. Your risk assessment should address availability threats: DDoS attacks during peak season, infrastructure failures, and API overload scenarios.

We offer a white-label booking engine. Who is the CRA manufacturer?

If you develop the software and a hotel chain rebrands it without substantial modification, you remain the manufacturer under Article 3(13). The hotel chain using your white-label product does not become the manufacturer unless they substantially modify it per Article 22.

Is CRACheck a subscription?

No. One-time payment. 30 days of editing, 10 regenerations. The PDF is yours to keep.

Can I request a refund?

Per Article 16(m) of Directive (EU) 2011/83, activating the license constitutes express consent for immediate generation. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate at no additional cost during your license period.

Your reservation platform powers hotel bookings, restaurant reservations, or appointment scheduling for European businesses. The consumer-facing mobile app and the embeddable booking widget are products with digital elements under Article 3(1) of Regulation (EU) 2024/2847. The cloud reservation engine is remote data processing under Article 3(2). European hospitality clients are starting to include CRA in vendor contracts. CRACheck generates the documentation they expect.

Booking and reservation platforms handle personal data (names, emails, phone numbers, payment details) and operate in a high-availability environment where downtime means lost revenue for your clients. Article 13 of Regulation (EU) 2024/2847 requires the manufacturer to produce technical documentation, assess cybersecurity risks — including data confidentiality and system availability per Annex I — and declare conformity. CRACheck generates the 8-document dossier in 15-25 minutes for €149. The mobile app, the embeddable widget, and the cloud engine are documented as one regulated product.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

Art. 3(1)

Mobile app + embeddable widget = products with digital elements under CRA

Annex I

Data confidentiality + system availability = essential requirements for booking platforms

€149

Full 8-document CRA dossier per product

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Define your product

Booking platform name, components (mobile app, embeddable widget, API, cloud engine), and distribution channels (App Store, Google Play, JavaScript embed).

Classify under Annex III

Booking platforms typically classify as Default. No privileged system functions. CRACheck confirms.

Describe data flows

Consumer personal data (name, email, phone, payment), booking records, calendar integrations, and third-party payment gateway connections.

Map security architecture

Payment processing, PCI DSS controls if applicable, API authentication, widget sandboxing, and data encryption.

Generate risk assessment

Booking-specific threats: payment data theft, reservation manipulation, personal data scraping through widget vulnerabilities, API abuse for mass booking attacks, and consumer account takeover.

Produce 8 documents

Technical documentation, risk assessment, declaration of conformity, user information (for business clients and consumers), CVD policy, ENISA template, obligations calendar.

Present to EU clients

Documentation accompanies your vendor agreement. European hospitality clients see structured CRA compliance alongside your PCI DSS attestation.

Common mistakes

❌

MANUFACTURER IDENTITY

"Our embeddable widget runs in our client's website — they are responsible"

You developed the widget. You are the manufacturer under Article 3(13). The widget is software placed on the EU market when your client embeds it in their website. Your client embeds it; you manufactured it. Documentation obligations rest with the manufacturer.

❌

PRODUCT DEFINITION

"Booking platforms are services, not products"

If your platform distributes any installable or embeddable code — a mobile app, a JavaScript widget, an API client — that code is a product with digital elements under Article 3(1). The "service" framing does not create a CRA exemption when downloadable components exist.

❌

STANDARD MISMATCH

"We already comply with PCI DSS for payment handling"

PCI DSS governs cardholder data environments. CRA governs product cybersecurity documentation, risk assessment, and conformity declaration. Different scope, different deliverables. PCI DSS does not produce an Article 31 technical dossier.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Default classification confirmation for booking platform software.

Technical Documentation

Art. 31 + Annex VII: mobile app, embeddable widget, cloud booking engine, payment integrations, and calendar API connections.

Risk Assessment

Booking-specific: payment fraud, reservation tampering, personal data exposure through widget, API rate limiting, and availability threats during peak booking periods.

User Information

Annex II for business clients and consumers: security properties, data handling, update policy, and incident contact.

Declaration of Conformity

Art. 28 + Annex V.

CVD Policy

Vulnerability disclosure policy for booking platform: widget security reports, API vulnerability reports, payment handling issues.

Notification Template

ENISA template per Article 14 for booking platform incidents. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

CRA milestones and platform support period.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 HOSPITALITY TECH CONSULTANT

€10,000–€20,000

6-12 weeks.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history