CRA for US Booking & Reservation Platforms

Key numbers

Art. 3(1)

Mobile app + embeddable widget = products with digital elements under CRA

Annex I

Data confidentiality + system availability = essential requirements for booking platforms

€149

Full 8-document CRA dossier per product

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Define your product

Booking platform name, components (mobile app, embeddable widget, API, cloud engine), and distribution channels (App Store, Google Play, JavaScript embed).

Classify under Annex III

Booking platforms typically classify as Default. No privileged system functions. CRACheck confirms.

Describe data flows

Consumer personal data (name, email, phone, payment), booking records, calendar integrations, and third-party payment gateway connections.

Map security architecture

Payment processing, PCI DSS controls if applicable, API authentication, widget sandboxing, and data encryption.

Generate risk assessment

Booking-specific threats: payment data theft, reservation manipulation, personal data scraping through widget vulnerabilities, API abuse for mass booking attacks, and consumer account takeover.

Produce 8 documents

Technical documentation, risk assessment, declaration of conformity, user information (for business clients and consumers), CVD policy, ENISA template, obligations calendar.

Present to EU clients

Documentation accompanies your vendor agreement. European hospitality clients see structured CRA compliance alongside your PCI DSS attestation.

Common mistakes

❌

MANUFACTURER IDENTITY

"Our embeddable widget runs in our client's website — they are responsible"

You developed the widget. You are the manufacturer under Article 3(13). The widget is software placed on the EU market when your client embeds it in their website. Your client embeds it; you manufactured it. Documentation obligations rest with the manufacturer.

❌

PRODUCT DEFINITION

"Booking platforms are services, not products"

If your platform distributes any installable or embeddable code — a mobile app, a JavaScript widget, an API client — that code is a product with digital elements under Article 3(1). The "service" framing does not create a CRA exemption when downloadable components exist.

❌

STANDARD MISMATCH

"We already comply with PCI DSS for payment handling"

PCI DSS governs cardholder data environments. CRA governs product cybersecurity documentation, risk assessment, and conformity declaration. Different scope, different deliverables. PCI DSS does not produce an Article 31 technical dossier.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Default classification confirmation for booking platform software.

Technical Documentation

Art. 31 + Annex VII: mobile app, embeddable widget, cloud booking engine, payment integrations, and calendar API connections.

Risk Assessment

Booking-specific: payment fraud, reservation tampering, personal data exposure through widget, API rate limiting, and availability threats during peak booking periods.

User Information

Annex II for business clients and consumers: security properties, data handling, update policy, and incident contact.

Declaration of Conformity

Art. 28 + Annex V.

CVD Policy

Vulnerability disclosure policy for booking platform: widget security reports, API vulnerability reports, payment handling issues.

Notification Template

ENISA template per Article 14 for booking platform incidents. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

CRA milestones and platform support period.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 HOSPITALITY TECH CONSULTANT

€10,000–€20,000

6-12 weeks.

✓ CRACHECK

€149

€149. 15–25 min. 8 documents. Mobile app, widget, and cloud engine covered in one dossier.

Two layers

● LAYER 1

Documentation (CRACheck)

Generates CRA documentation for your booking platform covering all components: mobile app, widget, API, and cloud engine.

∅ LAYER 2

What CRACheck does NOT do

Does not test your payment processing. Does not audit your widget security. Does not verify PCI DSS compliance. Does not load-test your booking engine.

CRACheck documents. Your engineering validates. Both needed.

Enforcement regime

Article 64 of Regulation (EU) 2024/2847.

🔴

Essential requirements + manufacturer obligations (Art. 64(2))

€15,000,000 / 2.5%

Non-compliance with essential requirements or manufacturer obligations.

🟠

Documentation and conformity obligations (Art. 64(3))

€10,000,000 / 2%

Missing documentation or conformity assessment.

🟡

Misleading information (Art. 64(4))

€5,000,000 / 1%

Misleading information to authorities.

Alternatives

Criteria	Hospitality tech consultant	Generic CRA consultant	DIY	CRACheck
Time	6-12 weeks	8-16 weeks	Weeks	15-25 minutes
Cost	€10,000-€20,000	€10,000-€20,000	Staff hours	€149
Covers app + widget + cloud	If briefed	Partially	If capable	Yes
CRA-specific output	Custom report	Custom report	DIY	8 PDFs

Your booking platform includes multiple products?

Hotel booking engine, restaurant reservation module, event ticketing system — each separately marketed product needs its own dossier. Volume: 10 at €99, 30 at €79.

Request Volume Pricing

Response within 24 business hours.

What CRACheck guarantees and what it does not

CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy of that information is your responsibility as the manufacturer.

We guarantee document structure follows Article 31 + Annex VII and legal references are correct.

CRACheck is not legal advice.

Frequently asked questions

Our booking widget is embedded on thousands of EU hotel websites. Who is the manufacturer?

You developed the widget. You are the manufacturer under Article 3(13) of Regulation (EU) 2024/2847. Each hotel embedding the widget is using a product with digital elements supplied by you. One Article 31 dossier for the widget product covers all deployments.

We process bookings for EU consumers. Does GDPR overlap with CRA?

GDPR governs personal data processing (lawful basis, data subject rights, DPA). CRA governs product cybersecurity (documentation, risk assessment, conformity). Both apply. CRACheck covers CRA documentation. GDPR compliance requires separate deliverables from your DPO.

Our mobile app processes payments through Stripe. Are we responsible for Stripe's CRA compliance?

Article 13(5) requires due diligence on third-party components. You document Stripe SDK integration in your technical documentation and assess the risks it introduces. You are not responsible for Stripe's CRA compliance, but you are responsible for secure integration.

Peak season availability is critical for our hotel clients. Does CRA address availability?

Annex I, Part I of Regulation (EU) 2024/2847 includes availability as an essential cybersecurity requirement. Your risk assessment should address availability threats: DDoS attacks during peak season, infrastructure failures, and API overload scenarios.

We offer a white-label booking engine. Who is the CRA manufacturer?

If you develop the software and a hotel chain rebrands it without substantial modification, you remain the manufacturer under Article 3(13). The hotel chain using your white-label product does not become the manufacturer unless they substantially modify it per Article 22.

Is CRACheck a subscription?

No. One-time payment. 30 days of editing, 10 regenerations. The PDF is yours to keep.

Can I request a refund?

Per Article 16(m) of Directive (EU) 2011/83, activating the license constitutes express consent for immediate generation. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate at no additional cost during your license period.

Official legal sources

Regulation (EU) 2024/2847 — Cyber Resilience Act

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.