The CRA cybersecurity risk assessment is distinct from NIST RMF, ISO 27005, or your existing enterprise risk management process. Article 13(2)-(3) requires a per-product analysis covering threats, attack vectors, and mitigations mapped to the essential cybersecurity requirements in Annex I, Part I (product security) and Part II (vulnerability handling). The assessment must be included in the technical documentation under Article 31 and Annex VII. CRACheck generates the structured risk assessment as part of the 8-document dossier in 15-25 minutes for €149. The template follows the CRA structure, not NIST or ISO.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.
NIST CSF assesses organizational cybersecurity posture across five functions (Identify, Protect, Detect, Respond, Recover). The CRA requires a product-specific risk assessment mapped to the essential requirements in Annex I, Part I and Part II. Different scope (organization vs. product), different structure (NIST functions vs. CRA annex requirements), different legal basis (voluntary framework vs. EU regulation). Adapting one for the other produces a misaligned document.
A penetration test identifies specific vulnerabilities in a deployed system. A CRA risk assessment per Article 13(2)-(3) evaluates cybersecurity risks during the planning, design, development, production, delivery, and maintenance phases. The risk assessment is a design-time document covering threat modeling, mitigation strategy, and residual risk acceptance. Penetration testing may inform the assessment but does not replace it.
Article 13(3) requires the risk assessment to be "documented and updated as appropriate during a support period." New threats, new attack techniques, new vulnerabilities in dependencies, and changes to your product architecture all require reassessment. The risk assessment is a living document maintained for the support period, not a one-time exercise.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Annex III classification that determines the conformity assessment path and informs the risk assessment scope.
Art. 31 + Annex VII dossier with the risk assessment integrated as a core component per Article 13(4).
The primary deliverable: structured cybersecurity risk analysis per Article 13(2)-(3), mapped to every applicable requirement in Annex I, Part I and Part II. Covers intended purpose, foreseeable use, operational environment, threat identification, mitigation measures, and residual risk.
Annex II including residual risk disclosure to users — directly linked to the risk assessment findings.
Art. 28 + Annex V. The declaration's validity depends on the risk assessment demonstrating compliance with essential requirements.
Directly addresses Annex I, Part II requirements for vulnerability handling assessed in the risk assessment.
Art. 14. The incident notification process is a risk mitigation measure documented in the assessment. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
Risk assessment update triggers, support period milestones, and reassessment schedule.
Look before you buy — Download a sample dossier (PDF, fictitious company) — Real structure, real articles, real format. Fictitious data.
Generated from your data, in your browser. No data leaves your device.
Generates the structured cybersecurity risk assessment per Article 13(2)-(3), mapped to Annex I, Part I and Part II. Integrated within the Article 31 technical documentation alongside declaration of conformity, user information, and vulnerability handling policies.
Does not perform actual threat modeling workshops. Does not run vulnerability scans. Does not test your security controls. Does not verify your claims. The risk assessment documents what you declare — the engineering work that validates those declarations is yours.
CRACheck structures the risk assessment. Your security team validates the substance. Both are required for CRA compliance.
Article 64 of Regulation (EU) 2024/2847.
Explicitly covers non-compliance with Article 13 obligations, which include the risk assessment.
Covers documentation obligations under Article 31.
Misleading risk assessment content provided to authorities.
| Criteria | Cybersecurity risk firm | GRC platform template | NIST RMF adaptation | CRACheck |
|---|---|---|---|---|
| Time | 4-10 weeks | Self-guided (weeks) | Weeks of mapping | 15-25 minutes |
| Cost per product | €8,000-€20,000 | $5,000-$15,000/yr | Staff hours | €149 |
| Maps to Annex I Part I/II | If specified | No (wrong framework) | No (wrong framework) | Yes — every requirement |
| Includes supporting docs | Separate scope | No | No | Yes — 8 documents |
Article 13(2) requires a per-product cybersecurity risk assessment. If your company operates 5 SaaS products, each needs its own assessment. Volume pricing: 10 products at €99, 30 at €79.
CRACheck generates a structured risk assessment document according to Article 13(2)-(3) and Annex I of Regulation (EU) 2024/2847 from the information you provide. The accuracy and completeness of that information are your responsibility as the manufacturer.
We guarantee that the risk assessment structure maps to Annex I, Part I and Part II, and that the legal references cited are correct. We do not guarantee that a specific risk assessment will be accepted by a market surveillance authority.
CRACheck is not legal advice. For complex risk scenarios or high-classification products, engage a qualified cybersecurity risk professional.
Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.