CRA in EU Enterprise RFPs — SaaS Compliance Documentation

Key numbers

Art. 19(2)(b)

EU importers must verify manufacturer has produced technical documentation before market placement

15 min

Time to generate the documentation your EU prospect's procurement team requires

€149

Cost to unblock a deal that might be worth six or seven figures

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Receive the RFP

Your EU prospect includes a CRA compliance section. Typical questions: "Has the manufacturer produced technical documentation per Art. 31?", "Is a declaration of conformity available?", "What is your vulnerability disclosure policy?"

Open CRACheck

Enter your product details: name, version, architecture, security controls. CRACheck structures the documentation your prospect expects.

Classify your product

The Product Classifier determines your Annex III category and applicable conformity assessment procedure. This information answers the classification question in the RFP.

Generate the dossier

8 documents covering every CRA compliance area the procurement team can ask about: technical documentation, risk assessment, conformity declaration, user information, CVD policy.

Attach to your RFP response

Include the relevant PDFs in your proposal. The procurement team sees structured documentation, not a promise to "work on compliance."

Close the deal

Your competitor without CRA documentation gets flagged as a compliance risk. You move to the next evaluation round.

Common mistakes

❌

COMMERCIAL REALITY

"We will respond that CRA enforcement does not start until 2027, so compliance is not required yet"

Procurement teams evaluate vendors on readiness, not on enforcement dates. An RFP that asks about CRA compliance in 2026 is a signal that the buyer is building their supply chain for post-2027 compliance. Responding with "not yet required" tells the buyer you are not planning ahead. Your competitor who submits Article 31 documentation wins the evaluation.

❌

DOCUMENT MISMATCH

"Our SOC 2 Type II report should satisfy the CRA section of the RFP"

SOC 2 covers your organization's security controls per AICPA Trust Services Criteria. CRA requires product-specific documentation per Article 31 + Annex VII of Regulation (EU) 2024/2847: product design, cybersecurity risk assessment, declaration of conformity, user information. They are different documents answering different questions. The EU procurement team knows the difference.

❌

MANUFACTURER OBLIGATION

"We will ask our EU reseller to handle the CRA compliance part"

Your EU reseller is the importer or distributor. Under Article 19(2)(b), the importer must verify that the manufacturer has produced the documentation — not produce it themselves. The RFP is asking about the manufacturer's documentation. That is your documentation. You produce it.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Annex III classification document. Answers the RFP question: "What is the product's CRA classification?"

Technical Documentation

Art. 31 + Annex VII dossier. The primary document EU procurement teams request.

Risk Assessment

Per Article 13(2)-(3). Answers: "Has the manufacturer conducted a cybersecurity risk assessment?"

User Information

Annex II. Answers: "What security information is provided to users?"

Declaration of Conformity

Art. 28 + Annex V. Answers: "Is a formal declaration of CRA conformity available?"

CVD Policy

Annex I, Part II. Answers: "What is the manufacturer's vulnerability disclosure policy?"

Notification Template

Art. 14. Demonstrates: "The manufacturer has incident notification procedures.". Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

Shows: "The manufacturer tracks CRA milestones proactively."

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 LOSE THE DEAL OR WAIT

$50K–$500K+

Revenue impact of a single enterprise contract. Or delay the deal by 8-16 weeks while a law firm produces documentation. Meanwhile, a CRA-ready competitor advances.

✓ CRACHECK

€149

€149. 15 minutes. Documentation attached to your RFP response before the submission deadline. The deal stays on track.

Two layers

● LAYER 1

Documentation (CRACheck)

Produces the CRA compliance documentation that unblocks the procurement evaluation. Technical documentation, risk assessment, declaration of conformity, CVD policy — everything the RFP section asks for, in structured PDF format.

∅ LAYER 2

What CRACheck does NOT do

Does not prepare your full RFP response. Does not negotiate contract terms. Does not provide legal representations about your product's compliance. Does not substitute for your sales team's relationship with the buyer.

CRACheck fills the CRA section of the RFP. Your sales team handles the rest.

Enforcement regime

Article 64 of Regulation (EU) 2024/2847.

🔴

Essential requirements + manufacturer obligations (Art. 64(2))

€15,000,000 / 2.5%

Essential requirements / manufacturer obligations.

🟠

Documentation and conformity obligations (Art. 64(3))

€10,000,000 / 2%

Documentation and conformity obligations.

🟡

Misleading information (Art. 64(4))

€5,000,000 / 1%

Misleading information to authorities.

Alternatives

Criteria	Wait for enforcement	Hire EU law firm	Internal legal team	CRACheck
Deal impact	Lost/delayed	Delayed 8-16 weeks	Delayed 4-8 weeks	No delay — same day
Cost	Revenue lost	€15,000-€25,000	Staff hours ($30K+)	€149
Procurement-ready format	No	Varies	Varies	Yes — 8 structured PDFs
Reusable across RFPs	N/A	Partially	Partially	Yes — per product

Your sales pipeline includes multiple products for EU enterprise customers?

Each product mentioned in an EU RFP needs its own CRA documentation. If your product portfolio includes 5 modules sold separately, each needs an Article 31 dossier. Volume pricing: 10 products at €99 each, 30 at €79 each.

Request Volume Pricing

Response within 24 business hours.

What CRACheck guarantees and what it does not

CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy of that information is your responsibility as the manufacturer.

We guarantee the document structure follows Article 31 + Annex VII and that legal references cited are correct. We do not guarantee that a specific procurement team will accept the documentation or award the contract.

CRACheck is not legal advice. For procurement-specific legal questions or contract clause interpretation, consult your legal team.

Frequently asked questions

EU procurement teams are asking about CRA compliance now. Is this premature?

No. EU enterprise buyers are building compliant supply chains ahead of the December 2027 enforcement date. Article 19 of Regulation (EU) 2024/2847 will require importers to verify manufacturer compliance before market placement. Procurement teams are aligning their vendor evaluation criteria with upcoming obligations. Vendors who cannot demonstrate CRA readiness risk exclusion from shortlists starting now.

Can we submit CRACheck documentation as part of an RFP response?

Yes. CRACheck generates structured PDFs that can be included as appendices to your proposal. The Product Classifier, Technical Documentation, Declaration of Conformity, and CVD Policy are the documents most commonly requested in CRA compliance sections of EU enterprise RFPs.

Will CRA documentation replace our SOC 2 report in EU procurement?

No. SOC 2 and CRA documentation serve different purposes. SOC 2 attests to organizational security controls. CRA documentation covers product-specific cybersecurity requirements under Regulation (EU) 2024/2847. EU procurement teams are likely to request both: SOC 2 for your operational security posture and CRA documentation for the specific product being procured.

Our product is sold through a US-based channel partner who resells to EU customers. Who needs CRA documentation?

The manufacturer — you. Article 13 of Regulation (EU) 2024/2847 places the documentation obligation on the entity that designed and developed the product. Your channel partner, if they import the product into the EU, has importer obligations under Article 19, which include verifying that your documentation exists. The procurement team's CRA questions are ultimately directed at the manufacturer.

We have a pending deal that requires CRA documentation within two weeks. Can CRACheck meet that timeline?

CRACheck generates the 8-document dossier in 15-25 minutes. You can produce, review, and deliver CRA documentation to your prospect within a single business day. The tool is available immediately — no onboarding, no consultation scheduling, no waiting for a law firm's availability.

Is CRACheck a subscription?

No. One-time payment. 30 days of editing, 10 regenerations. The PDF is yours to keep.

Can I request a refund?

Per Article 16(m) of Directive (EU) 2011/83, activating the license constitutes express consent for immediate digital content generation. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate with the updated version at no additional cost during your license period.

Official legal sources

Regulation (EU) 2024/2847 — Cyber Resilience Act

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.