EU procurement teams are asking about CRA compliance now. Is this premature?

No. EU enterprise buyers are building compliant supply chains ahead of the December 2027 enforcement date. Article 19 of Regulation (EU) 2024/2847 will require importers to verify manufacturer compliance before market placement. Procurement teams are aligning their vendor evaluation criteria with upcoming obligations. Vendors who cannot demonstrate CRA readiness risk exclusion from shortlists starting now.

Can we submit CRACheck documentation as part of an RFP response?

Yes. CRACheck generates structured PDFs that can be included as appendices to your proposal. The Product Classifier, Technical Documentation, Declaration of Conformity, and CVD Policy are the documents most commonly requested in CRA compliance sections of EU enterprise RFPs.

Will CRA documentation replace our SOC 2 report in EU procurement?

No. SOC 2 and CRA documentation serve different purposes. SOC 2 attests to organizational security controls. CRA documentation covers product-specific cybersecurity requirements under Regulation (EU) 2024/2847. EU procurement teams are likely to request both: SOC 2 for your operational security posture and CRA documentation for the specific product being procured.

Our product is sold through a US-based channel partner who resells to EU customers. Who needs CRA documentation?

The manufacturer — you. Article 13 of Regulation (EU) 2024/2847 places the documentation obligation on the entity that designed and developed the product. Your channel partner, if they import the product into the EU, has importer obligations under Article 19, which include verifying that your documentation exists. The procurement team's CRA questions are ultimately directed at the manufacturer.

We have a pending deal that requires CRA documentation within two weeks. Can CRACheck meet that timeline?

CRACheck generates the 8-document dossier in 15-25 minutes. You can produce, review, and deliver CRA documentation to your prospect within a single business day. The tool is available immediately — no onboarding, no consultation scheduling, no waiting for a law firm's availability.

Is CRACheck a subscription?

No. One-time payment. 30 days of editing, 10 regenerations. The PDF is yours to keep.

Can I request a refund?

Per Article 16(m) of Directive (EU) 2011/83, activating the license constitutes express consent for immediate digital content generation. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate with the updated version at no additional cost during your license period.

Your EU enterprise prospect just sent an RFP with a section titled "Cyber Resilience Act Compliance." Your sales team does not know what to put there. The procurement team on the other side does — they need to verify that your product has technical documentation under Article 31 of Regulation (EU) 2024/2847. CRACheck generates that documentation in 15 minutes.

European enterprise procurement departments are incorporating CRA compliance checks into their vendor evaluation processes. Article 19 of the Cyber Resilience Act requires EU importers to verify that manufacturers have produced technical documentation before placing products on the market. In practice, this means your EU buyer will ask for proof of documentation — not a verbal assurance, but the actual Article 31 + Annex VII dossier. CRACheck generates 8 structured documents in 15-25 minutes for €149 per product. The documentation travels with your sales proposal. The deal closes on schedule.

Generate CRA documentation — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

Art. 19(2)(b)

EU importers must verify manufacturer has produced technical documentation before market placement

15 min

Time to generate the documentation your EU prospect's procurement team requires

€149

Cost to unblock a deal that might be worth six or seven figures

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Receive the RFP

Your EU prospect includes a CRA compliance section. Typical questions: "Has the manufacturer produced technical documentation per Art. 31?", "Is a declaration of conformity available?", "What is your vulnerability disclosure policy?"

Open CRACheck

Enter your product details: name, version, architecture, security controls. CRACheck structures the documentation your prospect expects.

Classify your product

The Product Classifier determines your Annex III category and applicable conformity assessment procedure. This information answers the classification question in the RFP.

Generate the dossier

8 documents covering every CRA compliance area the procurement team can ask about: technical documentation, risk assessment, conformity declaration, user information, CVD policy.

Attach to your RFP response

Include the relevant PDFs in your proposal. The procurement team sees structured documentation, not a promise to "work on compliance."

Close the deal

Your competitor without CRA documentation gets flagged as a compliance risk. You move to the next evaluation round.

Common mistakes

❌

COMMERCIAL REALITY

"We will respond that CRA enforcement does not start until 2027, so compliance is not required yet"

Procurement teams evaluate vendors on readiness, not on enforcement dates. An RFP that asks about CRA compliance in 2026 is a signal that the buyer is building their supply chain for post-2027 compliance. Responding with "not yet required" tells the buyer you are not planning ahead. Your competitor who submits Article 31 documentation wins the evaluation.

❌

DOCUMENT MISMATCH

"Our SOC 2 Type II report should satisfy the CRA section of the RFP"

SOC 2 covers your organization's security controls per AICPA Trust Services Criteria. CRA requires product-specific documentation per Article 31 + Annex VII of Regulation (EU) 2024/2847: product design, cybersecurity risk assessment, declaration of conformity, user information. They are different documents answering different questions. The EU procurement team knows the difference.

❌

MANUFACTURER OBLIGATION

"We will ask our EU reseller to handle the CRA compliance part"

Your EU reseller is the importer or distributor. Under Article 19(2)(b), the importer must verify that the manufacturer has produced the documentation — not produce it themselves. The RFP is asking about the manufacturer's documentation. That is your documentation. You produce it.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Annex III classification document. Answers the RFP question: "What is the product's CRA classification?"

Technical Documentation

Art. 31 + Annex VII dossier. The primary document EU procurement teams request.

Risk Assessment

Per Article 13(2)-(3). Answers: "Has the manufacturer conducted a cybersecurity risk assessment?"

User Information

Annex II. Answers: "What security information is provided to users?"

Declaration of Conformity

Art. 28 + Annex V. Answers: "Is a formal declaration of CRA conformity available?"

CVD Policy

Annex I, Part II. Answers: "What is the manufacturer's vulnerability disclosure policy?"

Notification Template

Art. 14. Demonstrates: "The manufacturer has incident notification procedures.". Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

Shows: "The manufacturer tracks CRA milestones proactively."

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 LOSE THE DEAL OR WAIT

$50K–$500K+

Revenue impact of a single enterprise contract. Or delay the deal by 8-16 weeks while a law firm produces documentation. Meanwhile, a CRA-ready competitor advances.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history