
Your HR platform processes payroll for European employees. Your mobile app lets them clock in, request time off, and view payslips. That app is a product with digital elements under Article 3(1) of Regulation (EU) 2024/2847. The cloud payroll engine behind it is remote data processing under Article 3(2). Your EU client's procurement team is adding CRA to the vendor assessment checklist alongside GDPR. CRACheck generates the documentation they need to see.

HR and payroll platforms handle some of the most sensitive employee data in any organization: salaries, tax identifiers, bank accounts, personal addresses, health insurance. When that platform includes a downloadable component — a mobile app for employees, a desktop time-tracking agent, an API connector for ERP integration — the product falls within CRA scope. Article 13 of Regulation (EU) 2024/2847 requires the manufacturer to produce technical documentation, conduct a cybersecurity risk assessment, and issue a declaration of conformity. CRACheck generates the 8-document dossier in 15-25 minutes for €149. Your EU client sees structured compliance documentation at the next contract review.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side — your data never leaves your device

Key numbers

Annex I: Essential requirements include data confidentiality, integrity, and minimization — directly relevant to payroll data
€15M: Maximum fine for non-compliance with essential cybersecurity requirements (Art. 64(2))
€149: One-time cost for the full 8-document CRA dossier per product

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

1. Define your product boundary
Mobile app + cloud payroll engine + any desktop agent = one product with digital elements and its remote data processing. CRACheck documents all layers.

2. Classify under Annex III
HR/payroll software typically classifies as Default unless it performs identity management or authentication functions that would trigger Important Class I.

3. Describe sensitive data handling
Payroll data, tax IDs, bank accounts, personal addresses, health insurance records. Map each data category against Annex I, Part I data protection requirements.

4. Document access controls
Role-based access, multi-factor authentication, API key management, SSO integration. These map directly to Annex I essential requirements.

5. Generate risk assessment
HR-specific threats: payroll manipulation, unauthorized salary disclosure, tax ID theft, employee data exfiltration, and insider threats through admin access.

6. Produce 8 documents
Technical documentation, risk assessment, declaration of conformity, user information (for both HR admins and employees), CVD policy, ENISA template, obligations calendar.

7. Present at contract renewal
Your EU client's procurement team reviews CRA documentation alongside your GDPR DPA and SOC 2 report.

Common mistakes

REGULATION OVERLAP

"GDPR compliance covers our cybersecurity obligations for HR data"

GDPR (Regulation (EU) 2016/679) governs data protection and privacy. CRA (Regulation (EU) 2024/2847) governs product cybersecurity. GDPR requires a DPA and appropriate technical measures for personal data. CRA requires product-specific technical documentation, risk assessment, declaration of conformity, and vulnerability handling — separate legal obligations with separate documentation. A GDPR DPA is not CRA technical documentation.

PRODUCT SCOPE

"Our platform is B2B — the employer is our customer, not the employee"

The CRA applies to the product, not to the contractual relationship. If the employee installs your mobile app on their personal phone to clock in or view payslips, that app is placed on the EU market as a product with digital elements. The employer-employee relationship does not change the product's CRA classification.

MARKET PLACEMENT

"We process payroll data in the US, so EU product regulation does not apply"

The CRA applies to products placed on the EU market, regardless of where data is processed. If your mobile app is available to EU users through app stores, the product is on the EU market. Data processing location is relevant to GDPR (data transfers) but does not affect CRA product scope.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
Annex III classification for HR/payroll software. Default category unless authentication or identity management functions trigger Important Class I.

2. Technical Documentation
Art. 31 + Annex VII covering HR platform architecture: mobile app, cloud payroll engine, API integrations, data encryption, role-based access, and audit logging.

3. Risk Assessment
HR-specific analysis: payroll fraud vectors, unauthorized salary data access, tax ID harvesting, employee data breach scenarios, API abuse, and admin account compromise.

4. User Information
Annex II for two audiences: HR administrators (configuration, security settings, access control) and employees (app security properties, data handling, update policy).

5. Declaration of Conformity
Art. 28 + Annex V for your HR/payroll product.

6. CVD Policy
Vulnerability disclosure policy with escalation procedures for vulnerabilities affecting payroll data integrity or employee personal data.

7. Notification Template
ENISA template per Article 14 for HR platform incidents: payroll data breach, authentication bypass, API exploitation. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

8. Obligations Calendar
Timeline with CRA milestones and GDPR-adjacent dates for coordinated compliance planning.

Look before you buy: download the sample dossier (PDF, fictitious company). Real structure, real articles, real format. Fictitious data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 EU HR REGULATORY CONSULTANT
€15,000–€30,000
8-16 weeks. Requires briefing on payroll processing workflows, multi-country tax regulations, and employment data sensitivity levels.
✓ Last regulatory check: 1 May 2026 · No substantive changes detected