
Your HR platform processes payroll for European employees. Your mobile app lets them clock in, request time off, and view payslips. That app is a product with digital elements under Article 3(1) of Regulation (EU) 2024/2847. The cloud payroll engine behind it is remote data processing under Article 3(2). Your EU client's procurement team is adding CRA to the vendor assessment checklist alongside GDPR. CRACheck generates the documentation they need to see.

HR and payroll platforms handle some of the most sensitive employee data in any organization: salaries, tax identifiers, bank accounts, personal addresses, health insurance. When that platform includes a downloadable component — a mobile app for employees, a desktop time-tracking agent, an API connector for ERP integration — the product falls within CRA scope. Article 13 of Regulation (EU) 2024/2847 requires the manufacturer to produce technical documentation, conduct a cybersecurity risk assessment, and issue a declaration of conformity. CRACheck generates the 8-document dossier in 15-25 minutes for €149. Your EU client sees structured compliance documentation at the next contract review.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side — your data never leaves your device

Key numbers

Annex I: Essential requirements include data confidentiality, integrity, and minimization — directly relevant to payroll data
€15M: Maximum fine for non-compliance with essential cybersecurity requirements (Art. 64(2))
€149: One-time cost for the full 8-document CRA dossier per product

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

1. Define your product boundary
Mobile app + cloud payroll engine + any desktop agent = one product with digital elements and its remote data processing. CRACheck documents all layers.

2. Classify under Annex III
HR/payroll software typically classifies as Default unless it performs identity management or authentication functions that would trigger Important Class I.

3. Describe sensitive data handling
Payroll data, tax IDs, bank accounts, personal addresses, health insurance records. Map each data category against Annex I, Part I data protection requirements.

4. Document access controls
Role-based access, multi-factor authentication, API key management, SSO integration. These map directly to Annex I essential requirements.

5. Generate risk assessment
HR-specific threats: payroll manipulation, unauthorized salary disclosure, tax ID theft, employee data exfiltration, and insider threats through admin access.

6. Produce 8 documents
Technical documentation, risk assessment, declaration of conformity, user information (for both HR admins and employees), CVD policy, ENISA template, obligations calendar.

7. Present at contract renewal
Your EU client's procurement team reviews CRA documentation alongside your GDPR DPA and SOC 2 report.

Common mistakes

REGULATION OVERLAP

"GDPR compliance covers our cybersecurity obligations for HR data"

GDPR (Regulation (EU) 2016/679) governs data protection and privacy. CRA (Regulation (EU) 2024/2847) governs product cybersecurity. GDPR requires a DPA and appropriate technical measures for personal data. CRA requires product-specific technical documentation, risk assessment, declaration of conformity, and vulnerability handling — separate legal obligations with separate documentation. A GDPR DPA is not CRA technical documentation.

PRODUCT SCOPE

"Our platform is B2B — the employer is our customer, not the employee"

The CRA applies to the product, not to the contractual relationship. If the employee installs your mobile app on their personal phone to clock in or view payslips, that app is placed on the EU market as a product with digital elements. The employer-employee relationship does not change the product's CRA classification.

MARKET PLACEMENT

"We process payroll data in the US, so EU product regulation does not apply"

The CRA applies to products placed on the EU market, regardless of where data is processed. If your mobile app is available to EU users through app stores, the product is on the EU market. Data processing location is relevant to GDPR (data transfers) but does not affect CRA product scope.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
Annex III classification for HR/payroll software. Default category unless authentication or identity management functions trigger Important Class I.

2. Technical Documentation
Art. 31 + Annex VII covering HR platform architecture: mobile app, cloud payroll engine, API integrations, data encryption, role-based access, and audit logging.

3. Risk Assessment
HR-specific analysis: payroll fraud vectors, unauthorized salary data access, tax ID harvesting, employee data breach scenarios, API abuse, and admin account compromise.

4. User Information
Annex II for two audiences: HR administrators (configuration, security settings, access control) and employees (app security properties, data handling, update policy).

5. Declaration of Conformity
Art. 28 + Annex V for your HR/payroll product.

6. CVD Policy
Vulnerability disclosure policy with escalation procedures for vulnerabilities affecting payroll data integrity or employee personal data.

7. Notification Template
ENISA template per Article 14 for HR platform incidents: payroll data breach, authentication bypass, API exploitation. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

8. Obligations Calendar
Timeline with CRA milestones and GDPR-adjacent dates for coordinated compliance planning.

Look before you buy: download the sample dossier (PDF, fictitious company). Real structure, real articles, real format. Fictitious data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 EU HR REGULATORY CONSULTANT
€15,000–€30,000
8-16 weeks. Requires briefing on payroll processing workflows, multi-country tax regulations, and employment data sensitivity levels.
✓ CRACHECK
€149
8 documents. 15–25 min. You describe your HR platform architecture. 8 PDFs ready for your client's procurement team.

Two layers

● LAYER 1

Documentation (CRACheck)

Generates CRA documentation covering your HR/payroll product: technical documentation, risk assessment, declaration of conformity, user information for admins and employees, and vulnerability handling policies.

∅ LAYER 2

What CRACheck does NOT do

Does not audit your payroll processing accuracy. Does not assess GDPR compliance. Does not review your data processing agreements. Does not test your multi-factor authentication implementation. Those are operational compliance and security activities.

CRACheck covers CRA product documentation. Your DPO covers GDPR. Your security team covers operational controls. Three compliance workstreams, three separate deliverables.

Enforcement regime

Article 64 of Regulation (EU) 2024/2847.

🔴 Essential requirements + manufacturer obligations (Art. 64(2)): €15,000,000 / 2.5%
Non-compliance with essential requirements or manufacturer obligations.

🟠 Documentation and conformity obligations (Art. 64(3)): €10,000,000 / 2%
Missing documentation or conformity assessment.

🟡 Misleading information (Art. 64(4)): €5,000,000 / 1%
Misleading information to authorities.

Alternatives

Criteria | EU HR regulatory consultant | Generic CRA consultant | Internal legal + DPO | CRACheck
Time | 8-16 weeks | 6-12 weeks | 4-8 weeks | 15-25 minutes
Cost | €15,000-€30,000 | €10,000-€20,000 | Staff hours | €149
Understands HR data sensitivity | Yes | Partially | Partially | Architecture-agnostic input
Separates CRA from GDPR | Yes | Varies | Depends | Yes — CRA-specific output

Your HR platform includes multiple separately marketed products?

If your payroll module, time-tracking app, and benefits administration portal are sold as separate products, each needs its own Article 31 dossier. Volume pricing: 10 products at €99, 30 at €79.

Request Volume Pricing
Response within 24 business hours.

What CRACheck guarantees and what it does not

CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy of that information is your responsibility as the manufacturer.

We guarantee the document structure follows Article 31 + Annex VII and legal references are correct. We do not guarantee acceptance by a specific client's procurement process.

CRACheck is not legal advice. For GDPR-CRA interaction questions or employment data-specific compliance, consult a qualified attorney.

Frequently asked questions

Does CRA apply to HR software that only processes data, with no downloadable component?
If your HR platform is accessed exclusively via web browser with no mobile app, desktop agent, or SDK, it likely falls outside CRA scope per Recital 12 of Regulation (EU) 2024/2847. NIS2 (Directive (EU) 2022/2555) may apply instead. However, most HR platforms offer mobile apps for employee self-service, which triggers CRA scope.
Our HR platform processes data for employees in 15 EU countries. Do we need separate documentation per country?
No. CRA is an EU Regulation, directly applicable in all 27 Member States. One Article 31 dossier per product covers all EU countries. Country-specific payroll rules affect your product's functionality, not your CRA documentation.
How does CRA interact with GDPR for our HR platform?
CRA and GDPR have different scopes: CRA governs product cybersecurity (documentation, risk assessment, conformity); GDPR governs personal data protection (lawful basis, DPA, data subject rights). Both may apply simultaneously. Your CRA technical documentation addresses product security controls. Your GDPR data processing agreement addresses personal data handling. CRACheck produces CRA documentation; GDPR compliance requires separate deliverables.
Our platform integrates with SAP, Workday, and ADP via APIs. Does that affect CRA scope?
Third-party integrations are components you integrate into your product. Article 13(5) requires due diligence on third-party components. Document the API integrations in your technical documentation and assess the security risks they introduce. You are not responsible for SAP's or Workday's CRA compliance, but you are responsible for how your product interacts with their APIs.
Employee personal data is highly sensitive. Does CRA add requirements beyond GDPR?
CRA Annex I, Part I requires data confidentiality, integrity, and minimization as essential cybersecurity requirements for the product itself — independent of GDPR. This means your product must be designed with these properties built in (secure-by-default), documented in technical documentation, and validated through risk assessment. GDPR covers the organizational data processing; CRA covers the product's built-in security.
Is CRACheck a subscription?
No. One-time payment. 30 days of editing, 10 regenerations. The PDF is yours to keep.
Can I request a refund?
Per Article 16(m) of Directive (EU) 2011/83, activating the license constitutes express consent for immediate generation. Refunds only for reproducible technical failures.
What if the regulation changes?
Regenerate at no additional cost during your license period.
⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

Your EU client added CRA to the vendor assessment. Your GDPR DPA is not enough. Add the Article 31 dossier.

Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected