Reg (EU) 2024/2847Generate dossier — €149
LIVE — Enforcement tracker · Deadline dashboard · Transposition status — Updated weekly from EUR-Lex, Safety Gate, OEIL & 12 official sourcesView regulatory intelligence →

You develop software in the United States and sell licenses to European companies. Regulation (EU) 2024/2847 requires you to produce technical documentation under Article 31 and Annex VII before placing that product on the EU market. Your legal team does not need to read 81 pages — CRACheck structures the entire dossier from your product data.

The Cyber Resilience Act applies to all products with digital elements placed on the EU market, regardless of the manufacturer's country of establishment (Article 2(1)). If you develop downloadable software — a desktop application, a middleware component, a development tool, an on-premise enterprise solution — you are the manufacturer under Article 3(13). CRACheck generates the 8 documents required under Article 31 + Annex VII in 15-25 minutes for €149. All processing runs in your browser. Your source code and architecture data never leave your machine.

Generate CRA documentation — €149Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side — your data never leaves your device

Key numbers

8 documents
Complete technical dossier: classifier, documentation, risk assessment, user info, declaration, CVD, notification, calendar
2.5%
Maximum fine calculated on global annual turnover for non-compliance with Art. 13 obligations (Art. 64(2))
€149
One-time cost per product for the full Article 31 + Annex VII dossier

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

1
Enter product identity
Product name, version, manufacturer legal entity, contact details, EU authorized representative if applicable (Article 18).
2
Classify under Annex III
CRACheck walks you through the Annex III criteria to determine if your software is Default, Important Class I, Important Class II, or Critical. Desktop productivity software typically classifies as Default.
3
Describe architecture and components
Enter your tech stack, third-party libraries, open-source dependencies. CRACheck uses this to map your SBOM obligations and supply chain due diligence under Article 13(5).
4
Map against Annex I requirements
The tool checks your product against each essential cybersecurity requirement in Annex I, Part I (product security) and Part II (vulnerability handling processes).
5
Generate risk assessment
Structured cybersecurity risk analysis per Article 13(2)-(3), covering threats, attack vectors, and mitigations specific to your product type and deployment model.
6
Produce all 8 documents
Technical documentation (Art. 31 + Annex VII), declaration of conformity (Art. 28 + Annex V), user information (Annex II), CVD policy, ENISA notification template (Art. 14), and obligations calendar.
7
Download ZIP
8 PDFs ready for your compliance folder, your EU distributor, or your customer's procurement team.

Common mistakes

FRAMEWORK MISMATCH

"We already comply with US cybersecurity frameworks, so CRA should be covered"

NIST CSF, CMMC, and FedRAMP address organizational and service security. The Cyber Resilience Act requires product-specific technical documentation under Article 31 + Annex VII, a per-product cybersecurity risk assessment under Article 13(2)-(3), and a formal EU declaration of conformity under Article 28 + Annex V. These are distinct legal instruments with distinct content requirements. US frameworks do not produce CRA-compliant documents.

DELEGATION LIMIT

"We will appoint an EU authorized representative and let them handle documentation"

Article 18(2) explicitly states that the obligations under Article 13(1)-(11) — including technical documentation, risk assessment, and conformity procedures — "shall not form part of the authorised representative's mandate." The authorized representative holds documents and cooperates with authorities. The manufacturer produces the documents. You cannot delegate the documentation obligation.

SCOPE ERROR

"Our product is B2B-only, so consumer protection regulations do not apply"

The Cyber Resilience Act is not a consumer protection regulation. Article 2(1) covers all products with digital elements placed on the EU market with a direct or indirect data connection, regardless of whether the end user is a consumer or an enterprise. B2B software is fully within scope.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1

Product Classifier

Determines your software's category under Annex III. Identifies whether you qualify for self-assessment (Module A) or require third-party evaluation (Module B+C or Module H).

2

Technical Documentation

Article 31 + Annex VII dossier structured for a US-developed software product: architecture description, design decisions, development processes, third-party component inventory, and conformity assessment path.

3

Risk Assessment

Per Article 13(2)-(3) and Annex I, Part I. Covers the specific threat landscape of your software product: data exfiltration, unauthorized access, supply chain compromise, update integrity, and residual risks.

4

User Information

Annex II document with manufacturer identity, security update policy, known residual risks, secure deployment instructions, and SBOM reference. Formatted for inclusion in your product documentation.

5

Declaration of Conformity

Article 28 + Annex V. The formal statement that your product meets CRA essential requirements. Pre-filled with your legal entity, product data, and applicable conformity modules.

6

CVD Policy

Coordinated vulnerability disclosure policy per Annex I, Part II. Defines intake channel, response timelines, and researcher communication protocol. Required for all manufacturers.

7

Notification Template

ENISA notification structure per Article 14: 24h early warning, 72h vulnerability notification, and 14-day final report. Adaptable to your incident response workflow.

8

Obligations Calendar

Key dates for your product: Art. 14 reporting active from September 2026, full CRA enforcement December 2027, support period calculation per Article 13(8).

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 IN-HOUSE LEGAL TEAM
$36,000–$100,000
120-200 attorney hours at $300-$500/h. 3-6 months. Output: untested internal documents that may not match the structure EU authorities expect.
✓ CRACHECK
€149
8 documents. 15–25 min. You enter the technical data; the tool structures the legal documents. Pack of 10: €99 each. Pack of 30: €79 each.

Two layers

● LAYER 1

Documentation (CRACheck)

Generates the 8 structured documents that Article 31, Annex VII, Article 28, Annex V, Annex II, and Article 14 require. This is the paper trail that market surveillance authorities request and that EU enterprise customers include in procurement checklists.

∅ LAYER 2

What CRACheck does NOT do

Does not audit your codebase. Does not run vulnerability scans. Does not serve as a notified body for Important Class II or Critical products under Article 32(3). Does not provide ongoing monitoring of your vulnerability disclosure process. Does not replace internal engineering work to meet the substantive cybersecurity requirements of Annex I.

Layer 1 gives your compliance team the documentation framework. Layer 2 is the engineering and audit work your security team performs independently.

Enforcement regime

Article 64 of Regulation (EU) 2024/2847.

🔴
Essential requirements + manufacturer obligations (Art. 64(2))
€15,000,000 / 2.5%

Failure to meet Annex I essential requirements or Art. 13/14 obligations.

🟠
Documentation and conformity obligations (Art. 64(3))
€10,000,000 / 2%

Missing technical documentation (Art. 31), declaration of conformity (Art. 28), or CE marking (Art. 30).

🟡
Misleading information (Art. 64(4))
€5,000,000 / 1%

Providing incorrect or misleading information to notified bodies or market surveillance authorities.

Alternatives

CriteriaIn-house legal teamEU regulatory consultantOpen-source templatesCRACheck
Time to complete dossier3-6 months6-12 weeksUnknown (no structure)15-25 minutes
Cost per product$36K-$100K staff time€8,000-€20,000Free but unstructured€149
Covers all 8 CRA documentsVaries by expertiseVaries by scopeNoYes
Browser-side (data stays local)N/A (shared internally)No (shared with consultant)YesYes — 100%

Your company ships multiple software products to EU customers?

Each product with digital elements needs its own independent technical documentation under Article 31. Volume pricing makes it manageable: 10 products at €99 each, 30 products at €79 each.

Request Volume Pricing
Response within 24 business hours.

What CRACheck guarantees and what it does not

CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy and completeness of that information is your responsibility as the manufacturer.

We guarantee that the document structure follows Article 31 + Annex VII and that the legal references cited are correct. We do not guarantee that a specific document will be accepted by a market surveillance authority in a particular case.

CRACheck is not legal advice. For specific questions about your product's classification or conformity assessment path, consult a regulatory attorney qualified in EU product safety law.

Frequently asked questions

Which CRA requirements apply specifically to downloadable software products?
All essential cybersecurity requirements in Annex I of Regulation (EU) 2024/2847 apply to software products with digital elements. These include secure-by-default configuration (Annex I, Part I, point 1), protection of data confidentiality and integrity (point 2), access control mechanisms (point 3), and vulnerability handling processes (Part II). Additionally, Article 13 requires the manufacturer to produce technical documentation (Art. 31 + Annex VII), conduct a cybersecurity risk assessment, and issue a declaration of conformity (Art. 28 + Annex V).
Is US-developed software subject to CRA even if we have no EU legal entity?
Yes. Article 2(1) of Regulation (EU) 2024/2847 covers all products with digital elements made available on the EU market, regardless of the manufacturer's establishment. If your software is sold, licensed, or distributed to EU users, you fall within scope. Article 18 allows you to appoint an EU-based authorized representative to hold documentation and liaise with authorities, but the documentation obligation remains with you.
Does CRA require us to disclose our source code?
No. Article 31 and Annex VII require a description of your product's design and development, not disclosure of proprietary source code. The technical documentation covers architecture, security controls, component inventory, and risk assessment. CRACheck structures this documentation without requiring source code input.
What conformity assessment procedure applies to our software?
For Default category products (the majority of software), Article 32(1) allows self-assessment via Module A (Annex VIII, Part I). No notified body involvement is required. For Important Class I products, you can use Module A with harmonised standards, or Module B+C/Module H without them (Article 32(2)). Important Class II and Critical products require third-party assessment (Article 32(3)). CRACheck's Product Classifier determines which path applies to your product.
Can we use CRACheck documentation across multiple EU countries?
Yes. The Cyber Resilience Act is an EU Regulation, directly applicable in all 27 Member States without national transposition. The technical documentation under Article 31 + Annex VII and the declaration of conformity under Article 28 + Annex V are valid across the entire EU single market. One dossier per product covers all Member States.
Is CRACheck a subscription?
No. One-time payment. The license includes 30 days of editing and 10 regenerations. The downloaded PDF is yours to keep.
Can I request a refund?
Per Article 16(m) of Directive (EU) 2011/83, by activating the license you give express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only accepted for reproducible technical failures.
What if the regulation changes?
If Regulation (EU) 2024/2847 is amended during your license validity period, you can regenerate the document with the updated version of the generator at no additional cost.

Official legal sources

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

Your EU customers need Article 31 documentation. Your legal team needs 81 pages summarized into 8 structured documents. CRACheck does both.

Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.

€149 one-time
8-document professional dossier · 15–25 minutes · No subscription · Browser-side
Generate CRA documentation — €149

Related landings

CONFORMITY DECLARATION

CRA Declaration of Conformity for US Software Products Entering the EU
ANNEX VII TEMPLATE

CRA Annex VII Technical Documentation Template for US Software Companies
IoT HARDWARE

Cyber Resilience Act for US IoT Manufacturers Exporting to Europe by 2027
✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history