Which CRA requirements apply specifically to downloadable software products?

All essential cybersecurity requirements in Annex I of Regulation (EU) 2024/2847 apply to software products with digital elements. These include secure-by-default configuration (Annex I, Part I, point 1), protection of data confidentiality and integrity (point 2), access control mechanisms (point 3), and vulnerability handling processes (Part II). Additionally, Article 13 requires the manufacturer to produce technical documentation (Art. 31 + Annex VII), conduct a cybersecurity risk assessment, and issue a declaration of conformity (Art. 28 + Annex V).

Is US-developed software subject to CRA even if we have no EU legal entity?

Yes. Article 2(1) of Regulation (EU) 2024/2847 covers all products with digital elements made available on the EU market, regardless of the manufacturer's establishment. If your software is sold, licensed, or distributed to EU users, you fall within scope. Article 18 allows you to appoint an EU-based authorized representative to hold documentation and liaise with authorities, but the documentation obligation remains with you.

Does CRA require us to disclose our source code?

No. Article 31 and Annex VII require a description of your product's design and development, not disclosure of proprietary source code. The technical documentation covers architecture, security controls, component inventory, and risk assessment. CRACheck structures this documentation without requiring source code input.

What conformity assessment procedure applies to our software?

For Default category products (the majority of software), Article 32(1) allows self-assessment via Module A (Annex VIII, Part I). No notified body involvement is required. For Important Class I products, you can use Module A with harmonised standards, or Module B+C/Module H without them (Article 32(2)). Important Class II and Critical products require third-party assessment (Article 32(3)). CRACheck's Product Classifier determines which path applies to your product.

Can we use CRACheck documentation across multiple EU countries?

Yes. The Cyber Resilience Act is an EU Regulation, directly applicable in all 27 Member States without national transposition. The technical documentation under Article 31 + Annex VII and the declaration of conformity under Article 28 + Annex V are valid across the entire EU single market. One dossier per product covers all Member States.

Is CRACheck a subscription?

No. One-time payment. The license includes 30 days of editing and 10 regenerations. The downloaded PDF is yours to keep.

Can I request a refund?

Per Article 16(m) of Directive (EU) 2011/83, by activating the license you give express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only accepted for reproducible technical failures.

What if the regulation changes?

If Regulation (EU) 2024/2847 is amended during your license validity period, you can regenerate the document with the updated version of the generator at no additional cost.

You develop software in the United States and sell licenses to European companies. Regulation (EU) 2024/2847 requires you to produce technical documentation under Article 31 and Annex VII before placing that product on the EU market. Your legal team does not need to read 81 pages — CRACheck structures the entire dossier from your product data.

The Cyber Resilience Act applies to all products with digital elements placed on the EU market, regardless of the manufacturer's country of establishment (Article 2(1)). If you develop downloadable software — a desktop application, a middleware component, a development tool, an on-premise enterprise solution — you are the manufacturer under Article 3(13). CRACheck generates the 8 documents required under Article 31 + Annex VII in 15-25 minutes for €149. All processing runs in your browser. Your source code and architecture data never leave your machine.

Generate CRA documentation — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

8 documents

Complete technical dossier: classifier, documentation, risk assessment, user info, declaration, CVD, notification, calendar

2.5%

Maximum fine calculated on global annual turnover for non-compliance with Art. 13 obligations (Art. 64(2))

€149

One-time cost per product for the full Article 31 + Annex VII dossier

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Enter product identity

Product name, version, manufacturer legal entity, contact details, EU authorized representative if applicable (Article 18).

Classify under Annex III

CRACheck walks you through the Annex III criteria to determine if your software is Default, Important Class I, Important Class II, or Critical. Desktop productivity software typically classifies as Default.

Describe architecture and components

Enter your tech stack, third-party libraries, open-source dependencies. CRACheck uses this to map your SBOM obligations and supply chain due diligence under Article 13(5).

Map against Annex I requirements

The tool checks your product against each essential cybersecurity requirement in Annex I, Part I (product security) and Part II (vulnerability handling processes).

Generate risk assessment

Structured cybersecurity risk analysis per Article 13(2)-(3), covering threats, attack vectors, and mitigations specific to your product type and deployment model.

Produce all 8 documents

Technical documentation (Art. 31 + Annex VII), declaration of conformity (Art. 28 + Annex V), user information (Annex II), CVD policy, ENISA notification template (Art. 14), and obligations calendar.

Download ZIP

8 PDFs ready for your compliance folder, your EU distributor, or your customer's procurement team.

Common mistakes

❌

FRAMEWORK MISMATCH

"We already comply with US cybersecurity frameworks, so CRA should be covered"

NIST CSF, CMMC, and FedRAMP address organizational and service security. The Cyber Resilience Act requires product-specific technical documentation under Article 31 + Annex VII, a per-product cybersecurity risk assessment under Article 13(2)-(3), and a formal EU declaration of conformity under Article 28 + Annex V. These are distinct legal instruments with distinct content requirements. US frameworks do not produce CRA-compliant documents.

❌

DELEGATION LIMIT

"We will appoint an EU authorized representative and let them handle documentation"

Article 18(2) explicitly states that the obligations under Article 13(1)-(11) — including technical documentation, risk assessment, and conformity procedures — "shall not form part of the authorised representative's mandate." The authorized representative holds documents and cooperates with authorities. The manufacturer produces the documents. You cannot delegate the documentation obligation.

❌

SCOPE ERROR

"Our product is B2B-only, so consumer protection regulations do not apply"

The Cyber Resilience Act is not a consumer protection regulation. Article 2(1) covers all products with digital elements placed on the EU market with a direct or indirect data connection, regardless of whether the end user is a consumer or an enterprise. B2B software is fully within scope.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Determines your software's category under Annex III. Identifies whether you qualify for self-assessment (Module A) or require third-party evaluation (Module B+C or Module H).

Technical Documentation

Article 31 + Annex VII dossier structured for a US-developed software product: architecture description, design decisions, development processes, third-party component inventory, and conformity assessment path.

Risk Assessment

Per Article 13(2)-(3) and Annex I, Part I. Covers the specific threat landscape of your software product: data exfiltration, unauthorized access, supply chain compromise, update integrity, and residual risks.

User Information

Annex II document with manufacturer identity, security update policy, known residual risks, secure deployment instructions, and SBOM reference. Formatted for inclusion in your product documentation.

Declaration of Conformity

Article 28 + Annex V. The formal statement that your product meets CRA essential requirements. Pre-filled with your legal entity, product data, and applicable conformity modules.

CVD Policy

Coordinated vulnerability disclosure policy per Annex I, Part II. Defines intake channel, response timelines, and researcher communication protocol. Required for all manufacturers.

Notification Template

ENISA notification structure per Article 14: 24h early warning, 72h vulnerability notification, and 14-day final report. Adaptable to your incident response workflow.

Obligations Calendar

Key dates for your product: Art. 14 reporting active from September 2026, full CRA enforcement December 2027, support period calculation per Article 13(8).

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 IN-HOUSE LEGAL TEAM

$36,000–$100,000

120-200 attorney hours at $300-$500/h. 3-6 months. Output: untested internal documents that may not match the structure EU authorities expect.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history