Reg (EU) 2024/2847Generate dossier — €149
LIVE — Enforcement tracker · Deadline dashboard · Transposition status — Updated weekly from EUR-Lex, Safety Gate, OEIL & 12 official sourcesView regulatory intelligence →

You publish a desktop application, a mobile SDK, or a firmware module — and it has cloud backend components. You need to know whether Regulation (EU) 2024/2847 treats it as a product with digital elements. The answer depends on whether the software is placed on the market — Article 3(1) and Article 3(24) draw the line. Pure remote-service SaaS with nothing running on the user's device is generally outside scope. Software delivered to the user's environment is inside.

The Cyber Resilience Act defines "product with digital elements" in Article 3(1) of Regulation (EU) 2024/2847 as any software or hardware product and its remote data processing solutions, including software components placed on the market separately. "Placing on the market" under Article 3(24) means making the product available for the first time on the EU market. If your software is downloaded, installed, or runs on the user's device, it is placed on the market and the CRA applies. If your product is delivered exclusively as a remote service with no client-side component, it is generally outside scope — but Directive (EU) 2022/2555 (NIS2) may apply instead. CRACheck generates the Art. 31 dossier for in-scope software in 15–25 minutes. €149 per product.

Generate CRA Dossier — €149Free: check your product classification

€149 one-time payment per product · 8 PDF documents in ZIP · 15–25 minutes · 100% in your browser

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side

Key definitions for software

Art. 3(1)
Definition: software is explicitly a "product with digital elements"
Art. 3(24)
"Placing on the market" — the trigger for CRA obligations
15 min
Time to generate the 8-document dossier for in-scope software

How to determine if your software is in scope

1
Determine if your software is "placed on the market"
Article 3(24): is the software made available for the first time on the EU market? If it is downloaded, installed, deployed on-premise, or runs on the user's device — yes, it is placed on the market.
2
Check the SaaS boundary
If your product is delivered entirely as a remote service — the user accesses functionality via a browser or API with no software running locally — it is generally not 'placed on the market'. However, if the SaaS product includes a desktop client, mobile app, agent, or plugin that runs on the user's device, that client component is a product with digital elements.
3
Assess "remote data processing solutions"
Article 3(1) includes 'remote data processing solutions' as part of the product if they are designed by or under the responsibility of the manufacturer and the product cannot perform one of its functions without them. A cloud backend essential to the product's operation is part of the product.
4
Classify the software
Run CRACheck's Product Classifier. Software categories in Annex III Class I include browsers (point 2), password managers (point 3), VPNs (point 5), operating systems (point 11). Class II includes firewalls (point 2) and intrusion detection systems (point 2).
5
Generate the Art. 31 dossier
For in-scope software, CRACheck produces the 8-document technical dossier including system architecture description, vulnerability handling processes, SBOM reference, and all Annex VII elements.

Common software scope mistakes

SAAS MISUNDERSTANDING

Assuming all SaaS is outside the CRA

If your SaaS product includes any client-side component — a desktop app, mobile app, browser plugin, or agent — that component is a product with digital elements under Article 3(1) of Regulation (EU) 2024/2847. Only products delivered entirely as a remote service with zero local execution are outside scope.

VERSION OVERSIGHT

Treating software updates as separate products

Article 3(1) refers to the product and its versions. Security updates are part of the manufacturer's vulnerability handling obligations under Annex I Part II and Article 13(8). Each version does not require a new dossier, but the technical documentation must be 'continuously updated' per Article 31(2).

COMPONENT BLIND SPOT

Ignoring SDKs and libraries placed on the market separately

Article 3(1) explicitly includes "software or hardware components being placed on the market separately". If you publish a library, SDK, or API client that third parties integrate into their products, that component is an independent product with digital elements under the CRA.

8 CRA documents for software products

CRACheck generates the complete Art. 31 + Annex VII dossier adapted for software products.

1

Product Classifier

Classification of your software product against Annex III and Annex IV categories.

2

Technical Documentation

Art. 31 + Annex VII dossier with software-specific fields: system architecture, software components, dependency map, update distribution mechanism.

3

Risk Assessment

Cybersecurity risk assessment per Art. 13(2)–(3) for software: vulnerability surface, data handling, authentication, update integrity.

4

User Information

Annex II: vulnerability reporting contact, support period, commissioning instructions, secure removal/decommissioning.

5

Declaration of Conformity

Art. 28 + Annex V.

6

CVD Policy

Coordinated vulnerability disclosure policy per Annex I Part II point (5).

7

Notification Template

Art. 14 three-stage notification for software vulnerabilities. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

8

Obligations Calendar

Key dates for your software product lifecycle.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated in your browser. No data leaves your device.

Law firm scope analysis vs CRACheck

🧾 LAW FIRM SCOPE ANALYSIS FOR SOFTWARE
€5,000–€12,000
Written opinion on CRA applicability to SaaS/software. 3–6 weeks. Multiple rounds of clarification. No documentation output.
✓ CRACHECK
€149
Product Classifier determines scope. 8-document dossier generated if in scope. 15–25 minutes. 100% browser-side. One-time payment.

Two layers of compliance

● LAYER 1

Documentation for in-scope software — CRACheck does this

For software products placed on the EU market, CRACheck generates the complete Art. 31 + Annex VII dossier: system architecture, development and production processes, cybersecurity risk assessment, user information, declaration of conformity, CVD policy, and notification template. Adapted to software-specific requirements.

∅ LAYER 2

Scope determination for boundary cases — Your responsibility

CRACheck's Product Classifier provides a structured scope analysis based on Art. 2 and Art. 3 definitions. For products at the SaaS/product boundary — hybrid models with both cloud and client components — the classification may require legal interpretation beyond what any automated tool provides. Consult specialised counsel for binding opinions on boundary cases.

If it is software and it is placed on the market, start with CRACheck. If the scope is genuinely uncertain, add legal counsel.

Enforcement regime

⚖️
CRA: Annex I cybersecurity non-compliance
€15M / 2.5%

Art. 64(2) of Regulation (EU) 2024/2847.

⚖️
CRA: Documentation and conformity assessment failures
€10M / 2%

Art. 64(3) of Regulation (EU) 2024/2847.

⚖️
CRA: Misleading information to authorities
€5M / 1%

Art. 64(4) of Regulation (EU) 2024/2847.

Alternatives compared

CriterionLaw firmIn-house legalIndustry peer adviceCRACheck
Scope analysisWritten opinionManual, time-consumingAnecdotalAutomated classifier per Art. 2 + 3
DocumentationSeparate engagementDIYNone8 PDFs per Art. 31 + Annex VII
Price€5,000–€12,000Internal hoursFree€149 per product
Turnaround3–6 weeksWeeksN/A15–25 minutes

Software publisher with multiple products? SDKs, apps, and plugins each count separately.

Every software product placed on the EU market separately needs its own dossier. Volume pricing: €99/product (pack 10), €79/product (pack 30).

Request Volume Pricing
Commercial enquiries via hello@solidwaretools.com

What CRACheck guarantees and what it does not

CRACheck generates a structured document set according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, completeness, and truthfulness of that information is your responsibility as the manufacturer.

We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct. We do not guarantee that a specific document will be accepted by a market surveillance authority in a particular case.

CRACheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.

Frequently asked questions — CRA and software

Is a mobile app covered by the CRA?
If the mobile app is placed on the EU market — downloaded by users from an app store — it is a product with digital elements under Article 3(1) of Regulation (EU) 2024/2847. The CRA applies, and Art. 31 technical documentation is required.
Our software runs entirely in the cloud. Is it a 'product with digital elements'?
If the user accesses functionality exclusively through a web browser or API with no software component installed locally, the product is generally outside the scope of Article 2(1) of Regulation (EU) 2024/2847 because it is not "placed on the market". However, Directive (EU) 2022/2555 (NIS2) may apply to the service provider.
We provide both a cloud platform and a desktop agent. Which is covered?
The desktop agent is a product with digital elements under Article 3(1) of Regulation (EU) 2024/2847. The cloud platform, to the extent it constitutes a 'remote data processing solution' essential to the agent's function, is part of that product per Art. 3(1). CRA documentation covers the product as a whole — agent plus essential cloud components.
Does the CRA apply to APIs sold as a product?
If you distribute an API client library or SDK that is installed on the customer's systems, it is a software component placed on the market separately under Article 3(1). If the API is accessed purely remotely with no client-side code, the analysis is the same as for SaaS.
What about firmware updates delivered over-the-air (OTA)?
Firmware updates are part of the manufacturer's vulnerability handling obligations under Annex I Part II and Article 13(8) of Regulation (EU) 2024/2847. The OTA update mechanism must be described in the technical documentation per Annex VII point 2(b) as part of the 'technical solutions chosen for the secure distribution of updates'.
Is this a subscription?
No. One-time payment. The licence includes a 30-day editing window and 10 regenerations. The downloaded PDF is yours permanently.
Can I request a refund?
Under Article 16(m) of Directive (EU) 2011/83, by activating the licence you give express consent for the immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are accepted only for reproducible technical defects.
What if the regulation changes?
If the regulation is amended during the validity of your licence, you can regenerate the document with the updated version of the generator at no additional cost.

Official legal sources

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

Your software is placed on the EU market. The documentation requirement is not optional.

€149 one-time
8 PDFs · 15–25 minutes · Art. 31 + Annex VII · Software-adapted · 100% browser-side
Generate CRA Dossier — €149

Related landings

SCOPE

CRA scope: what products are covered by Regulation (EU) 2024/2847
EXCLUDED

Cyber Resilience Act excluded products — what is not covered
COST

CRA compliance cost: how much for a small company?
✓ Last regulatory check: 2 May 2026 · No substantive changes detected · View history