What are the main obligations the CRA imposes on manufacturers?

Article 13 of Regulation (EU) 2024/2847 establishes five obligation categories: (1) designing, developing, and producing the product in accordance with the essential cybersecurity requirements of Annex I Part I; (2) conducting and documenting a cybersecurity risk assessment (Art. 13(2)–(3)); (3) handling vulnerabilities throughout the support period per Annex I Part II; (4) producing technical documentation under Article 31 and Annex VII; (5) performing the appropriate conformity assessment under Article 32 and issuing the EU declaration of conformity under Article 28.

What are the essential cybersecurity requirements in Annex I?

Annex I Part I covers product requirements: products must be delivered without known exploitable vulnerabilities, with a secure-by-default configuration, with protection against unauthorised access, with confidentiality and integrity of stored and transmitted data, with event logging, and with the ability to receive and install security updates. Part II covers vulnerability handling: manufacturers must identify and document vulnerabilities, apply remediation, disclose coordinated vulnerability information, and provide security updates free of charge.

Does the CRA apply to free and open-source software?

Article 2(6) of Regulation (EU) 2024/2847 excludes free and open-source software that is not made available on the market in the course of a commercial activity. If the software is provided commercially — even if the source code is open — the CRA applies. Recitals 18 and 19 provide further guidance on what constitutes a commercial activity in this context.

Is CRACheck sufficient for full CRA compliance?

CRACheck covers the documentation layer: the technical documentation under Article 31 and Annex VII, the declaration of conformity under Article 28 and Annex V, and supporting documents. Full CRA compliance also requires secure product engineering (Annex I Part I), operational vulnerability handling (Annex I Part II), vulnerability reporting to ENISA (Art. 14), and — for Important Class II and Critical products — third-party conformity assessment (Art. 32). CRACheck produces the documents; the engineering and operational obligations remain yours.

What does 'support period' mean under the CRA?

Article 13(8) of Regulation (EU) 2024/2847 requires manufacturers to determine a support period during which they must handle vulnerabilities and provide security updates. The minimum support period is five years, unless the product's expected use period is shorter. The support period must be stated in the Annex II user information and documented in the technical documentation per Annex VII point 4.

Is this a subscription?

No. One-time payment. The licence includes a 30-day editing window and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Article 16(m) of Directive (EU) 2011/83, by activating the licence you give express consent for the immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are accepted only for reproducible technical defects.

What if the regulation changes?

If the regulation is amended during the validity of your licence, you can regenerate the document with the updated version of the generator at no additional cost.

You know the Cyber Resilience Act exists. You need to know what it specifically requires from your company before December 2027. Here is the structured summary: manufacturer obligations under Article 13, vulnerability reporting under Article 14, technical documentation under Article 31, and the essential cybersecurity requirements of Annex I — mapped to the documents you must produce.

Regulation (EU) 2024/2847 introduces five categories of obligations for manufacturers of products with digital elements: design and production requirements (Art. 13 + Annex I Part I), vulnerability handling (Art. 13(8) + Annex I Part II), reporting to ENISA (Art. 14), technical documentation (Art. 31 + Annex VII), and conformity assessment (Art. 32 + Annex VIII). The full enforcement date is 11 December 2027, but Article 14 reporting obligations apply from 11 September 2026. CRACheck generates the documentation layer — 8 structured PDFs covering Art. 31, Annex VII, Annex V, Annex II, and Art. 14 templates — in 15–25 minutes at €149 per product.

Generate CRA Dossier — €149 Free: check your product classification

€149 one-time payment per product · 8 PDF documents in ZIP · 15–25 minutes · 100% in your browser

CRA obligations at a glance

Categories of manufacturer obligations — Art. 13, 14, 28, 31, 32

11 Sept 2026

Art. 14 reporting obligations apply — vulnerability notifications to ENISA

15 min

Time to generate the 8-document dossier with CRACheck

The 7 steps to CRA documentation

Classify your product

CRACheck's Product Classifier maps your product against Annex III (Important Class I and II) and Annex IV (Critical). Default category products use the internal control procedure (Module A). Important or Critical products may require a notified body (Modules B+C or H).

Map the essential cybersecurity requirements

Annex I Part I lists the security requirements for the product: security by default, no known exploitable vulnerabilities, secure updates, data protection, event logging. Part II lists vulnerability handling requirements. CRACheck's guided questionnaire walks you through each one.

Document the cybersecurity risk assessment

Article 13(2) requires a documented risk assessment covering the intended purpose, foreseeable use, and operational environment. CRACheck structures this into the format required by Annex VII point 3.

Produce the technical documentation

Article 31 and Annex VII require 8 elements: general product description, design and development information, risk assessment, support period rationale, standards applied, test reports, declaration of conformity, and SBOM reference. CRACheck generates all of these.

Prepare the vulnerability notification process

Article 14 applies from 11 September 2026. CRACheck produces a pre-structured notification template with the three mandatory stages: 24-hour early warning (Art. 14(2)(a)), 72-hour notification (Art. 14(2)(b)), and 14-day final report (Art. 14(2)(c)).

Sign the EU Declaration of Conformity

Article 28 and Annex V. The declaration states that your product conforms to the essential requirements. CRACheck generates it in the harmonised format — you print, sign, and file.

File and retain for 10 years

Article 13(18) requires manufacturers to keep the technical documentation at the disposal of market surveillance authorities for at least 10 years after the product is placed on the market.

Common mistakes with CRA requirements

❌

INCOMPLETE SCOPE

Treating the CRA as only a documentation exercise

Article 13(1) requires that the product has been designed, developed, and produced in accordance with the essential cybersecurity requirements of Annex I Part I. Documentation under Article 31 is one obligation. Secure-by-design engineering, vulnerability handling, and security updates are equally binding.

❌

MISSED DEADLINE

Ignoring the September 2026 reporting obligation

Article 14 applies from 11 September 2026 — 15 months before full enforcement. Manufacturers must have processes to notify ENISA of actively exploited vulnerabilities within 24 hours (Art. 14(2)(a)). This requires operational infrastructure, not just a document.

❌

CLASSIFICATION ERROR

Applying Module A to a Class II product

Article 32(2) requires Important Class II products (Annex III Part II — firewalls, intrusion detection systems, tamper-resistant microprocessors) and Critical products (Annex IV) to undergo conformity assessment through a notified body under Module B+C or Module H. The internal control procedure (Module A) is insufficient for these categories.

8 CRA documents per product

CRACheck generates the documentation layer for each product — all 8 documents required under Article 31 and Annex VII.

Product Classifier

Classification against Annex III (Important Class I, II) and Annex IV (Critical). Identifies the conformity assessment module required under Article 32.

Technical Documentation

Complete dossier per Art. 31 + Annex VII: product description, architecture, development process, vulnerability handling, standards, test reports.

Risk Assessment

Structured cybersecurity risk assessment per Art. 13(2)–(3), covering each applicable requirement of Annex I Parts I and II.

User Information

Document per Annex II: manufacturer contact, vulnerability reporting address, support period, commissioning and decommissioning instructions.

Declaration of Conformity

Harmonised format per Art. 28 + Annex V, pre-populated and ready to sign.

CVD Policy

Coordinated vulnerability disclosure policy per Annex I Part II point (5), including contact address and acknowledgement timeline.

Notification Template

Three-stage template for Art. 14 notifications to ENISA: early warning (24h), notification (72h), final report (14 days).

Obligations Calendar

Gantt-style timeline: Art. 14 reporting start (11 Sept 2026), full enforcement (11 Dec 2027), support period milestones, 10-year retention.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated in your browser. No data leaves your device.

Regulatory briefing vs CRACheck

🧾 REGULATORY BRIEFING FROM A LAW FIRM

€8,000–€15,000

For a regulatory gap analysis. 4–6 weeks to deliver. Separate engagement for each product. Ongoing retainer for regulatory updates.

✓ Last regulatory check: 2 May 2026 · No substantive changes detected · View history