CRA Summary: Requirements & Obligations for 2027

CRA obligations at a glance

Categories of manufacturer obligations — Art. 13, 14, 28, 31, 32

11 Sept 2026

Art. 14 reporting obligations apply — vulnerability notifications to ENISA

15 min

Time to generate the 8-document dossier with CRACheck

The 7 steps to CRA documentation

Classify your product

CRACheck's Product Classifier maps your product against Annex III (Important Class I and II) and Annex IV (Critical). Default category products use the internal control procedure (Module A). Important or Critical products may require a notified body (Modules B+C or H).

Map the essential cybersecurity requirements

Annex I Part I lists the security requirements for the product: security by default, no known exploitable vulnerabilities, secure updates, data protection, event logging. Part II lists vulnerability handling requirements. CRACheck's guided questionnaire walks you through each one.

Document the cybersecurity risk assessment

Article 13(2) requires a documented risk assessment covering the intended purpose, foreseeable use, and operational environment. CRACheck structures this into the format required by Annex VII point 3.

Produce the technical documentation

Article 31 and Annex VII require 8 elements: general product description, design and development information, risk assessment, support period rationale, standards applied, test reports, declaration of conformity, and SBOM reference. CRACheck generates all of these.

Prepare the vulnerability notification process

Article 14 applies from 11 September 2026. CRACheck produces a pre-structured notification template with the three mandatory stages: 24-hour early warning (Art. 14(2)(a)), 72-hour notification (Art. 14(2)(b)), and 14-day final report (Art. 14(2)(c)).

Sign the EU Declaration of Conformity

Article 28 and Annex V. The declaration states that your product conforms to the essential requirements. CRACheck generates it in the harmonised format — you print, sign, and file.

File and retain for 10 years

Article 13(18) requires manufacturers to keep the technical documentation at the disposal of market surveillance authorities for at least 10 years after the product is placed on the market.

Common mistakes with CRA requirements

❌

INCOMPLETE SCOPE

Treating the CRA as only a documentation exercise

Article 13(1) requires that the product has been designed, developed, and produced in accordance with the essential cybersecurity requirements of Annex I Part I. Documentation under Article 31 is one obligation. Secure-by-design engineering, vulnerability handling, and security updates are equally binding.

❌

MISSED DEADLINE

Ignoring the September 2026 reporting obligation

Article 14 applies from 11 September 2026 — 15 months before full enforcement. Manufacturers must have processes to notify ENISA of actively exploited vulnerabilities within 24 hours (Art. 14(2)(a)). This requires operational infrastructure, not just a document.

❌

CLASSIFICATION ERROR

Applying Module A to a Class II product

Article 32(2) requires Important Class II products (Annex III Part II — firewalls, intrusion detection systems, tamper-resistant microprocessors) and Critical products (Annex IV) to undergo conformity assessment through a notified body under Module B+C or Module H. The internal control procedure (Module A) is insufficient for these categories.

8 CRA documents per product

CRACheck generates the documentation layer for each product — all 8 documents required under Article 31 and Annex VII.

Product Classifier

Classification against Annex III (Important Class I, II) and Annex IV (Critical). Identifies the conformity assessment module required under Article 32.

Technical Documentation

Complete dossier per Art. 31 + Annex VII: product description, architecture, development process, vulnerability handling, standards, test reports.

Risk Assessment

Structured cybersecurity risk assessment per Art. 13(2)–(3), covering each applicable requirement of Annex I Parts I and II.

User Information

Document per Annex II: manufacturer contact, vulnerability reporting address, support period, commissioning and decommissioning instructions.

Declaration of Conformity

Harmonised format per Art. 28 + Annex V, pre-populated and ready to sign.

CVD Policy

Coordinated vulnerability disclosure policy per Annex I Part II point (5), including contact address and acknowledgement timeline.

Notification Template

Three-stage template for Art. 14 notifications to ENISA: early warning (24h), notification (72h), final report (14 days).

Obligations Calendar

Gantt-style timeline: Art. 14 reporting start (11 Sept 2026), full enforcement (11 Dec 2027), support period milestones, 10-year retention.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated in your browser. No data leaves your device.

Regulatory briefing vs CRACheck

🧾 REGULATORY BRIEFING FROM A LAW FIRM

€8,000–€15,000

For a regulatory gap analysis. 4–6 weeks to deliver. Separate engagement for each product. Ongoing retainer for regulatory updates.

✓ CRACHECK

€149

8 PDFs in 15–25 minutes. One-time payment, 30-day edit window. Covers all Art. 31 + Annex VII requirements. Regenerate with updated generator if regulation changes. 100% browser-side processing.

Two layers of compliance

● LAYER 1

Documentation — CRACheck covers this

The complete documentary layer of CRA compliance: product classification, technical documentation (Art. 31 + Annex VII), cybersecurity risk assessment (Art. 13(2)–(3)), user information (Annex II), EU declaration of conformity (Art. 28 + Annex V), CVD policy (Annex I Part II), notification template (Art. 14), and obligations calendar. Generated in your browser from your input.

∅ LAYER 2

Engineering, testing, and organisational — Your responsibility

CRACheck does not perform penetration testing, code review, or vulnerability scanning. It does not serve as a notified body (Art. 32). It does not implement security-by-design in your product. It does not operate the vulnerability handling process or file notifications to ENISA. These are manufacturer obligations under Article 13 that require engineering and operational capacity.

CRACheck produces the documents. You produce the compliant product. Both layers are required.

Enforcement regime

⚖️

CRA: Annex I cybersecurity non-compliance

€15M / 2.5%

Art. 64(2) of Regulation (EU) 2024/2847.

⚖️

CRA: Documentation and conformity assessment failures

€10M / 2%

Art. 64(3) of Regulation (EU) 2024/2847.

⚖️

CRA: Misleading information to authorities

€5M / 1%

Art. 64(4) of Regulation (EU) 2024/2847.

Alternatives compared

Criterion	Law firm briefing	DIY from OJ text	Compliance platform (annual)	CRACheck
Deliverable	PDF report, no structured files	Unstructured notes	Varies by platform	8 structured PDFs per Art. 31 + Annex VII
Price	€8,000–€15,000	€0 + internal hours	€2,000–€10,000/year	€149 per product
Time to first dossier	4–6 weeks	Weeks of internal work	Weeks of onboarding	15–25 minutes
Data location	External firm	Internal	Vendor servers	Your browser only

Portfolio of 20 connected products? Documentation scales linearly. Pricing does not have to.

Volume pricing for manufacturers with 10+ products: €99/product (pack 10), €79/product (pack 30). Each product receives its own independent 8-document dossier.

Request Volume Pricing

Commercial enquiries via hello@solidwaretools.com

What CRACheck guarantees and what it does not

CRACheck generates a structured document set according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, completeness, and truthfulness of that information is your responsibility as the manufacturer.

We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct. We do not guarantee that a specific document will be accepted by a market surveillance authority in a particular case.

CRACheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.

Frequently asked questions — CRA requirements summary

What are the main obligations the CRA imposes on manufacturers?

Article 13 of Regulation (EU) 2024/2847 establishes five obligation categories: (1) designing, developing, and producing the product in accordance with the essential cybersecurity requirements of Annex I Part I; (2) conducting and documenting a cybersecurity risk assessment (Art. 13(2)–(3)); (3) handling vulnerabilities throughout the support period per Annex I Part II; (4) producing technical documentation under Article 31 and Annex VII; (5) performing the appropriate conformity assessment under Article 32 and issuing the EU declaration of conformity under Article 28.

What are the essential cybersecurity requirements in Annex I?

Annex I Part I covers product requirements: products must be delivered without known exploitable vulnerabilities, with a secure-by-default configuration, with protection against unauthorised access, with confidentiality and integrity of stored and transmitted data, with event logging, and with the ability to receive and install security updates. Part II covers vulnerability handling: manufacturers must identify and document vulnerabilities, apply remediation, disclose coordinated vulnerability information, and provide security updates free of charge.

Does the CRA apply to free and open-source software?

Article 2(6) of Regulation (EU) 2024/2847 excludes free and open-source software that is not made available on the market in the course of a commercial activity. If the software is provided commercially — even if the source code is open — the CRA applies. Recitals 18 and 19 provide further guidance on what constitutes a commercial activity in this context.

Is CRACheck sufficient for full CRA compliance?

CRACheck covers the documentation layer: the technical documentation under Article 31 and Annex VII, the declaration of conformity under Article 28 and Annex V, and supporting documents. Full CRA compliance also requires secure product engineering (Annex I Part I), operational vulnerability handling (Annex I Part II), vulnerability reporting to ENISA (Art. 14), and — for Important Class II and Critical products — third-party conformity assessment (Art. 32). CRACheck produces the documents; the engineering and operational obligations remain yours.

What does 'support period' mean under the CRA?

Article 13(8) of Regulation (EU) 2024/2847 requires manufacturers to determine a support period during which they must handle vulnerabilities and provide security updates. The minimum support period is five years, unless the product's expected use period is shorter. The support period must be stated in the Annex II user information and documented in the technical documentation per Annex VII point 4.

Is this a subscription?

No. One-time payment. The licence includes a 30-day editing window and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Article 16(m) of Directive (EU) 2011/83, by activating the licence you give express consent for the immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are accepted only for reproducible technical defects.

What if the regulation changes?

If the regulation is amended during the validity of your licence, you can regenerate the document with the updated version of the generator at no additional cost.

Official legal sources

Regulation (EU) 2024/2847 — Cyber Resilience Act — full text

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.