The Cyber Resilience Act applies to all products with digital elements placed on the EU market, including hardware manufactured in the United States (Article 2(1)). An IoT device with firmware and a cloud backend is a product with digital elements plus remote data processing under Article 3(1)-(2). The manufacturer — the company that designed and developed the product — bears the documentation obligations under Article 13, regardless of establishment. CRACheck generates the 8 documents required under Article 31 + Annex VII in 15-25 minutes for €149 per product. All processing runs in your browser.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.
Article 13 assigns technical documentation, risk assessment, and conformity obligations to the manufacturer. Article 19 assigns verification obligations to the importer: they must confirm you have done your work before placing the product on the EU market. If you have not produced the Article 31 documentation, your importer cannot legally import your device. The importer does not produce your documents — they verify yours exist.
FCC Part 15 covers electromagnetic interference. UL covers electrical safety. Neither addresses cybersecurity documentation. The Cyber Resilience Act requires a cybersecurity risk assessment (Art. 13), essential security requirements (Annex I), user information on security properties (Annex II), and a specific technical documentation structure (Annex VII). These are distinct from and additional to FCC and UL requirements.
Article 2(1) covers any product with a direct or indirect data connection. A WiFi-connected sensor transmitting data to a cloud platform is a product with digital elements under Article 3(1). Complexity does not determine scope — connectivity does. Even a simple temperature sensor with a WiFi chip and OTA firmware updates must meet CRA requirements.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Determines your IoT device's Annex III category. Devices with network management functions or that serve as smart home hubs may classify as Important Class I.
Art. 31 + Annex VII dossier covering hardware design, firmware architecture, connectivity protocols, cloud integration, supply chain components, and conformity assessment references.
IoT-specific cybersecurity risk analysis: firmware integrity, OTA update security, default credential risks, physical attack vectors, data-in-transit protection, and cloud backend dependencies.
Annex II document for IoT end users: device security properties, update procedure, factory reset instructions, data handling disclosure, and manufacturer support contact.
Article 28 + Annex V formal declaration for your IoT product. Accompanies the CE marking required under Article 30.
Vulnerability disclosure policy for hardware manufacturers: how researchers report firmware bugs, your response timeline, and coordinated disclosure process.
ENISA notification structure per Article 14 adapted for IoT incidents: firmware exploits, botnet recruitment, data exfiltration through compromised devices. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
IoT-specific timeline: Art. 14 reporting from September 2026, full enforcement December 2027, 5-year support period calculation per Article 13(8).
Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.
Generated from your data, in your browser. No data leaves your device.
Generates the technical documentation, risk assessment, declaration of conformity, and all supporting documents that your EU importer will request and that market surveillance authorities can demand at any time after your product enters the EU market.
Does not test your firmware for vulnerabilities. Does not verify your OTA update mechanism works securely. Does not perform hardware penetration testing. Does not serve as a notified body for Important Class II or Critical classifications. Does not provide CE marking physical labels. Those are engineering, testing, and certification activities.
Layer 1 is the regulatory documentation. Layer 2 is the engineering work that makes the documentation truthful. CRACheck produces the documents. Your engineering team ensures the substance.
Article 64 of Regulation (EU) 2024/2847.
Non-compliance with Annex I essential requirements or Art. 13/14 obligations.
Missing technical documentation or declaration of conformity.
Misleading information to authorities.
| Criteria | EU regulatory consultant | US trade compliance firm | Manual from EUR-Lex | CRACheck |
|---|---|---|---|---|
| Time per product | 8-16 weeks | 4-8 weeks | Weeks of research | 15-25 minutes |
| Cost per device category | €10,000-€25,000 | $8,000-$15,000 | Staff hours | €149 |
| IoT-specific risk template | Varies | Rarely | No | Yes |
| Data stays on your device | No | No | Yes | Yes — 100% |
Each product model needs independent Article 31 documentation. If you manufacture 15 sensor variants for the EU market, each requires its own dossier. Volume pricing: 10 products at €99, 30 at €79.
Request Volume PricingCRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy of that information is your responsibility as the manufacturer.
We guarantee that the document structure follows Article 31 + Annex VII and that the legal references cited are correct. We do not guarantee acceptance by a market surveillance authority in a specific case.
CRACheck is not legal advice. For product classification questions or conformity assessment path decisions, consult a qualified regulatory professional.
Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.