What exactly does a CISO expect when they ask about CRA compliance?

A European CISO conducting vendor assessment typically expects evidence of three things: (1) that you have identified your product's CRA classification under Annex III of Regulation (EU) 2024/2847, (2) that you have produced technical documentation per Article 31 + Annex VII, including a cybersecurity risk assessment per Article 13(2)-(3), and (3) that you have a vulnerability handling process per Annex I, Part II. CRACheck produces all three as structured PDFs.

Is the CISO's request legally binding, or is it voluntary?

The request itself is contractual, not regulatory. However, it is driven by the CISO's own regulatory obligations. If their organization falls under DORA (Regulation (EU) 2022/2554) or NIS2 (Directive (EU) 2022/2555), they must manage ICT third-party risk, which includes evaluating vendor cybersecurity. Refusing to provide documentation does not violate CRA, but it may cause contract termination or non-renewal.

Can we provide CRA documentation now even though enforcement starts in 2027?

Yes, and it is advisable. Producing Article 31 documentation before the enforcement date demonstrates proactive compliance. The documents are valid from the date of production. Early documentation also gives you time to iterate and improve based on feedback from your EU customers.

The CISO asked for a "CRA compliance certificate." Can CRACheck produce that?

CRA does not create a compliance certificate as such. For Default category products, the manufacturer performs a self-assessment under Module A (Annex VIII) and issues a declaration of conformity per Article 28 + Annex V. CRACheck generates this declaration. For Important Class II or Critical products, a notified body assessment is required per Article 32(3). CRACheck does not replace notified body involvement for those categories.

We have multiple EU customers. Do we need separate documentation for each?

No. CRA documentation is per product, not per customer. One Article 31 dossier per product covers all EU customers. If you sell the same product to 50 European companies, one dossier serves all 50.

Is CRACheck a subscription?

No. One-time payment. 30 days of editing, 10 regenerations. The PDF is yours to keep.

Can I request a refund?

Per Article 16(m) of Directive (EU) 2011/83, activating the license constitutes express consent for immediate digital content generation. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate with the updated generator version at no additional cost during your license period.

The CISO of your largest European customer just emailed: "Can you confirm your product is compliant with Regulation (EU) 2024/2847?" You have 48 hours before the next vendor review. Responding with "we are working on it" signals risk. Responding with Article 31 documentation signals readiness. CRACheck generates that documentation in 15 minutes.

When a European CISO asks about CRA compliance, they are not asking a theoretical question. They are conducting vendor risk assessment under their own regulatory obligations — potentially DORA (Regulation (EU) 2022/2554) or NIS2 (Directive (EU) 2022/2555). What they need is evidence: technical documentation per Article 31 + Annex VII of Regulation (EU) 2024/2847, a cybersecurity risk assessment per Article 13(2)-(3), and a declaration of conformity per Article 28 + Annex V. CRACheck generates all 8 documents in 15-25 minutes for €149. You respond with a dossier, not an excuse.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

48h

Typical response window before an EU CISO escalates a vendor compliance gap to procurement

8 documents

The complete CRA dossier that answers every question the CISO will ask

€149

Cost to produce the documentation that keeps your European contract alive

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Receive the CISO inquiry

The email asks about Regulation (EU) 2024/2847. Your product is a product with digital elements under Article 3(1). You need documentation.

Open CRACheck

Enter your product details: name, version, architecture, security controls, deployment model. All processing stays in your browser.

Classify your product

CRACheck determines your Annex III category and conformity assessment path. This is the first data point the CISO needs.

Generate risk assessment

Structured cybersecurity analysis per Article 13(2)-(3). Demonstrates you have evaluated threats specific to your product.

Produce the full dossier

8 PDFs: technical documentation, risk assessment, declaration of conformity, user information, CVD policy, ENISA notification template, obligations calendar, product classifier.

Respond to the CISO

Attach the relevant documents to your reply. The CISO sees structured, regulation-referenced documentation — not a vague promise.

Retain the contract

Your competitor who responded with "we are evaluating our CRA obligations" gets flagged. You move forward.

Common mistakes

❌

COMMERCIAL MISJUDGMENT

"We responded that CRA does not apply until 2027, so compliance is not required yet"

The CISO is not asking about enforcement dates. They are assessing vendor risk for their organization's supply chain. European CISOs under DORA or NIS2 must evaluate ICT third-party risk continuously. A response citing future enforcement dates tells the CISO you have no current documentation and no plan. That is a risk flag, not a reassurance.

❌

WRONG DELIVERABLE

"We sent our SOC 2 report and assumed that would satisfy the CRA question"

SOC 2 is an organizational security attestation under AICPA standards. CRA requires product-specific documentation under EU regulation: Article 31 + Annex VII technical documentation, Article 13 risk assessment, Article 28 + Annex V declaration of conformity. A CISO asking about CRA expects CRA documents, not SOC 2.

❌

TIMELINE MISMATCH

"We told the CISO we will hire a consultant and get back to them in 3 months"

Three months is a vendor review cycle. The CISO may need to complete their assessment within weeks. If you cannot produce CRA documentation within the review window, you are evaluated as a non-compliant vendor. CRACheck produces the documentation in 15-25 minutes — within the same business day the CISO asks.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Immediate answer to "What is your product's CRA classification?" Annex III category and conformity assessment path.

Technical Documentation

Art. 31 + Annex VII dossier. The core document the CISO's team will review: architecture, security design, component inventory, conformity references.

Risk Assessment

Per Article 13(2)-(3). Demonstrates structured threat analysis specific to your product. CISOs evaluate vendors on the quality of their risk assessment process.

User Information

Annex II. Shows the CISO what security information you provide to users of your product.

Declaration of Conformity

Art. 28 + Annex V. The formal declaration of CRA compliance. This is the document the CISO will file in their vendor assessment record.

CVD Policy

Annex I, Part II. Shows the CISO your vulnerability handling process. Critical for their third-party risk evaluation.

Notification Template

Art. 14. Demonstrates you have incident notification procedures aligned with ENISA requirements. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

Shows the CISO you are tracking CRA milestones proactively.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 LOSE THE CONTRACT OR WAIT

$100K–$500K+

Annual contract value at risk. Or delay response while hiring a consultant: €15K–€25K, 8-16 weeks. The CISO does not wait 16 weeks.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history