When a European CISO asks about CRA compliance, they are not asking a theoretical question. They are conducting vendor risk assessment under their own regulatory obligations — potentially DORA (Regulation (EU) 2022/2554) or NIS2 (Directive (EU) 2022/2555). What they need is evidence: technical documentation per Article 31 + Annex VII of Regulation (EU) 2024/2847, a cybersecurity risk assessment per Article 13(2)-(3), and a declaration of conformity per Article 28 + Annex V. CRACheck generates all 8 documents in 15-25 minutes for €149. You respond with a dossier, not an excuse.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.
The CISO is not asking about enforcement dates. They are assessing vendor risk for their organization's supply chain. European CISOs under DORA or NIS2 must evaluate ICT third-party risk continuously. A response citing future enforcement dates tells the CISO you have no current documentation and no plan. That is a risk flag, not a reassurance.
SOC 2 is an organizational security attestation under AICPA standards. CRA requires product-specific documentation under EU regulation: Article 31 + Annex VII technical documentation, Article 13 risk assessment, Article 28 + Annex V declaration of conformity. A CISO asking about CRA expects CRA documents, not SOC 2.
Three months is a vendor review cycle. The CISO may need to complete their assessment within weeks. If you cannot produce CRA documentation within the review window, you are evaluated as a non-compliant vendor. CRACheck produces the documentation in 15-25 minutes — within the same business day the CISO asks.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Immediate answer to "What is your product's CRA classification?" Annex III category and conformity assessment path.
Art. 31 + Annex VII dossier. The core document the CISO's team will review: architecture, security design, component inventory, conformity references.
Per Article 13(2)-(3). Demonstrates structured threat analysis specific to your product. CISOs evaluate vendors on the quality of their risk assessment process.
Annex II. Shows the CISO what security information you provide to users of your product.
Art. 28 + Annex V. The formal declaration of CRA compliance. This is the document the CISO will file in their vendor assessment record.
Annex I, Part II. Shows the CISO your vulnerability handling process. Critical for their third-party risk evaluation.
Art. 14. Demonstrates you have incident notification procedures aligned with ENISA requirements. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
Shows the CISO you are tracking CRA milestones proactively.
Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.
Generated from your data, in your browser. No data leaves your device.
Generates the specific CRA documents the CISO's vendor assessment process requires. Structured, regulation-referenced, ready to attach to your response.
Does not conduct a security audit of your product. Does not provide a compliance certificate. Does not guarantee the CISO will approve your vendor assessment. Does not replace your ongoing security practices. The documentation reflects what you declare — the substance must be real.
CRACheck gets the documentation out the door today. Your security engineering ensures the documentation is truthful. The CISO evaluates both.
Article 64 of Regulation (EU) 2024/2847.
Essential requirements / manufacturer obligations.
Documentation and conformity obligations.
Misleading information to authorities.
| Criteria | "We are working on it" | Engage a law firm | Internal legal team | CRACheck |
|---|---|---|---|---|
| Response time to CISO | Immediate (but empty) | 8-16 weeks | 4-8 weeks | Same day |
| Contract retention risk | High | Medium (delayed) | Medium (delayed) | Low |
| Cost | €0 + lost contract | €15,000-€25,000 | Staff hours ($20K+) | €149 |
| Documentation quality | None | High but delayed | Varies | Structured, immediate |
If your European customer uses three of your products, they may request CRA documentation for each. Generate one dossier per product. Volume pricing: 10 products at €99, 30 at €79.
Request Volume PricingCRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy of that information is your responsibility as the manufacturer.
We guarantee the document structure follows Article 31 + Annex VII and that legal references cited are correct. We do not guarantee that a specific CISO or vendor assessment process will approve your product.
CRACheck is not legal advice. For specific questions about your vendor relationship or contractual CRA obligations, consult your legal team.
Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.