My AI software is not high-risk under the AI Act. Does the CRA still apply?

Yes. CRA Article 3(1) covers all software products with digital elements that have a data connection, regardless of their AI Act risk classification. The CRA applies to your AI software as a product with digital elements. The AI Act risk classification determines AI Act obligations; the CRA classification (Default, Important, Critical) determines CRA obligations. Both are independent.

Does CRA Article 12 mean I only need one conformity assessment for both regulations?

Not exactly. CRA Article 12(2) states that for high-risk AI systems subject to the CRA, the AI Act conformity assessment procedure (Article 43 of Regulation 2024/1689) applies for the cybersecurity component. You still need the full AI Act conformity assessment. The CRA creates a presumption that CRA Annex I compliance satisfies AI Act Article 15 cybersecurity — but the AI Act assessment procedure is the one that runs.

Is a standalone AI model (e.g., a fine-tuned LLM) a 'product with digital elements' under the CRA?

It depends on whether the AI model is 'placed on the market' as a product with a data connection. An AI model distributed as a downloadable software package that connects to a network for inference or update delivery falls within CRA Article 3(1). A model used purely internally without market placement does not. The boundary depends on distribution and connectivity, not on the AI technique.

Does the CRA SBOM requirement apply to AI training data?

CRA Annex I Part II point (1) requires an SBOM covering 'at least the top-level dependencies' of the product. Training data is not a software dependency — it is an input to the model. However, if the AI product depends on specific software libraries, frameworks, or runtime components, those must be in the SBOM. The AI Act has its own data governance requirements under Article 10.

Is this a subscription?

No. One-time payment. The licence includes a 30-day editing window and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Article 16(m) of Directive (EU) 2011/83, by activating the licence you give express consent for the immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are accepted only for reproducible technical defects.

What if the regulation changes?

If the regulation is amended during the validity of your licence, you can regenerate the document with the updated version of the generator at no additional cost.

Regulation (EU) 2024/1689 (AI Act) regulates AI systems based on risk level — from prohibited practices to high-risk requirements to transparency obligations. Regulation (EU) 2024/2847 (CRA) regulates the cybersecurity of products with digital elements. If your AI system is a software product with a data connection placed on the EU market, both apply. Article 12 of the CRA creates a bridge: high-risk AI systems that comply with CRA Annex I are deemed to comply with the cybersecurity requirements of AI Act Article 15. CRACheck generates the CRA documentation layer.

The interaction between the CRA and the AI Act is governed by CRA Article 12. For high-risk AI systems classified under AI Act Article 6: if the product meets all CRA Annex I Part I requirements, the manufacturer's processes comply with CRA Annex I Part II, and the CRA Declaration of Conformity demonstrates the required cybersecurity protection level — then the product is deemed to comply with the cybersecurity requirements of AI Act Article 15 (accuracy, robustness, cybersecurity). This is a presumption of conformity, not an exemption. Both Acts still apply, but the CRA conformity assessment can satisfy the AI Act's cybersecurity component. For non-high-risk AI software, the CRA applies independently as a product cybersecurity regulation. CRACheck generates the Article 31 + Annex VII documentation. €149. 15–25 minutes.

Generate CRA Dossier — €149 Free: check your product classification

€149 one-time payment per product · 8 PDF documents in ZIP · 15–25 minutes · 100% in your browser

How to determine which framework applies to your AI product

Art. 12

CRA provision bridging high-risk AI systems with AI Act Article 15

Art. 3(1)

CRA defines software as a "product with digital elements"

€15M / €35M

Maximum fines under CRA (€15M) and AI Act (€35M) for prohibited practices or Annex I non-compliance

How to determine which framework applies to your AI product

Is it a product with digital elements?

CRA Article 3(1) defines this as "a software or hardware product and its remote data processing solutions" with a data connection. If your AI software connects to a device or network, the CRA applies.

Is it an AI system under the AI Act?

AI Act Article 3(1) defines "AI system." If your product meets this definition, the AI Act also applies. Classification under the AI Act (prohibited, high-risk, limited risk, minimal risk) determines which AI Act obligations apply.

Is it high-risk under AI Act Article 6?

If yes, CRA Article 12 applies. CRA Annex I compliance creates a presumption of conformity with AI Act Article 15 cybersecurity requirements. The AI Act conformity assessment procedure under Article 43 applies instead of the CRA's own Article 32 for the cybersecurity component.

CRA classification

CRACheck classifies the product under Annex III/IV regardless of AI Act classification. AI software may fall under Default, or under Important Class I if it has identity management or network management functions.

Documentation

CRACheck generates the CRA Annex VII file, risk assessment, and Declaration of Conformity. For high-risk AI systems, the Declaration explicitly demonstrates the cybersecurity protection level per CRA Article 12(1)(c).

The CRA documentation is one layer. The AI Act documentation (conformity assessment per AI Act Annex III/IV, risk management per AI Act Article 9, technical documentation per AI Act Article 11) is a separate layer.

Common mistakes when navigating CRA and AI Act overlap

❌

ART. 12(1)

Assuming CRA compliance automatically satisfies all AI Act requirements

CRA Article 12 creates a presumption of conformity only for the cybersecurity requirements of AI Act Article 15. It does not satisfy AI Act requirements for accuracy (Article 15(1)), transparency (Article 13), data governance (Article 10), or human oversight (Article 14). The CRA covers cybersecurity; the AI Act covers the full AI system lifecycle.

❌

ART. 12(2)

Using CRA conformity assessment for the AI Act cybersecurity component of Important/Critical products

CRA Article 12(3) specifies that for Important or Critical products that are also high-risk AI systems, the CRA conformity assessment procedures (Module B+C, Module H) apply for the cybersecurity component, even if the AI Act would otherwise allow internal control under AI Act Annex VI. The stricter CRA procedure prevails.

❌

ART. 3(1) CRA

Assuming AI software without a client-side component is outside CRA scope

CRA Article 3(1) includes "remote data processing solutions" in the definition of products with digital elements if the absence of the remote processing would prevent the product from performing one of its functions. An AI system that processes data on a server but delivers results to a client application is within CRA scope.

8 CRA documents — the cybersecurity layer for AI products

The AI Act requires its own documentation (risk management, data governance, technical documentation per AI Act Article 11). CRACheck generates the CRA cybersecurity documentation layer — which for high-risk AI systems, creates a presumption of conformity with AI Act Article 15.

Product Classifier

Annex III / Annex IV classification. Conformity assessment module.

Technical Documentation

Art. 31 + Annex VII. Complete dossier.

Risk Assessment

Art. 13(2)–(3). Cybersecurity risk assessment against Annex I.

User Information

Annex II. 9 required information points.

Declaration of Conformity

Art. 28 + Annex V. For high-risk AI, demonstrates Art. 15 cybersecurity protection per CRA Art. 12(1)(c).

CVD Policy

Annex I Part II point (5). Coordinated vulnerability disclosure.

Notification Template

Art. 14. ENISA 24h/72h/14d notification.

Obligations Calendar

Key dates and milestones.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated in your browser. No data leaves your device.

CRA + AI Act compliance: cost comparison

🧾 COMBINED AI ACT + CRA COMPLIANCE CONSULTANCY

€25,000–€60,000

Covers both frameworks. 4–12 months. Requires deep understanding of both regulations.

✓ Last regulatory check: 2 May 2026 · No substantive changes detected · View history