The interaction between the CRA and the AI Act is governed by CRA Article 12. For high-risk AI systems classified under AI Act Article 6: if the product meets all CRA Annex I Part I requirements, the manufacturer's processes comply with CRA Annex I Part II, and the CRA Declaration of Conformity demonstrates the required cybersecurity protection level — then the product is deemed to comply with the cybersecurity requirements of AI Act Article 15 (accuracy, robustness, cybersecurity). This is a presumption of conformity, not an exemption. Both Acts still apply, but the CRA conformity assessment can satisfy the AI Act's cybersecurity component. For non-high-risk AI software, the CRA applies independently as a product cybersecurity regulation. CRACheck generates the Article 31 + Annex VII documentation. €149. 15–25 minutes.
€149 one-time payment per product · 8 PDF documents in ZIP · 15–25 minutes · 100% in your browser
The CRA documentation is one layer. The AI Act documentation (conformity assessment per AI Act Annex III/IV, risk management per AI Act Article 9, technical documentation per AI Act Article 11) is a separate layer.
CRA Article 12 creates a presumption of conformity only for the cybersecurity requirements of AI Act Article 15. It does not satisfy AI Act requirements for accuracy (Article 15(1)), transparency (Article 13), data governance (Article 10), or human oversight (Article 14). The CRA covers cybersecurity; the AI Act covers the full AI system lifecycle.
CRA Article 12(3) specifies that for Important or Critical products that are also high-risk AI systems, the CRA conformity assessment procedures (Module B+C, Module H) apply for the cybersecurity component, even if the AI Act would otherwise allow internal control under AI Act Annex VI. The stricter CRA procedure prevails.
CRA Article 3(1) includes "remote data processing solutions" in the definition of products with digital elements if the absence of the remote processing would prevent the product from performing one of its functions. An AI system that processes data on a server but delivers results to a client application is within CRA scope.
The AI Act requires its own documentation (risk management, data governance, technical documentation per AI Act Article 11). CRACheck generates the CRA cybersecurity documentation layer — which for high-risk AI systems, creates a presumption of conformity with AI Act Article 15.
Annex III / Annex IV classification. Conformity assessment module.
Art. 31 + Annex VII. Complete dossier.
Art. 13(2)–(3). Cybersecurity risk assessment against Annex I.
Annex II. 9 required information points.
Art. 28 + Annex V. For high-risk AI, demonstrates Art. 15 cybersecurity protection per CRA Art. 12(1)(c).
Annex I Part II point (5). Coordinated vulnerability disclosure.
Art. 14. ENISA 24h/72h/14d notification.
Key dates and milestones.
See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.
Generated in your browser. No data leaves your device.
CRACheck generates the CRA documentation: Annex VII file, cybersecurity risk assessment, Declaration of Conformity (which for high-risk AI, demonstrates Article 15 cybersecurity protection per CRA Article 12(1)(c)), CVD policy, and vulnerability handling documentation.
CRACheck does not address AI Act obligations beyond cybersecurity. It does not produce AI Act risk management documentation (Article 9), data governance plans (Article 10), human oversight documentation (Article 14), or the AI Act technical documentation (Article 11 + Annex IV). AI Act compliance is a separate engagement.
CRA covers cybersecurity. AI Act covers the AI system. CRACheck covers the CRA.
Art. 64(2) of Regulation (EU) 2024/2847.
Art. 99 of Regulation (EU) 2024/1689.
Art. 99 of Regulation (EU) 2024/1689.
CRA and AI Act penalties are independent and cumulative. A cybersecurity flaw in a high-risk AI system could trigger penalties under both regulations.
| Criterion | AI Act (Reg. 2024/1689) | CRA (Reg. 2024/2847) | CRACheck scope |
|---|---|---|---|
| Focus | AI safety, transparency, governance | Product cybersecurity | Cybersecurity documentation |
| Legal object | AI system | Product with digital elements | Product documentation |
| Cybersecurity | Art. 15 (accuracy, robustness, cyber) | Annex I (21 requirements) | Maps all 21 requirements |
| Bridge | Art. 15 cybersecurity | Art. 12 presumption of conformity | DoC demonstrates Art. 15 compliance |
| Tech doc | Art. 11 + Annex IV | Art. 31 + Annex VII | Generates Annex VII |
Each AI product with digital elements needs its own CRA documentation. Volume pricing: Pack of 10: €99. Pack of 30: €79.
Request Volume PricingCRACheck generates a structured document set according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, completeness, and truthfulness of that information is your responsibility as the manufacturer.
We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct. We do not guarantee that a specific document will be accepted by a market surveillance authority in a particular case.
CRACheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.
€149 per product