
Regulation (EU) 2016/679 (GDPR) requires data protection by design and by default under Article 25, and security of processing under Article 32. Regulation (EU) 2024/2847 (CRA) requires cybersecurity by design under Annex I and technical documentation under Article 31. If your product with digital elements processes personal data, both regulations apply. The GDPR governs how you handle the data. The CRA governs how the product is designed, developed, and documented to be cybersecure. A DPIA does not replace an Annex VII file. CRACheck generates the CRA documentation.

The overlap is real but narrow. GDPR Article 32 requires the controller or processor to implement appropriate technical and organisational measures for security of processing — encryption, pseudonymisation, resilience, regular testing. CRA Annex I Part I point (2)(e) requires the product to protect the confidentiality of data by encrypting data at rest or in transit. Both mention encryption. But the legal subjects are different: GDPR addresses the data controller/processor, the CRA addresses the product manufacturer. A manufacturer who is also a controller must comply with both. The CRA technical documentation (Article 31 + Annex VII) documents the product's cybersecurity properties. The GDPR records of processing (Article 30) document the data processing activities. They are parallel documentation sets that do not substitute each other. CRACheck generates the CRA layer. €149. 15–25 minutes. 8 PDFs.


Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side

Key figures

2 regulations
GDPR (data protection) + CRA (product cybersecurity). Both apply simultaneously.
Annex I · (2)(e)(g)
CRA requirements directly relevant to data protection: encryption + data minimisation
€15M CRA / €20M GDPR
Maximum fines under each regulation. They stack.

How CRACheck addresses the CRA documentation layer for data-processing products

1. Product scope
You enter the product type and its data processing characteristics. CRACheck scopes the Annex I requirements, including point (2)(e) (data confidentiality/encryption) and point (2)(g) (data minimisation).

2. Risk assessment
CRACheck structures the cybersecurity risk assessment under Article 13, including risks related to personal data exposure as a cybersecurity risk dimension.

3. Annex I mapping
CRACheck maps the encryption, access control, and data minimisation requirements of Annex I to your product's implementation. These overlap with GDPR Article 25 and Article 32 concepts but are documented separately in the CRA file.

4. User information
CRACheck generates the Annex II information sheet, including foreseeable cybersecurity risks (point 5), which may include personal data exposure scenarios.

5. Full dossier
8 PDFs. The CRA documentation stands independently from your GDPR documentation (privacy notices, DPIAs, records of processing).

Common mistakes

GDPR ART. 25 vs CRA ANNEX I

Treating the DPIA as equivalent to the CRA risk assessment

A DPIA under GDPR Article 35 assesses risks to the rights and freedoms of data subjects. The CRA risk assessment under Article 13(2)–(3) assesses cybersecurity risks to the product and its users. They share vocabulary (risk, impact, mitigation) but assess different legal objects. One does not replace the other.

CRA ANNEX I · (2)(g)

Assuming GDPR data minimisation is the same as CRA data minimisation

GDPR Article 5(1)(c) requires data minimisation in processing operations. CRA Annex I Part I point (2)(g) requires the product to "process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose." The CRA requirement is a product design requirement, not a processing principle. Both must be satisfied independently.

FINES

Assuming CRA and GDPR fines are mutually exclusive

A product that has a cybersecurity flaw leading to a personal data breach could trigger both CRA Article 64 penalties (up to €15M / 2.5%) and GDPR Article 83 penalties (up to €20M / 4%). The fines are additive, not alternative.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
Identifies the CRA category. GDPR applicability is a separate determination.

2. Technical Documentation
Art. 31 and Annex VII file — covers product cybersecurity, not data processing records.

3. Risk Assessment
CRA cybersecurity risk assessment per Article 13. Separate from GDPR DPIA under Article 35.

4. User Information
Annex II information sheet including foreseeable cybersecurity risks related to personal data.

5. Declaration of Conformity
EU Declaration per Article 28 and Annex V.

6. CVD Policy
Coordinated vulnerability disclosure policy per Annex I Part II point (5).

7. Notification Template
ENISA notification template per CRA Article 14. Separate from GDPR breach notification under Article 33. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

8. Obligations Calendar
CRA dates. GDPR obligations (DPIAs, records) are not included — they are a parallel workstream.


Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 THE ALTERNATIVE
Combined CRA + GDPR compliance assessment
€15,000–40,000 for data-processing products
Months of engagement
Covers both but charges for both