The overlap is real but narrow. GDPR Article 32 requires the controller or processor to implement appropriate technical and organisational measures for security of processing — encryption, pseudonymisation, resilience, regular testing. CRA Annex I Part I point (2)(e) requires the product to protect the confidentiality of data by encrypting data at rest or in transit. Both mention encryption. But the legal subjects are different: GDPR addresses the data controller/processor, the CRA addresses the product manufacturer. A manufacturer who is also a controller must comply with both. The CRA technical documentation (Article 31 + Annex VII) documents the product's cybersecurity properties. The GDPR records of processing (Article 30) document the data processing activities. They are parallel documentation sets that do not substitute for each other. CRACheck generates the CRA layer. €149. 15–25 minutes. 8 PDFs.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
A DPIA under GDPR Article 35 assesses risks to the rights and freedoms of data subjects. The CRA risk assessment under Article 13(2)–(3) assesses cybersecurity risks to the product and its users. They share vocabulary (risk, impact, mitigation) but assess different legal objects. One does not replace the other.
GDPR Article 5(1)(c) requires data minimisation in processing operations. CRA Annex I Part I point (2)(g) requires the product to "process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose." The CRA requirement is a product design requirement, not a processing principle. Both must be satisfied independently.
A product that has a cybersecurity flaw leading to a personal data breach could trigger both CRA Article 64 penalties (up to €15M / 2.5%) and GDPR Article 83 penalties (up to €20M / 4%). The fines are additive, not alternative.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Identifies the CRA category. GDPR applicability is a separate determination.
Art. 31 and Annex VII file — covers product cybersecurity, not data processing records.
CRA cybersecurity risk assessment per Article 13. Separate from GDPR DPIA under Article 35.
Annex II information sheet including foreseeable cybersecurity risks related to personal data.
EU Declaration per Article 28 and Annex V.
Coordinated vulnerability disclosure policy per Annex I Part II point (5).
ENISA notification template per CRA Article 14. Separate from GDPR breach notification under Article 33. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
CRA dates. GDPR obligations (DPIAs, records) are not included — they are a parallel workstream.
See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.
Generated from your data, in your browser. No data leaves your device.
CRACheck generates the CRA product documentation: Annex VII technical file, Annex I risk assessment including data confidentiality and minimisation requirements, Declaration of Conformity, vulnerability handling documentation.
CRACheck does not generate GDPR documentation. It does not produce DPIAs, privacy notices, records of processing, or data processing agreements. If your product processes personal data, GDPR compliance is a parallel obligation that CRACheck does not address.
CRA documents the product. GDPR documents the processing. Both must exist.
Annex I non-compliance.
Art. 31 technical documentation non-compliance.
Data protection principle violations. CRA and GDPR penalties are administered by different authorities and can apply cumulatively.
| Criterion | GDPR (Reg. 2016/679) | CRA (Reg. 2024/2847) | CRACheck scope | |
|---|---|---|---|---|
| Legal object | Personal data processing | Product with digital elements | Product documentation | |
| Key obligation | Data protection by design (Art. 25) | Cybersecurity by design (Annex I) | Annex I mapping | |
| Documentation | DPIA, Art. 30 records | Art. 31 + Annex VII tech doc | Generates Annex VII | |
| Risk assessment | DPIA (Art. 35) | Cybersecurity risk (Art. 13) | Generates Art. 13 risk assessment | |
| Max fine | €20M / 4% | €15M / 2.5% | Documentation to reduce CRA risk | |
| CRACheck | Product layer | Art. 31 | Art. 13 risk | CRA documentation |
Each product needs its own CRA documentation regardless of shared GDPR infrastructure. Volume pricing: Pack of 10: €99. Pack of 30: €79.
CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847, based on the information you enter. The accuracy, completeness, and truthfulness of that information are your responsibility as manufacturer.
We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case.
CRACheck is not legal advice. For situations specific to your product or market, consult a qualified lawyer or specialised regulatory consultancy.
CRACheck generates the CRA product documentation. GDPR compliance is separate. €149 per product. Browser-side.