
The United States does not have a single horizontal regulation equivalent to the EU Cyber Resilience Act. US product cybersecurity is addressed through a patchwork of executive orders, voluntary frameworks, sector-specific regulations and emerging programs: NIST CSF, CISA Secure by Design, the FCC Cyber Trust Mark, FDA premarket guidance, state IoT laws. The EU CRA (Regulation (EU) 2024/2847) is a single mandatory regulation covering all products with digital elements placed on the EU market, with standardised technical documentation under Article 31 and Annex VII, mandatory vulnerability and incident reporting under Article 14, and administrative fines under Article 64 of up to €15M or 2.5% of total worldwide annual turnover, whichever is higher. If you sell in both markets, the CRA is the binding obligation. CRACheck generates the EU documentation.

The structural difference is enforcement. The NIST Cybersecurity Framework is voluntary. CISA's Secure by Design pledge is voluntary. EO 14028 directed federal agencies to improve their own cybersecurity posture and created SBOM requirements for federal software procurement, but it does not mandate product documentation for products sold in the US market generally. The FCC Cyber Trust Mark is a voluntary labelling program for consumer IoT. State-level IoT laws (California SB-327, Oregon HB 2395) impose some requirements on IoT manufacturers, but with limited scope and enforcement. The EU CRA covers every product with digital elements placed on the EU market regardless of the manufacturer's origin, requires structured technical documentation, mandates an early warning to the coordinating CSIRT and ENISA within 24 hours of becoming aware of an actively exploited vulnerability, and imposes fines of up to €15,000,000 or 2.5% of total worldwide annual turnover, whichever is higher. If you manufacture in the US and sell in the EU, the CRA is not optional. CRACheck generates the Article 31 + Annex VII documentation. €149. 15–25 minutes.


€149 one-time payment per product · 8 PDF documents in ZIP · 15–25 minutes · 100% in your browser


Key facts

Mandatory vs voluntary
CRA = mandatory EU regulation. Most US frameworks = voluntary or sector-specific.
€15M / 2.5%
CRA maximum fine under Art. 64(2) for breaches of the Annex I essential requirements or of Articles 13 and 14: €15M or 2.5% of total worldwide annual turnover, whichever is higher. No US-equivalent horizontal penalty.
Art. 2(1)
CRA applies to all products on the EU market, regardless of where the manufacturer is established.

How the EU CRA compares to US cybersecurity frameworks

1
Scope
CRA: all products with digital elements on the EU market (Art. 2(1)). US: no single horizontal equivalent. NIST CSF is voluntary. FCC Cyber Trust Mark is voluntary. FDA guidance is sector-specific (medical devices). State laws are jurisdiction-limited.
2
Documentation
CRA: mandatory technical documentation per Article 31 + Annex VII (8 elements). US: SBOM required for federal procurement (EO 14028); no mandatory product documentation for private-sector sales.
3
Vulnerability notification
CRA: mandatory 24h early warning, 72h notification and 14-day final report on actively exploited vulnerabilities (and severe incidents affecting product security) to the coordinating CSIRT and ENISA via the single reporting platform, per Article 14. US: vulnerability reporting to CISA is voluntary. CIRCIA will require covered critical-infrastructure entities to report cyber incidents and ransom payments once its final rule takes effect, but it is an incident-reporting duty for operators, not a product vulnerability obligation for manufacturers.
4
Conformity assessment
CRA: Module A (internal control), B+C (EU-type examination plus conformity to type) or H (full quality assurance) per Article 32, followed by CE marking. Which route is open depends on the product's classification: default products and class I important products that apply harmonised standards can use Module A; class II important products require third-party assessment (B+C or H); critical products may be required to obtain certification under an EU cybersecurity certification scheme. US: no horizontal conformity assessment for product cybersecurity. The FCC Cyber Trust Mark uses voluntary testing by accredited labs.
5
Penalties
CRA: administrative fines up to €15M or 2.5% of total worldwide annual turnover, whichever is higher (Art. 64), with lower ceilings for other obligations and for supplying incorrect information. US: no horizontal penalty framework for product cybersecurity. Sector-specific penalties exist (FDA enforcement, FTC Act Section 5).
6
CRACheck action
If you sell in the EU, CRACheck generates the mandatory CRA documentation. Your US compliance practices (NIST CSF alignment, SBOM generation, CISA Secure by Design) can be referenced in the Annex VII §5 section but do not replace the CRA file.

US compliance practices are valuable inputs. The CRA file is the mandatory output. CRACheck generates the output.

Common mistakes for US manufacturers

EO 14028

Assuming US Executive Order 14028 produces CRA-equivalent documentation

EO 14028 directed federal agencies to require SBOMs from software suppliers for federal procurement. It does not create a product-level documentation obligation for all products on the US market. The CRA's Annex VII file goes far beyond an SBOM: it requires a general product description, a description of the design, development and vulnerability-handling processes including system architecture, the cybersecurity risk assessment, the rationale for the support period, the standards and specifications applied, test reports and a copy of the EU Declaration of Conformity. The SBOM itself is only one of the eight Annex VII elements, and is included where applicable.

NIST CSF

Treating NIST CSF compliance as CRA compliance

The NIST Cybersecurity Framework is a voluntary risk management framework for organisations. It is not a product regulation. CRA Annex I addresses the product: Part I sets essential requirements on the product's security properties, Part II sets vulnerability-handling requirements for the manufacturer's processes around that product. NIST CSF addresses the organisation's overall cybersecurity posture. A company can be NIST CSF aligned and still lack CRA documentation for its products.

ART. 2(1) CRA

Assuming the CRA does not apply because the manufacturer is US-based

Article 2(1) of Regulation (EU) 2024/2847 applies to products with digital elements "made available on the market", meaning the EU market. The manufacturer's location is irrelevant. If a US company places a product with digital elements on the EU market, the CRA applies to it as manufacturer, and the EU importer and distributors carry their own obligations. Article 18 of the CRA allows a manufacturer to appoint, by written mandate, an authorised representative established in the EU.

8 CRA documents — the EU cybersecurity layer for US manufacturers

US compliance practices can be referenced in Annex VII §5 (standards and technical specifications applied) but do not substitute for the CRA dossier. CRACheck generates the EU-specific documentation.

1

Product Classifier

Annex III / Annex IV classification. Conformity assessment module.

2

Technical Documentation

Art. 31 + Annex VII. Complete dossier.

3

Risk Assessment

Art. 13(2)–(3). Cybersecurity risk assessment against Annex I.

4

User Information

Annex II. 9 required information points.

5

Declaration of Conformity

Art. 28 + Annex V. Ready for signature.

6

CVD Policy

Annex I Part II point (5). Coordinated vulnerability disclosure.

7

Notification Template

Art. 14. 24h early warning / 72h notification / 14-day final report to the coordinating CSIRT and ENISA via the single reporting platform.

8

Obligations Calendar

Key dates and milestones from Art. 71: entry into force 10 December 2024; notified-body provisions apply from 11 June 2026; Art. 14 reporting obligations apply from 11 September 2026; all remaining obligations apply from 11 December 2027.


Generated in your browser. No data leaves your device.

US cybersecurity compliance is scattered. EU CRA compliance is structured.

For comparison: EU regulatory compliance consultancy for a US manufacturer
€10,000–€30,000 per product. Requires a consultant with dual US/EU expertise. 2–6 months.
Last regulatory check: 2 May 2026 · No substantive changes detected