A WordPress plugin is software placed on the market. If you sell it through WordPress.org, CodeCanyon, Gumroad, or your own website to EU users, you are making a product with digital elements available on the EU market in the course of commercial activity (Article 3(22)). The Cyber Resilience Act requires you to produce technical documentation under Article 31 + Annex VII, conduct a cybersecurity risk assessment per Article 13(2)-(3), and issue a declaration of conformity per Article 28 + Annex V. CRACheck generates all 8 documents in 15-25 minutes for €149. Built for developers, not for legal teams.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.
Article 3(1) of Regulation (EU) 2024/2847 defines a product with digital elements as "a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately." A plugin sold separately on a marketplace is a software component placed on the market separately. It is explicitly within the CRA definition.
WordPress.org is a distribution platform. It may review plugins for basic security issues, but Article 13 places the technical documentation, risk assessment, and conformity obligations on the manufacturer — the developer who wrote the code. WordPress.org does not produce your Article 31 documentation.
Recital 18 of Regulation (EU) 2024/2847 excludes free and open-source software only when developed and supplied outside a commercial activity. If you sell the plugin, offer a pro version, provide paid support, or monetize the plugin in any way, it is supplied in the course of commercial activity and falls within CRA scope regardless of the GPL license.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Confirms your plugin's Default category classification under Annex III. Identifies the Module A self-assessment path.
Art. 31 + Annex VII dossier structured for a WordPress plugin: PHP/JS architecture, WordPress hooks and filters used, database interactions, REST API endpoints, and third-party library inventory.
WordPress-specific cybersecurity risk analysis: SQL injection, XSS, CSRF, file inclusion, privilege escalation, and dependency vulnerabilities. Mapped to Annex I, Part I requirements.
Annex II document for plugin users: minimum WordPress version, PHP requirements, known incompatibilities, security update mechanism, data handling disclosure, and developer contact.
Article 28 + Annex V declaration for your plugin.
Vulnerability disclosure policy for plugin developers: how researchers report security issues, your response SLA, and coordinated disclosure process.
ENISA notification template per Article 14 for plugin vulnerabilities: zero-day exploits in production WordPress installations, SQL injection discoveries, and authentication bypass findings. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
Plugin developer timeline: Art. 14 reporting from September 2026, full enforcement December 2027, support period obligations.
Look before you buy: download the sample dossier (PDF, fictitious company). Real structure, real articles, real format. Fictitious data.
Generated from your data, in your browser. No data leaves your device.
Generates the CRA documentation for your WordPress plugin: product classification, technical documentation, risk assessment, declaration of conformity, user information, and vulnerability handling policies.
Does not audit your PHP code. Does not run SAST scans. Does not verify your plugin against WordPress coding standards. Does not check your sanitization and escaping practices. Those are development best practices handled by your code review process and the WordPress Plugin Review Team.
CRACheck documents. You code securely. Both are required.
Article 64 of Regulation (EU) 2024/2847.
Non-compliance with essential requirements or manufacturer obligations.
Missing documentation or conformity assessment.
Misleading information to authorities.
| Criteria | Regulatory attorney | WordPress security service | DIY from regulation | CRACheck |
|---|---|---|---|---|
| Time | 4-8 weeks | N/A (no CRA service) | Weeks of reading | 15-25 minutes |
| Cost | $5,000-$15,000 | N/A | Your time | €149 |
| Understands WordPress architecture | Unlikely | Yes (but no CRA) | Depends on you | Architecture-agnostic input |
| Produces CRA documentation | Legal memo | No | DIY | 8 structured PDFs |
Each plugin sold commercially is a separate product with digital elements under CRA. If you have 5 premium plugins on WordPress.org, each needs its own dossier. Volume pricing: 10 products at €99, 30 at €79.
Request Volume Pricing

CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy of that information is your responsibility as the manufacturer.
We guarantee the document structure follows Article 31 + Annex VII and that legal references cited are correct. We do not guarantee acceptance by a market surveillance authority in a specific case.
CRACheck is not legal advice. For edge cases (freemium vs. free, GPL-only distribution, plugin bundles), consult a qualified attorney.
Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.