8 PDF documents in your ZIP

Each document covers a specific obligation under Regulation (EU) 2024/2847. Each one cites the exact articles that underpin its content.

⚖

Product Classifier & Scope

Per Arts. 2, 7 and 8 and Annexes III/IV. Determines whether your product falls under the CRA, its category (Default, Class I, Class II or Critical) and the applicable conformity assessment procedure.

📄

Technical Documentation — Annex VII

The core document. Covers the 8 points of Annex VII per Art. 31: general description, design and development, cybersecurity risk assessment, support period, standards and test reports.

🛡

Cybersecurity Risk Assessment

Per Art. 13(2)-(4) and Annex I. Maps the 13 product property requirements (Part I) and the 8 vulnerability handling requirements (Part II) against your product.

✅

EU Declaration of Conformity

Per Art. 28 and Annex V. Signed document declaring that the product meets the essential requirements of Annex I. The basis for CE marking (Art. 30).

📖

User Information & Instructions

Per Annex II: 9 mandatory points that must accompany the product. Includes single point of contact, CVD policy, support period, secure commissioning and decommissioning.

🔒

Coordinated Vulnerability Disclosure Policy

Per Annex I, Part II, point 5. Structured CVD policy: intake, triage, remediation, disclosure and record-keeping. Mandatory for every manufacturer.

🚨

Art. 14 Notification Template

The 3 mandatory phases: early warning (24h), notification (72h) and final report (14 days). For actively exploited vulnerabilities and severe incidents. Mandatory from September 2026.

📅

Obligations Calendar + Penalties

All CRA key dates in chronological order: conformity body notification (Jun 2026), reporting obligations (Sep 2026), full application (Dec 2027). With Art. 64 penalty framework.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

What CRACheck covers

Regulation (EU) 2024/2847 applies horizontally to all products with digital elements. CRACheck generates technical documentation for all four categories. Check which one applies to you before purchasing.

IN SCOPE

Products with digital elements — Default, Class I, Class II and Critical

CRACheck generates Annex VII technical documentation for any product with digital elements placed on the EU market. Applies to manufacturers (Art. 13), importers (Art. 19), distributors (Art. 20) and authorised representatives (Art. 18).

Commercial software (applications, SaaS with remote data processing, mobile apps)
IoT devices (smart home, wearables, industrial sensors, baby monitors)
Connected hardware (routers, switches, modems, IP cameras, smart locks)
Operating systems, hypervisors, boot managers
Security components (firewalls, IDS/IPS, password managers, VPNs)
Microcontrollers and microprocessors with security-related functionality
Connected toys, personal health wearables (non-medical)
Any hardware or software product with a direct or indirect network connection

EXEMPT

Products excluded from the scope

These categories are outside the CRA because they are already regulated under other EU sectoral legislation. They do not need CRA documentation.

Medical devices and in vitro diagnostics (Regulations 2017/745 and 2017/746)
Motor vehicles and their components (Regulation 2019/2144)
Products certified under civil aviation rules (Regulation 2018/1139)
Marine equipment (Directive 2014/90/EU)
Products developed exclusively for defence or national security (Art. 2(7))
Non-commercial FOSS: free open-source software without commercial activity (Art. 2, Recital 18)
Identical spare parts for pre-CRA products (Art. 2(6))

REQUIRES EXTRA ATTENTION

Products that also need third-party conformity assessment

These products fall under the CRA but their conformity assessment requires a notified body. CRACheck generates the base documentation; the third-party assessment is a separate step.

Important Class II (Annex III): firewalls, IDS/IPS, hypervisors, tamper-resistant microprocessors — mandatory third-party assessment (Art. 32(3))
Critical products (Annex IV): HSMs, smart meter gateways, smartcards, secure elements — possible mandatory EU cybersecurity certification (Art. 8)
Important Class I without applied harmonised standards — third-party assessment required (Art. 32(2))

Not sure about your case? Take the free test first. If CRACheck is not the right tool for your product, we tell you before you buy.

Who buys CRACheck

Manufacturers (Art. 13), importers (Art. 19), distributors (Art. 20) and compliance officers of products with digital elements marketed in the EU.

💻European software company with a SaaS application, mobile app or desktop tool with a direct or indirect network connection. 5-50 employees, technical CTO but no regulatory experience. December 2027 is their deadline. They don’t have €15,000 for an external consultancy.

⚙IoT device manufacturer (smart home, wearables, industrial sensors, alarm systems, IP cameras) selling on the EU market. Needs Annex VII technical documentation + Annex I risk assessment + EU declaration of conformity + CVD policy before affixing the CE marking.

🌍Non-EU manufacturer (USA, UK, China, India, Korea, Taiwan) selling connected hardware or software to European buyers. Their EU importer asks for CRA documentation per Art. 19. €149 versus losing a European distribution channel.

📦EU importer introducing products with digital elements manufactured in third countries to the European market. Art. 19: before placing on the market, must verify that technical documentation exists and the product bears CE marking.

📊CISO, Compliance Officer or in-house Legal of a mid-to-large company with 5-30 digital products on the market. Needs to document all of them before December 2027. Packs of 10 or 30 licences are the solution: from €79/product.

💼Cybersecurity consultant or small firm looking to offer “CRA compliance” as a service. Buys CRACheck as an internal tool and invoices the service. Pack 30 at €79/product, bills €2,000–5,000 per client.

What happens without technical documentation

Art. 64 of Regulation (EU) 2024/2847 establishes three tiers of administrative fines. In addition, market surveillance authorities can order product withdrawal, market ban or recall.

🛡 Non-compliance with essential requirements (Annex I) and manufacturer obligations (Arts. 13, 14)

Up to €15,000,000 or 2.5% of total worldwide annual turnover, whichever is higher. Covers: product without essential cybersecurity requirements, missing risk assessment, no security updates, failure to report actively exploited vulnerabilities or severe incidents to CSIRT and ENISA. For SMEs and startups: the lower of the two amounts applies. Art. 64(2) of Regulation (EU) 2024/2847.

📄 Non-compliance with other obligations (Arts. 18-23, 28, 31, 32)

Up to €10,000,000 or 2% of total worldwide annual turnover, whichever is higher. Includes: missing technical documentation (Art. 31), absent or incorrect EU declaration of conformity (Art. 28), misuse of CE marking (Art. 30), importer and distributor non-compliance, missing conformity assessment procedures. Art. 64(3) of Regulation (EU) 2024/2847.

⚠ False information to authorities or notified bodies

Up to €5,000,000 or 1% of total worldwide annual turnover, whichever is higher. Triggered when the economic operator provides incorrect, incomplete or misleading information to market surveillance authorities or notified bodies in response to a request. Art. 64(4) of Regulation (EU) 2024/2847. On top of fines: product withdrawal, marketing ban and mandatory recall.

CRACheck versus the alternatives

Compare the four models available on the market for documenting products with digital elements under Regulation (EU) 2024/2847.

Criteria	Traditional consultancy	SaaS compliance platform	Generic templates	CRACheck
Price	€3,000 – 30,000 per product	€300 – 1,500/month	€0 – 500	€149 per product (one-time)
Turnaround time	4 – 12 weeks	Setup: 2 – 4 weeks	Variable (you do everything)	30 minutes
Documents generated	Variable by scope	Variable by plan	1 – 3 templates	8 PDF documents in ZIP (~40 pages)
Article coverage	Customised	Partial (SBOM/CI focus)	Shallow	Arts. 2, 7, 13, 14, 28, 31 + Annexes I, II, III, IV, V, VII
Data in browser	Your data goes to the consultant	Your data goes to their servers	Local (manual)	100% browser-side · Zero data to server
Commercial model	Per-project engagement	Monthly recurring subscription	No commitment	One-time payment, no subscription
Legal basis cited	Varies	Varies	No	Art. 31 + Annex VII of Regulation (EU) 2024/2847

Consultancy price ranges based on published market rates for CRA cybersecurity services. SaaS ranges based on public pricing of compliance platforms (€300–1,500/month segment). No specific brands cited.

Why CRACheck is structurally different

It’s not that it’s cheaper. The model is different.

GUIDED SELF-ASSESSMENT

The manufacturer assesses, CRACheck structures

Regulation (EU) 2024/2847 places the responsibility for technical documentation on the manufacturer (Art. 13(12)). CRACheck inverts the consultancy model: you, as the manufacturer, assess your own product requirement by requirement, guided by the generator questions that map the 21 points of Annex I. CRACheck structures your assessment into 8 professional documents per Annex VII.

BROWSER-SIDE

Your product data never leaves your browser

CRACheck is JavaScript running on your machine. There is no server processing your product data, no database, no storage. The generation of all 8 PDFs happens locally and you download the ZIP directly. You can disconnect from wifi after loading the page and the generator keeps working. GDPR-native by design.

PORTABILITY

The downloaded PDFs are yours, no subscription

The 8 documents you download are not tied to any active subscription. In three years they are still valid without paying another euro. SaaS compliance platforms force you to renew to keep access to your reports. Here, the ZIP is a portable package that survives your commercial relationship with us.

Choose your CRACheck licence

Without technical documentation per Annex VII, your product cannot bear the CE marking or be legally marketed in the EU from December 2027. One licence per product. One-time payment. No subscription.

1 PRODUCT

149 €

/ product

✔ 8 PDF documents in ZIP (~40 pages)

✔ Full Annex VII Technical Documentation

✔ Annex I Risk Assessment

✔ EU Declaration of Conformity

✔ 10 regenerations · 30 days

Buy licence →

PACK 10 — MOST POPULAR

990 €

€99 / product

Save €500 (34% off)

✔ 10 individual licences

✔ 8 documents × 10 products = 80 PDFs

✔ Ideal for companies with a product portfolio

✔ For consultants billing CRA compliance

✔ 10 regen. per licence · 30 days each

Buy Pack 10 →

PACK 30

2,370 €

€79 / product

Save €2,100 (47% off)

✔ 30 individual licences

✔ 8 documents × 30 products = 240 PDFs

✔ For large portfolios, corporate groups

✔ Lowest per-product cost on the market

✔ 10 regen. per licence · 30 days each

Buy Pack 30 →

✔ Doc 1: Product Classifier — Art. 2 + Annexes III/IV

✔ Doc 5: EU Declaration of Conformity — Annex V

✔ Doc 2: Technical Documentation — Annex VII (8 points)

✔ Doc 6: CVD Policy — Annex I, Part II

✔ Doc 3: Risk Assessment — Annex I (21 requirements)

✔ Doc 7: Art. 14 Notification — 3 phases (24h/72h/14d)

✔ Doc 4: User Information — Annex II (9 points)

✔ Doc 8: Obligations Calendar + Art. 64 Penalties

One-time payment · PDF yours forever · 100% in your browser · No subscription
More than 30 products or need corporate invoicing? hello@solidwaretools.com

What CRACheck guarantees and what it doesn’t

Commercial honesty about the product scope and how refunds work for downloadable digital content.

Guarantees and liability

CRACheck generates a set of structured documents per Art. 31 and Annex VII of Regulation (EU) 2024/2847, based on the information you, as the manufacturer, provide. The accuracy, precision and completeness of that information is your responsibility as the manufacturer.

We guarantee that the document structure follows Annex VII and that the legal references cited (articles, annexes, obligations) are correct as of the latest verification date. We do not guarantee that a specific dossier will be accepted by a market surveillance authority in a specific case or by a notified body in a conformity assessment procedure.

CRACheck is not legal advice. For specific situations (open inspection, initiated penalty proceedings, third-party conformity assessment), consult a lawyer or regulatory consultancy specialising in cybersecurity.

Refund policy

CRACheck is digital content delivered via download of the ZIP containing the 8 PDF documents generated in your browser. Per Art. 16(m) of Directive (EU) 2011/83 on consumer rights, the right of withdrawal does not apply to digital content whose performance has begun with the express consent of the buyer. The generation of the ZIP constitutes the act of delivery.

Refund for technical failure: if the software fails (generator error, PDF that won’t download, reproducible bug), we issue a full refund upon submission of an error screenshot to hello@solidwaretools.com within 14 days of purchase.

No refund for change of mind once the licence has been activated and the ZIP generated, per Art. 16(m) cited above.

Frequently asked questions

What is the Cyber Resilience Act?▼

The Cyber Resilience Act is Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements. It is the first EU law establishing mandatory cybersecurity requirements for all connected hardware and software products. It entered into force on 10 December 2024, with staggered application: reporting obligations from 11 September 2026 and full application from 11 December 2027.

Is my product affected by the CRA?▼

Regulation (EU) 2024/2847 applies to all products with digital elements made available on the EU market whose intended or reasonably foreseeable use includes a direct or indirect, logical or physical data connection to a device or network (Art. 2(1)). This includes software, connected hardware, IoT devices, components and their remote data processing solutions. Excluded: medical devices, motor vehicles, civil aviation, marine equipment, defence products and non-commercial FOSS.

What is a product with digital elements?▼

Under Art. 3(1) of Regulation (EU) 2024/2847, a product with digital elements is any software or hardware product and its remote data processing solutions, including software or hardware components placed on the market separately. The scope is enormous: from a mobile app to a router, from an operating system to a connected toy, from an industrial IoT sensor to a microcontroller firmware.

When do I need to comply?▼

The vulnerability and incident reporting obligations (Art. 14) apply from 11 September 2026. The rest of the Regulation, including the essential cybersecurity requirements of Annex I and the technical documentation of Annex VII, applies from 11 December 2027 per Art. 71 of Regulation (EU) 2024/2847. From that date, CRA compliance is a legal precondition for placing products on the EU market and affixing the CE marking.

What is the Annex VII technical documentation?▼

Annex VII of Regulation (EU) 2024/2847 details the 8 blocks of information that technical documentation must contain: general product description, description of design, development, production and vulnerability handling processes (including SBOM and CVD policy), cybersecurity risk assessment, support period information, applied harmonised standards, test reports and the EU declaration of conformity. Art. 31 establishes the manufacturer’s obligation to draw up and maintain this documentation before placing the product on the market.

Does CRACheck replace a notified body?▼

No. CRACheck generates the technical documentation that the manufacturer must draw up per Art. 31 of Regulation (EU) 2024/2847. For Default category products (~90% of the market), the manufacturer can perform internal self-assessment per Module A (Art. 32(1)). For Important Class II and Critical products requiring third-party assessment (Arts. 32(3) and 8), the generated documentation is a prerequisite that the notified body will review.

Is my data secure?▼

Yes. All processing happens 100% in your browser. No data about your company, your product, its technical characteristics or your risk assessment is transmitted to any SolidwareTools server or third party. You can disconnect from the internet after loading the page and the generator keeps working. When you close the tab, the information disappears. GDPR-native by design, not by declaration.

Does it work if I operate from outside the EU?▼

Yes. The CRA applies to any manufacturer that makes products with digital elements available on the EU market, regardless of their country of origin (Art. 2(1)). If you sell connected software or hardware to European buyers, or if an EU importer markets your products in Europe, you need to comply. Importers are required to verify that technical documentation exists before placing the product on the market (Art. 19(2)).

What about open-source software?▼

FOSS that is not marketed in the context of a commercial activity is excluded from the CRA (Recitals 17-18). If the software is monetised, used to process personal data or the manufacturer accepts donations exceeding costs, it is considered commercial activity and falls under the CRA. Open-source software stewards (Art. 24) have a light-touch regulatory regime: they must have a documented cybersecurity policy and cooperate with authorities, but do not need CE marking and are not subject to fines (Art. 64(10)).

Is there a subscription or recurring fees?▼

No. Each tool is a one-time payment per product with digital elements. No monthly fees, no automatic renewals, no commitment. The 8 downloaded PDF documents are permanent and yours forever. Each licence covers one product with a 30-day editing window and up to 10 regenerations to correct data or update details. After that period the licence closes, but the PDFs you already downloaded remain valid indefinitely.

Can I get a refund?▼

Digital products are governed by Art. 16(m) of Directive (EU) 2011/83 on consumer rights. By activating the licence in the generator and expressly confirming the generation of the documents, the buyer consents to the nature of downloadable digital content and waives the right of withdrawal. No refunds for change of mind once the licence has been activated. Refunds are accepted for reproducible technical failures (generator error, PDF that won’t download, verifiable bug) by sending an error screenshot to hello@solidwaretools.com within 14 calendar days of purchase.

What if the regulation changes?▼

If Regulation (EU) 2024/2847 or its delegated acts change during the validity of your licence (30 days), you can regenerate the documents with the updated version of the generator at no additional cost. Generator updates are free and the latest version is always available with the same licence key. If the regulation changes after your editing window, the documents you already downloaded reflect the version in force at the time of their generation.

Complete technical documentation for your product with digital elements under the Cyber Resilience Act Annex VII.