
Annex I of Regulation (EU) 2024/2847 sets out essential cybersecurity requirements in two parts: Part I for the product, Part II for vulnerability handling. Article 13(2) requires you to assess the cybersecurity risks and take them into account during design, development, and production. CRACheck structures a risk assessment against every Annex I requirement and outputs it as part of the 8-document CRA compliance package.

The cybersecurity risk assessment under the CRA is a product-level assessment, not an organisational information security audit. Annex I, Part I covers 13 essential requirements, ranging from protection against unauthorised access through data integrity to secure default settings. Part II adds 8 vulnerability handling requirements, ranging from vulnerability identification through security updates to SBOM maintenance. CRACheck maps your product's characteristics against each requirement and generates a structured risk assessment document. €149 per product. 15–25 minutes. 100% browser-side.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Annex I Part I + Part II · Risk Assessment · 8 documents · 100% browser-side

Key figures

Part I: 13 essential cybersecurity requirements for the product (confidentiality, integrity, availability, access control, secure defaults, etc.)
Part II: 8 vulnerability handling requirements (identification, documentation, remediation, security updates, SBOM, CVD)
Art. 13(2): Manufacturers must assess cybersecurity risks and take them into account during planning, design, development, production, and delivery

How CRACheck structures your risk assessment

1. Describe your product
   Enter product type, connectivity, data processed, interfaces, intended use environment, and user profile.
2. Map Annex I, Part I
   CRACheck walks through each essential requirement: protection against unauthorised access, data confidentiality, data integrity, availability, minimisation of negative impact, secure by default, protection against DoS, and more.
3. Map Annex I, Part II
   CRACheck covers vulnerability handling: identification, documentation, timely remediation, security update delivery, SBOM maintenance, coordinated vulnerability disclosure, and support period commitment.
4. Generate structured Risk Assessment
   The tool outputs a document with each Annex I requirement listed, your declared risk status, and the mitigation measures documented.
5. Integration with Technical Documentation
   The Risk Assessment feeds directly into the Art. 31 + Annex VII Technical Documentation.
6. Download 8-document ZIP
   Risk Assessment, Technical Documentation, Product Classifier, User Information, Declaration of Conformity, CVD Policy, Notification Template, Obligations Calendar.

Common mistakes

ANNEX I

"Our ISO 27001 risk assessment covers the CRA."

ISO 27001 addresses organisational information security management — not product-level cybersecurity risk. Annex I of Regulation (EU) 2024/2847 requires assessing risks specific to the product's design, functionality, and intended use. An ISO 27001 certificate for your company does not satisfy the CRA's product-level risk assessment.

ANNEX I, PART II

"We only need to assess Part I — Part II is about operations."

Part II is not operational — it defines essential requirements for how the product handles vulnerabilities throughout its lifecycle: from identification to remediation to update delivery. These requirements must be designed into the product, not bolted on after deployment.

ART. 13(3)

"Risk assessment is a one-time exercise."

Article 13(3) of Regulation (EU) 2024/2847 requires manufacturers to regularly review and update the cybersecurity risk assessment during the expected product lifetime or the support period (minimum 5 years per Art. 13(8)). The risk assessment is a living document.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
   Category under Annex III / IV.
2. Technical Documentation
   Art. 31 + Annex VII. The risk assessment is a core component.
3. Risk Assessment
   Primary deliverable. Structured assessment against each Annex I, Part I requirement and Part II requirement.
4. User Information
   Annex II. Communicates residual risks to the user.
5. Declaration of Conformity
   Art. 28 + Annex V.
6. CVD Policy
   Art. 13(6). Operationalises the vulnerability handling processes.
7. Notification Template
   Art. 14. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
8. Obligations Calendar
   Includes risk assessment review milestones.


Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 THIRD-PARTY ASSESSMENT
Product security risk assessment — €5,000–€20,000
4–10 weeks
Requires sharing product architecture and source code
Produces one report in the assessor's format
✓ Last regulatory check: 1 May 2026 · No substantive changes detected