
Annex I of Regulation (EU) 2024/2847 sets out essential cybersecurity requirements in two parts: Part I for the product, Part II for vulnerability handling. Article 13(2) requires you to assess the cybersecurity risks and take them into account during design, development, and production. CRACheck structures a risk assessment against every Annex I requirement and outputs it as part of the 8-document CRA compliance package.

The cybersecurity risk assessment under the CRA is a product-level assessment, not an organisational information security audit. Annex I, Part I covers 13 essential requirements — from protection against unauthorised access to data integrity to secure default settings. Part II adds 8 vulnerability handling requirements — from vulnerability identification to security updates to SBOM maintenance. CRACheck maps your product's characteristics against each requirement and generates a structured risk assessment document. €149 per product. 15–25 minutes. 100% browser-side.


Key figures

Part I: 13 essential cybersecurity requirements for the product (confidentiality, integrity, availability, access control, secure defaults, etc.)
Part II: 8 vulnerability handling requirements (identification, documentation, remediation, security updates, SBOM, CVD)
Art. 13(2): Manufacturers must assess cybersecurity risks and take them into account during planning, design, development, production, and delivery

How CRACheck structures your risk assessment

1. Describe your product
   Enter product type, connectivity, data processed, interfaces, intended use environment, and user profile.
2. Map Annex I, Part I
   CRACheck walks through each essential requirement: protection against unauthorised access, data confidentiality, data integrity, availability, minimisation of negative impact, secure by default, protection against DoS, and more.
3. Map Annex I, Part II
   CRACheck covers vulnerability handling: identification, documentation, timely remediation, security update delivery, SBOM maintenance, coordinated vulnerability disclosure, and support period commitment.
4. Generate structured Risk Assessment
   The tool outputs a document with each Annex I requirement listed, your declared risk status, and the mitigation measures documented.
5. Integration with Technical Documentation
   The Risk Assessment feeds directly into the Art. 31 + Annex VII Technical Documentation.
6. Download 8-document ZIP
   Risk Assessment, Technical Documentation, Product Classifier, User Information, Declaration of Conformity, CVD Policy, Notification Template, Obligations Calendar.

Common mistakes

ANNEX I

"Our ISO 27001 risk assessment covers the CRA."

ISO 27001 addresses organisational information security management — not product-level cybersecurity risk. Annex I of Regulation (EU) 2024/2847 requires assessing risks specific to the product's design, functionality, and intended use. An ISO 27001 certificate for your company does not satisfy the CRA's product-level risk assessment.

ANNEX I, PART II

"We only need to assess Part I — Part II is about operations."

Part II is not operational — it defines essential requirements for how the product handles vulnerabilities throughout its lifecycle: from identification to remediation to update delivery. These requirements must be designed into the product, not bolted on after deployment.

ART. 13(3)

"Risk assessment is a one-time exercise."

Article 13(3) of Regulation (EU) 2024/2847 requires manufacturers to regularly review and update the cybersecurity risk assessment during the expected product lifetime or the support period (minimum 5 years per Art. 13(8)). The risk assessment is a living document.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
   Category under Annex III / IV.
2. Technical Documentation
   Art. 31 + Annex VII. The risk assessment is a core component.
3. Risk Assessment
   Primary deliverable. Structured assessment against each Annex I, Part I requirement and Part II requirement.
4. User Information
   Annex II. Communicates residual risks to the user.
5. Declaration of Conformity
   Art. 28 + Annex V.
6. CVD Policy
   Art. 13(6). Operationalises the vulnerability handling processes.
7. Notification Template
   Art. 14. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
8. Obligations Calendar
   Includes risk assessment review milestones.


Generated from your data, in your browser. No data leaves your device.

What you pay

THIRD-PARTY ASSESSMENT
Product security risk assessment — €5,000–€20,000
4–10 weeks
Requires sharing product architecture and source code
Produces one report in the assessor's format

CRACHECK
€149 — Risk assessment + 7 additional documents
15–25 minutes
100% browser-side. No data shared
Pack: €99/product (10), €79/product (30)

Two layers

● LAYER 1 — DOCUMENTATION · CRACHECK

Documentation layer

CRACheck generates a structured risk assessment mapping your product against every Annex I requirement. Integrated with the full 8-document CRA package.

∅ LAYER 2 — NOT INCLUDED

What CRACheck does not do

CRACheck does not perform penetration testing, threat modelling workshops, architecture reviews, or code audits. It does not discover vulnerabilities in your product. The risk assessment documents what you declare about your product.

Documentation without testing is incomplete. Testing without documentation is undocumented. CRACheck handles the documentation layer.

Enforcement regime

Art. 64(1) — Up to €15,000,000 or 2.5%
For non-compliance with essential cybersecurity requirements under Art. 6 + Annex I.

Art. 64(2) — Up to €10,000,000 or 2%
For failing to document the risk assessment as part of the technical file under Art. 31.

Art. 64(3) — Up to €5,000,000 or 1%
For providing incomplete or misleading risk assessment information to authorities.

Alternatives

| Criterion | ISO 27001 risk register | Generic risk template | Security consultancy | CRACheck |
|---|---|---|---|---|
| CRA Annex I coverage | Organisational, not product | Partial | Full, but slow | Full (Part I + II) |
| CRA documentation integration | None | None | Separate deliverable | Integrated (8 docs) |
| Cost | Included in ISO audit (€10K+) | Free (template) | €5K–€20K | €149 |
| Time | Part of ISO cycle | 2–4 weeks | 4–10 weeks | 15–25 min |

Risk assessments for a product line?

Each product needs its own Annex I risk assessment. Pack pricing: €99/product (10), €79/product (30).

Commercial enquiries via hello@solidwaretools.com

What CRACheck guarantees and what it does not

CRACheck generates a structured risk assessment document according to Annex I of Regulation (EU) 2024/2847 based on the information you enter. The accuracy of your threat declarations, mitigation measures, and residual risk statements is your responsibility as the manufacturer.

We guarantee that the document structure follows Annex I (Part I + Part II) and that the legal references cited are correct. We do not guarantee that the risk assessment will be accepted by a market surveillance authority in a specific inspection.

CRACheck is not legal advice. For complex risk scenarios, consult a specialised product security or regulatory consultancy.

Frequently asked questions

Does the CRA risk assessment replace ISO 27005 or NIST RMF?
No. Annex I of Regulation (EU) 2024/2847 defines product-specific cybersecurity requirements. ISO 27005 and NIST RMF are risk management frameworks at organisational level. They can inform your methodology, but the CRA requires a product-level assessment against the specific Annex I requirements.

How often must the risk assessment be updated?
Article 13(3) of Regulation (EU) 2024/2847 requires manufacturers to regularly review and update the risk assessment throughout the expected product lifetime or support period. At minimum, update when the product changes, when new threats emerge, or when the threat landscape relevant to the product shifts.

Does a risk assessment for one product variant cover all variants?
No. Each product variant with different functionality, connectivity, data handling, or user profile requires its own risk assessment.

What level of detail does Annex I expect?
Annex I does not prescribe a specific risk assessment methodology or level of granularity. However, the assessment must be sufficient to demonstrate that the essential requirements in Part I and Part II have been considered and addressed.

Is this a subscription?
No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?
Under Art. 16(m) of Directive (EU) 2011/83, activating the licence constitutes express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only processed for reproducible technical failures.

What if the regulation changes?
If Regulation (EU) 2024/2847 is amended during your licence window, you can regenerate the documentation using the updated version of the generator at no additional cost.

Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

Structure your Annex I risk assessment. All 21 requirements mapped. 15–25 minutes.

CRACheck maps every Annex I requirement to your product and generates the full documentation set. €149 per product.

Last regulatory check: 1 May 2026 · No substantive changes detected