PROFESSIONAL PACK · Reg. (EU) 2024/2847 · Buy pack — €1,199

Your EU clients are starting to require CRA documentation as a project deliverable. Each Annex VII dossier takes 20 hours to draft from scratch. With 70 licenses, each one takes 20 minutes — and ships with the code.

You are a software development firm serving European clients — ERPs, SaaS platforms, IoT firmware, fintech applications, analytics tools. Regulation (EU) 2024/2847 requires your clients to exercise due diligence on third-party components (Article 13.5). The software you develop is that component. Contracts are beginning to include CRA Annex VII documentation as a mandatory deliverable. CRACheck Professional Pack: 70 licenses, €1,199 one-time. 8 structured PDF documents per project. Generated in your browser in 20 minutes.


€1,199 · One-time · 70 dossiers · 8 PDFs each · Your data never leaves your browser

Built on Regulation (EU) 2024/2847 · Annex VII structure · Annex I Parts I & II mapped · Art. 13.5 due diligence · 100% browser-side — GDPR-native

The numbers that matter for your delivery pipeline

European clients are adding CRA compliance documentation to their RFPs and project contracts. The development firm that includes Annex VII documentation as a standard deliverable wins the contract. The one that treats it as out of scope loses it to a competitor that does not.

70
Dossiers per pack. One license per software product per client. Independent activation.
20 min
Per dossier — vs 20 hours of manual drafting per cybersecurity documentation package.
8 PDFs
Per product. Classification, Annex VII, risk assessment, vulnerability handling, DoC, CE marking, Art. 14 template.

Who uses the professional pack

CRACheck Professional Pack is built for software development firms that deliver products to European clients and need to include CRA documentation as part of the project handover.

💻
Offshore & nearshore dev firms
Developing software for EU manufacturers. CRA documentation as a competitive differentiator in proposals and tenders.
🏗️
Product development agencies
Building complete products — firmware, SaaS, embedded systems — for clients who market them under their own brand in the EU.
🔧
IoT & embedded systems firms
Developing connected products where the CRA applies directly. Documentation is part of the engineering deliverable.
📊
SaaS & platform developers
Building software products with remote data processing. Article 3(1) includes software and its remote data processing solutions.

What documenting 30 client projects costs — with and without the pack

Without the pack
€78,000+
Manual drafting: 30 projects × 20h × €130/h of senior architect time
Or hire a regulatory consultant per project:
30 projects × €2,000-4,000 = €60,000-€120,000

Or lose the contract to a competitor who includes it
✓ CRACheck Professional Pack
€1,199
One payment. 70 dossiers. 20 minutes each.
Total time: 30 × 20 min = 10 hours
No subscription. No regulatory expertise required.
Include in project scope — bill as part of the delivery.

What this pack actually changes in your delivery process

492h
Hours returned to development work
Time that goes back to billable engineering
€65,000
Cost of doing it manually
Senior architect time — documentation alone
First dossier delivered the same day. No setup. No onboarding. No integration project.
Ready on day one
€1,199 one-time · No subscription · No vendor dependency · Enterprise SaaS alternative: €15,000–30,000/year + weeks of setup

What each dossier includes: 8 structured documents

Every license generates a complete Annex VII technical documentation package. Each document cites the specific article of Regulation (EU) 2024/2847 it complies with. The dossier ships alongside the code as part of the project deliverable.

1. Product Classification Report
Default / Important Class I / Important Class II / Critical. Annex III + Annex IV analysis.

2. Annex VII Technical Documentation
Complete technical file structure. Product description, design, development, cybersecurity risk assessment methodology.

3. Cybersecurity Risk Assessment
Systematic assessment against the 13 essential requirements of Annex I Part I. Article 13.2.

4. Vulnerability Handling Documentation
8 requirements of Annex I Part II. Coordinated vulnerability disclosure policy, SBOM reference. Article 13.6.

5. EU Declaration of Conformity
Per Annex V. Manufacturer identification, product identification, conformity assessment. Article 28.

6. Simplified EU Declaration of Conformity
Per Annex VI. Short-form declaration with URL reference. Article 13.20.

7. CE Marking Guidance Sheet
Printable label with CE marking, support period end date, manufacturer contact. Article 30.

8. Article 14 Notification Template
Pre-structured template for reporting vulnerabilities to CSIRT/ENISA within 24 hours. Article 14.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

How it works — four steps

1. Buy the pack
70 license codes delivered by email via Gumroad. One payment. No subscription.

2. Activate a license
Each license has its own code. Activate when a project enters the documentation phase. 30-day editing window per license from first activation.

3. Generate the dossier
15-20 minutes. Guided form with references to every article. Enter the software product data — architecture, connectivity, security features, vulnerability handling process. The client does not need access to the tool.

4. Deliver with the project
8 PDFs in a ZIP file. Ship alongside the codebase, the release notes, and the test reports. Structured, article-by-article. Ready for the client's conformity assessment or market surveillance inspection.

Three mistakes that cost development firms contracts and clients

Pattern 1 — Treating CRA documentation as the client's problem

The client's due diligence obligation flows down to the development partner

Article 13.5 of Regulation (EU) 2024/2847 requires manufacturers to exercise due diligence when integrating components sourced from third parties. The software you develop is that third-party component. EU clients are already adding contractual clauses requiring development partners to deliver cybersecurity risk assessments, SBOM documentation, and Annex VII technical files. The firm that says "compliance is your responsibility" loses the RFP to the one that includes it in the delivery.

Pattern 2 — Delivering code without structured cybersecurity documentation

A README and a test report are not Annex VII documentation

The CRA requires specific documentation: a cybersecurity risk assessment against 13 essential requirements (Annex I Part I), vulnerability handling procedures covering 8 requirements (Annex I Part II), an SBOM, a coordinated vulnerability disclosure policy, and a Declaration of Conformity (Annex V). Standard development artefacts — unit test reports, architecture diagrams, API documentation — do not map to this structure. The client needs CRA-specific documentation, and the development firm is in the best position to produce it.

Pattern 3 — Ignoring CRA as a competitive differentiator

The firm that includes CRA documentation wins the contract

When two development firms compete for the same EU client project and one includes CRA Annex VII documentation as a standard deliverable, the decision is straightforward. The client saves time, reduces risk, and gets a complete compliance package. CRA documentation capability is becoming a selection criterion in RFPs — not a bonus, but a requirement. The firm that builds this into its delivery process now establishes the standard that competitors will have to match later.

Documentation and implementation: two layers

● LAYER 1 — What CRACheck does

Annex VII technical documentation

8 structured PDF documents per product. Cybersecurity risk assessment, vulnerability handling, Declaration of Conformity, CE marking guidance, notification template. Generated from product data in 20 minutes. Article-by-article traceability to Regulation (EU) 2024/2847.

∅ LAYER 2 — What CRACheck does not do

Security engineering and code-level implementation

Secure coding practices, penetration testing, SAST/DAST scanning, SBOM generation from dependency trees, encrypted communications implementation, secure boot, OTA update infrastructure. These are engineering tasks performed during development. CRACheck documents the cybersecurity posture — it does not build it.

CRACheck structures and documents. The development team builds security into the product. The documentation reflects what was implemented — and together they form the complete compliance package the client needs.

What your clients face without documentation

These are the consequences under Article 64 of Regulation (EU) 2024/2847 for manufacturers who place products on the EU market without CRA compliance. These are your clients' risks — and your argument for including documentation in every delivery.

🇪🇺
Non-compliance with essential cybersecurity requirements (Annex I)
Up to €15,000,000 or 2.5% of global turnover

Article 64.2 of Regulation (EU) 2024/2847. Whichever is higher.

🇪🇺
Non-compliance with documentation, CE marking, reporting obligations
Up to €10,000,000 or 2% of global turnover

Article 64.3. Covers failure to produce Annex VII technical documentation, CE marking, and vulnerability reporting.

🇪🇺
Product withdrawal or recall by market surveillance
Market access blocked

Article 54. Corrective measures, withdrawal, or recall if documentation is insufficient.

The clients face these consequences. The development firm that delivers documentation prevents them — and secures the long-term relationship.

Alternatives for documenting 30+ client projects

| Option | Cost for 30 projects | Total time | Output quality |
|---|---|---|---|
| Manual drafting (internal team) | Senior architect time only | 600+ hours | Variable, not CRA-structured |
| Hire a regulatory consultant per project | €60,000-€120,000 | Depends on provider | High, but erodes project margin |
| Enterprise SaaS platform | €8,000-€20,000/year | 2-4 weeks setup | High, requires integration |
| CRACheck Professional Pack | €1,199 (one-time) | ~10 hours total | Structured, Annex VII, article-by-article |

What CRACheck guarantees and what it does not

CRACheck generates a structured documentation package according to Annex VII of Regulation (EU) 2024/2847 from the information that the user enters. The truthfulness, accuracy and completeness of that information is the responsibility of the manufacturer — or of the development firm entering data on their behalf.

We guarantee that the document structure follows Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct as of the latest verification date. We do not guarantee that a specific document will be accepted by a market surveillance authority or by a client in a procurement or audit process.

CRACheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.

Frequently asked questions — professional pack

How do the 70 licenses work?
Each license is activated with a unique code and is associated with one specific product and manufacturer. One license equals one Annex VII dossier. The 70 licenses are used independently. They do not expire as a block — each one has its own 30-day editing window from its individual first activation.
Can I request a refund?
The pack is a digital product governed by Article 16(m) of Directive (EU) 2011/83 on consumer rights. By activating the first license and expressly confirming PDF generation, the buyer consents to the downloadable digital content nature of the product and waives the right of withdrawal. Refunds are accepted only for reproducible technical failures (generator error, PDF that does not download, verifiable bug) within 14 calendar days of purchase.
What if the regulation changes?
Unused licenses will generate the dossier using the updated version of the generator at no additional cost. CRACheck is updated within 48 hours of any regulatory change published in the Official Journal of the European Union.
Do I need legal expertise to use the tool?
No. The generator guides step by step with references to each article of Regulation (EU) 2024/2847. The user enters the product data — architecture, connectivity, security features, vulnerability handling process. The tool structures the dossier according to Annex VII. It does not replace legal advice but reduces documentation time from hours to minutes.
Is CRA documentation the development firm's responsibility or the client's?
Under Regulation (EU) 2024/2847, the manufacturer — the entity that markets the product under its name or trademark (Article 3.13) — bears the legal obligations. That is typically the EU client. However, Article 13.5 requires manufacturers to exercise due diligence on third-party components, and the software you develop is that component. In practice, EU clients are now contractually requiring their development partners to deliver CRA-compliant documentation — cybersecurity risk assessment, vulnerability handling documentation, SBOM, and Annex VII technical files — as part of the project deliverables. The legal obligation is the client's. The contractual obligation is increasingly the development firm's.
Does CRACheck cover software-only products without hardware?
Yes. Article 3(1) of Regulation (EU) 2024/2847 defines a product with digital elements as a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately. Software products — SaaS platforms, embedded firmware, standalone applications, APIs, libraries placed on the market — are explicitly within scope. CRACheck generates the full Annex VII documentation package for software products, including the cybersecurity risk assessment against the 13 essential requirements of Annex I Part I and the 8 vulnerability handling requirements of Annex I Part II.
⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The documents are generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment, a notified body evaluation, or a formal cybersecurity certification.

Your EU clients will require CRA documentation as a project deliverable before December 2027. The development firm that includes it in every delivery wins the contract. The one that says "compliance is your responsibility" loses it.

70 licenses. 8 PDF documents per product. Annex VII structure. Browser-side. One payment.
