
Your EU distributor forwarded an email mentioning "Cyber Resilience Act compliance". You searched the term. Regulation (EU) 2024/2847 is a horizontal cybersecurity law that applies to every product with digital elements sold in the European Union — and Article 31 requires you to produce technical documentation before you place it on the market.

The Cyber Resilience Act (CRA) was published in the Official Journal on 20 November 2024 as Regulation (EU) 2024/2847. It applies from 11 December 2027 to any hardware or software product with a direct or indirect data connection to a device or network, regardless of where the manufacturer is established (Article 2(1)). Non-compliance triggers administrative fines up to €15 million or 2.5% of worldwide annual turnover under Article 64(2). CRACheck generates the 8-document technical dossier required by Article 31 and Annex VII in 15–25 minutes, at €149 per product, entirely in your browser.


Key facts about the Cyber Resilience Act

11 Dec 2027: full enforcement date (Article 69 of Regulation (EU) 2024/2847)
€15M: maximum administrative fine, or 2.5% of worldwide annual turnover (Art. 64(2))
8 PDFs: documents generated per product (Art. 31 + Annex VII technical documentation dossier)

How to generate your CRA documentation

1. Determine product classification
CRACheck's Product Classifier identifies whether your product falls under Default, Important Class I (Annex III Part I), Important Class II (Annex III Part II), or Critical (Annex IV). The classification determines which conformity assessment module applies under Article 32.

2. Enter product and manufacturer data
Manufacturer name, address, product description, intended purpose, software version, support period. These fields map directly to Annex VII points 1(a) through 1(d) and Annex II.

3. Complete the cybersecurity risk assessment
Guided questionnaire covering the essential cybersecurity requirements of Annex I Part I and the vulnerability handling requirements of Part II. CRACheck structures your answers into the risk assessment required by Article 13(2)–(3).

4. Define vulnerability handling processes
Coordinated vulnerability disclosure policy, contact address, SBOM reference, update distribution mechanism. Required by Annex VII point 2(b) and Annex I Part II.

5. Generate and review the 8-document dossier
CRACheck produces all 8 PDFs as a single ZIP. Review each document in your browser before downloading.

6. Download, sign, and file
The EU Declaration of Conformity (Annex V) requires a signature. Sign it, store the dossier for at least 10 years after placing the product on the market (Article 13(18)), and provide it to market surveillance authorities on request.

Common misconceptions about the CRA

WRONG ASSUMPTION

Thinking the CRA only applies to IoT devices

Article 2(1) of Regulation (EU) 2024/2847 covers any product with digital elements whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. This includes standalone software, firmware, embedded systems, and connected hardware across all sectors — not only IoT.

DOCUMENTATION GAP

Assuming a CE mark covers cybersecurity

Existing CE marking under sector-specific directives (LVD 2014/35/EU, EMC 2014/30/EU, RED 2014/53/EU) does not address the cybersecurity requirements of Annex I of Regulation (EU) 2024/2847. The CRA introduces a separate, horizontal cybersecurity layer. Article 31 technical documentation is an additional obligation.

TIMELINE ERROR

Waiting until 2027 to start preparing

Article 14 reporting obligations apply from 11 September 2026 — 15 months before full enforcement. Manufacturers must have vulnerability notification processes operational by that date. The 24-hour early warning requirement (Art. 14(2)(a)) cannot be implemented overnight.

What each ZIP contains: 8 documents

Each CRACheck licence generates a ZIP with 8 PDF documents for one product.

1. Product Classifier
Determines whether your product falls under Default, Important Class I (Annex III), Class II, or Critical (Annex IV). Defines the applicable conformity assessment module under Article 32.

2. Technical Documentation
The complete dossier required by Article 31 and Annex VII: product description, system architecture, design and development information, vulnerability handling processes, standards applied, and test reports.

3. Risk Assessment
Cybersecurity risk assessment pursuant to Article 13(2)–(3), covering the essential requirements of Annex I Part I and the vulnerability handling requirements of Part II.

4. User Information
The information and instructions to the user required by Annex II: manufacturer contact, vulnerability reporting point, support period end-date, commissioning instructions, secure decommissioning.

5. Declaration of Conformity
EU declaration of conformity as specified in Article 28 and Annex V, ready to sign. Includes manufacturer identification, product traceability data, and legal basis references.

6. CVD Policy
Coordinated vulnerability disclosure policy as required by Annex I Part II point (5). Includes contact address, acknowledgement timeline, and disclosure process.

7. Notification Template
Pre-structured template for the notifications to ENISA under Article 14: early warning (24h), vulnerability notification (72h), and final report (14 days).

8. Obligations Calendar
Timeline of key dates: Art. 14 reporting (11 Sept 2026), full enforcement (11 Dec 2027), support period milestones, documentation retention (10 years per Art. 13(18)).


Generated in your browser. No data leaves your device.

The alternative vs CRACheck

REGULATORY CONSULTANT
€5,000–€20,000
Per product depending on complexity. 3–8 weeks delivery time. Your data sent to the consultant's infrastructure. Ongoing retainer for updates.

Last regulatory check: 2 May 2026 · No substantive changes detected