What Is the Cyber Resilience Act? EU Regulation Explained

Key facts about the Cyber Resilience Act

11 Dec 2027

Full enforcement date — Article 69 of Regulation (EU) 2024/2847

€15M

Maximum administrative fine — or 2.5% of worldwide annual turnover (Art. 64(2))

8 PDFs

Documents generated per product — Art. 31 + Annex VII technical documentation dossier

How to generate your CRA documentation

Determine product classification

CRACheck's Product Classifier identifies whether your product falls under Default, Important Class I (Annex III Part I), Important Class II (Annex III Part II), or Critical (Annex IV). The classification determines which conformity assessment module applies under Article 32.

Enter product and manufacturer data

Manufacturer name, address, product description, intended purpose, software version, support period. These fields map directly to Annex VII points 1(a) through 1(d) and Annex II.

Complete the cybersecurity risk assessment

Guided questionnaire covering the essential cybersecurity requirements of Annex I Part I and the vulnerability handling requirements of Part II. CRACheck structures your answers into the risk assessment required by Article 13(2)–(3).

Define vulnerability handling processes

Coordinated vulnerability disclosure policy, contact address, SBOM reference, update distribution mechanism. Required by Annex VII point 2(b) and Annex I Part II.

Generate and review the 8-document dossier

CRACheck produces all 8 PDFs as a single ZIP. Review each document in your browser before downloading.

Download, sign, and file

The EU Declaration of Conformity (Annex V) requires a signature. Sign it, store the dossier for at least 10 years after placing the product on the market (Article 13(18)), and provide it to market surveillance authorities on request.

Common misconceptions about the CRA

❌

WRONG ASSUMPTION

Thinking the CRA only applies to IoT devices

Article 2(1) of Regulation (EU) 2024/2847 covers any product with digital elements whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. This includes standalone software, firmware, embedded systems, and connected hardware across all sectors — not only IoT.

❌

DOCUMENTATION GAP

Assuming a CE mark covers cybersecurity

Existing CE marking under sector-specific directives (LVD 2014/35/EU, EMC 2014/30/EU, RED 2014/53/EU) does not address the cybersecurity requirements of Annex I of Regulation (EU) 2024/2847. The CRA introduces a separate, horizontal cybersecurity layer. Article 31 technical documentation is an additional obligation.

❌

TIMELINE ERROR

Waiting until 2027 to start preparing

Article 14 reporting obligations apply from 11 September 2026 — 15 months before full enforcement. Manufacturers must have vulnerability notification processes operational by that date. The 24-hour early warning requirement (Art. 14(2)(a)) cannot be implemented overnight.

What each ZIP contains: 8 documents

Each CRACheck licence generates a ZIP with 8 PDF documents for one product.

Product Classifier

Determines whether your product falls under Default, Important Class I (Annex III), Class II, or Critical (Annex IV). Defines the applicable conformity assessment module under Article 32.

Technical Documentation

The complete dossier required by Article 31 and Annex VII: product description, system architecture, design and development information, vulnerability handling processes, standards applied, and test reports.

Risk Assessment

Cybersecurity risk assessment pursuant to Article 13(2)–(3), covering the essential requirements of Annex I Part I and the vulnerability handling requirements of Part II.

User Information

The information and instructions to the user required by Annex II: manufacturer contact, vulnerability reporting point, support period end-date, commissioning instructions, secure decommissioning.

Declaration of Conformity

EU declaration of conformity as specified in Article 28 and Annex V, ready to sign. Includes manufacturer identification, product traceability data, and legal basis references.

CVD Policy

Coordinated vulnerability disclosure policy as required by Annex I Part II point (5). Includes contact address, acknowledgement timeline, and disclosure process.

Notification Template

Pre-structured template for the notifications to ENISA under Article 14: early warning (24h), vulnerability notification (72h), and final report (14 days).

Obligations Calendar

Timeline of key dates: Art. 14 reporting (11 Sept 2026), full enforcement (11 Dec 2027), support period milestones, documentation retention (10 years per Art. 13(18)).

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated in your browser. No data leaves your device.

The alternative vs CRACheck

🧾 REGULATORY CONSULTANT

€5,000–€20,000

Per product depending on complexity. 3–8 weeks delivery time. Your data sent to the consultant's infrastructure. Ongoing retainer for updates.

✓ CRACHECK

€149

15–25 minutes. 100% browser-side — data never leaves your device. One-time payment per product. 30-day edit window, 10 regenerations. Structured to Art. 31 + Annex VII.

Two layers of compliance

● LAYER 1

What CRACheck does — Documentation layer

CRACheck generates the 8-document technical dossier required by Article 31 and Annex VII of Regulation (EU) 2024/2847. It structures your input data into the format the regulation requires: product classification, technical documentation, cybersecurity risk assessment, user information, EU declaration of conformity, CVD policy, notification template, and obligations calendar. The output is a set of PDFs generated entirely in your browser.

∅ LAYER 2

What CRACheck does NOT do

CRACheck does not perform penetration testing, code audits, or vulnerability scanning. It does not act as a notified body under Article 32. It does not file notifications to ENISA on your behalf under Article 14. It does not appoint an authorised representative under Article 18. For products classified as Important Class II or Critical, CRACheck produces the documentation structure, but the conformity assessment itself must follow Module B+C or Module H through a notified body (Article 32(2)–(3)).

The documentation is one layer of compliance. CRACheck covers that layer. The operational, testing, and organisational layers remain your responsibility as manufacturer under Article 13.

Enforcement regime

⚖️

CRA: Annex I cybersecurity non-compliance

€15M / 2.5%

Art. 64(2) of Regulation (EU) 2024/2847.

⚖️

CRA: Documentation and conformity assessment failures

€10M / 2%

Art. 64(3) of Regulation (EU) 2024/2847.

⚖️

CRA: Misleading information to authorities

€5M / 1%

Art. 64(4) of Regulation (EU) 2024/2847.

Alternatives compared

Criterion	Law firm	In-house legal team	Generic template	CRACheck
Price	€8,000–€20,000	Salary + months of work	€0–€500	€149 per product
Time	4–8 weeks	2–6 months	Hours of adaptation	15–25 minutes
Legal basis accuracy	Depends on firm	Depends on team CRA knowledge	Outdated or generic	Art. 31 + Annex VII mapped
Data handling	Sent to external firm	Internal	Internal	100% browser-side

Multiple products in your portfolio? One dossier at a time is not a strategy.

For manufacturers with 10+ products requiring CRA documentation, volume pricing applies: €99 per product (pack 10) or €79 per product (pack 30). Contact us for commercial terms.

Request Volume Pricing

Commercial enquiries via hello@solidwaretools.com

What CRACheck guarantees and what it does not

CRACheck generates a structured document set according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, completeness, and truthfulness of that information is your responsibility as the manufacturer.

We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct. We do not guarantee that a specific document will be accepted by a market surveillance authority in a particular case.

CRACheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.

Frequently asked questions — What is the CRA

What exactly is the Cyber Resilience Act?

The Cyber Resilience Act is Regulation (EU) 2024/2847 of the European Parliament and of the Council, published in the Official Journal on 20 November 2024. It establishes horizontal cybersecurity requirements for products with digital elements placed on the EU market. It requires manufacturers to produce technical documentation under Article 31 and Annex VII, conduct a cybersecurity risk assessment under Article 13, and handle vulnerabilities throughout the product's support period under Annex I Part II.

Does the CRA apply to products manufactured outside the EU?

Yes. Article 2(1) of Regulation (EU) 2024/2847 applies to products with digital elements made available on the EU market, regardless of where they are manufactured. If you sell a product with digital elements to an EU customer, the CRA applies to you. Non-EU manufacturers may appoint an authorised representative under Article 18.

What is the difference between the CRA and NIS2?

Regulation (EU) 2024/2847 (CRA) applies to products with digital elements and targets manufacturers, importers, and distributors. Directive (EU) 2022/2555 (NIS2) applies to operators of essential and important services and targets the organisations using those products. The CRA regulates the product; NIS2 regulates the operator. Both are complementary.

How does CRACheck relate to the conformity assessment under Article 32?

CRACheck generates the technical documentation required by Article 31 and Annex VII — the documentary foundation. For Default category products, the conformity assessment can be performed internally under Module A (Annex VIII). For Important Class I products, Module A is also available unless the manufacturer does not apply harmonised standards. For Important Class II or Critical products, a notified body must be involved (Modules B+C or H). CRACheck covers the documentation; the assessment process is separate.

What is a 'product with digital elements' under the CRA?

Article 3(1) of Regulation (EU) 2024/2847 defines it as any software or hardware product and its remote data processing solutions, including software or hardware components placed on the market separately, whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.

Is this a subscription?

No. One-time payment. The licence includes a 30-day editing window and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Article 16(m) of Directive (EU) 2011/83, by activating the licence you give express consent for the immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are accepted only for reproducible technical defects.

What if the regulation changes?

If the regulation is amended during the validity of your licence, you can regenerate the document with the updated version of the generator at no additional cost.

Official legal sources

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.