How do I know if my microcontroller is Class I or Class II?

Annex III lists microcontrollers with security-related functionalities as Class I (item 14) and tamper-resistant microcontrollers as Class II (item 4). The distinction is tamper resistance: if your product is designed to resist physical attacks (decapping, probing, fault injection), it is Class II. CRACheck's classification module walks you through this determination.

Is a secure element the same as a Class II microcontroller?

Not necessarily. Annex IV (Critical products) separately lists "smartcards or similar devices, including secure elements" (item 3). A secure element may be classified as Critical rather than Important Class II. This distinction matters because Critical products may require European cybersecurity certification under Article 32(5).

What about chips already on the EU market before December 2027?

Products placed on the market before 11 December 2027 are not retroactively covered, unless a substantial modification is made (Art. 22). New production batches shipped after the deadline must comply.

Is this a subscription?

No. One-time payment. 30 days editing, 10 regenerations. PDF yours permanently.

Can I request a refund?

Under Article 16(m) of Directive (EU) 2011/83, licence activation constitutes express consent for immediate digital content generation. Refunds only for reproducible technical failures.

What if the regulation is amended?

Regenerate at no additional cost during your licence validity.

Annex III of Regulation (EU) 2024/2847 lists microcontrollers with security-related functionalities as Important Class I, tamper-resistant microcontrollers as Class II, and smartcards and secure elements as Critical products under Annex IV. Your conformity assessment obligations depend on where your product lands. CRACheck classifies and documents it.

Q: Can we use an existing Common Criteria certificate?

A CC certificate does not automatically satisfy CRA requirements. Article 32(2) allows Module A for Important Class I only if harmonised standards covering all essential requirements are applied, or if an EU cybersecurity certification at assurance level "substantial" or higher covers the requirements. Verify whether your CC evaluation maps to an adopted EU cybersecurity certification scheme under Regulation (EU) 2019/881.

The Cyber Resilience Act creates three tiers of scrutiny for security silicon. A standard microcontroller with a crypto engine is Important Class I (Annex III, item 14) — Module A self-assessment is available if harmonised standards apply. A tamper-resistant microcontroller is Important Class II (Annex III, item 4) — Module A is not available; third-party assessment is mandatory. A secure element or smartcard is Critical (Annex IV, item 3) — European cybersecurity certification may be required under Article 32(5). CRACheck walks you through classification and generates the documentation for whichever tier applies. €149 per product. 15–25 minutes.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

3 tiers

Class I · Class II · Critical — different assessment paths

Art. 32

Conformity assessment procedure for each tier

€149

Per product, one-time documentation

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Answer the classification questionnaire

CRACheck asks about security functions, tamper resistance, and intended use to determine Annex III or Annex IV category

Confirm your tier

The tool shows exactly which Annex item applies and explains the conformity assessment path (Module A, Module B+C, Module H, or EU certification)

Input technical specifications

Architecture, security functions, interfaces, firmware versioning

Complete the cybersecurity requirements mapping

How your product meets each applicable Annex I Part I requirement

Document vulnerability handling processes

PSIRT, CVE management, patch distribution, coordinated disclosure

Generate the 8-document dossier

Tailored to your classification tier, with correct conformity assessment references

Download and integrate

Ready for notified body submission (Class II), certification application (Critical), or internal file (Class I with standards)

Common mistakes

❌

TIER CONFUSION

"All microcontrollers have the same CRA obligations"

Regulation (EU) 2024/2847 distinguishes sharply. A microcontroller with security-related functionalities is Important Class I (Annex III, item 14) — self-assessment may suffice with harmonised standards. A tamper-resistant microcontroller is Important Class II (Annex III, item 4) — third-party conformity assessment is mandatory under Art. 32(3). Conflating the two means preparing for the wrong assessment path.

❌

CRITICAL PRODUCT OVERSIGHT

"Secure elements are treated the same as microcontrollers"

Annex IV separately lists "smartcards or similar devices, including secure elements" (item 3) as Critical products. Article 32(5) may require European cybersecurity certification for Critical products. This is a fundamentally different regime from Annex III Important products.

❌

STANDARD ASSUMPTION

"We follow Common Criteria, so CRA compliance is automatic"

Common Criteria certification is not automatically equivalent to CRA conformity. Article 32(2) allows Module A for Important Class I products only if harmonised standards covering all essential requirements are applied, or if an EU cybersecurity certification at assurance level "substantial" exists. A CC evaluation may support but does not replace CRA documentation and conformity assessment.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Maps your product against Annex III (items 13–14 Class I, items 3–4 Class II) and Annex IV (item 3 Critical). Documents classification rationale and applicable conformity assessment procedure under Art. 32.

Technical Documentation

Annex VII dossier structured for your tier. Silicon architecture, security function specs, design and development processes, production controls.

Risk Assessment

Annex I Part I analysis. Evaluates physical attacks, side channels, fault injection, supply chain compromise specific to security silicon.

User Information

Annex II information for downstream integrators. Secure deployment guidelines, configuration requirements, end-of-life procedures.

Declaration of Conformity

Art. 28 + Annex V, pre-structured with your Annex III/IV classification and applicable conformity module.

CVD Policy

Vulnerability disclosure framework: PSIRT, coordination with chip integrators, reporting protocols.

Notification Template

Art. 14 ENISA notification: 24h, 72h, 14-day timeline.

Obligations Calendar

Classification-specific milestones and enforcement dates.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 NOTIFIED BODY PRE-ENGAGEMENT CONSULTANT

€15,000–€30,000

8–16 weeks. Required for Class II and Critical anyway — but documentation must exist first. Scope often unclear until classification is confirmed.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history