The Critical tier is the narrowest classification in the CRA. Only 3 product categories appear in Annex IV: hardware devices with security boxes, smart meter gateways within smart metering systems as defined in Article 2(23) of Directive (EU) 2019/944, and smartcards or similar devices including secure elements. Under Article 8(1), the Commission may adopt delegated acts requiring these products to obtain European cybersecurity certification at assurance level "substantial" under a scheme adopted pursuant to Regulation (EU) 2019/881. Until such delegated acts are adopted, Article 32(4) allows Critical products to use the same procedures as Class II: Module B+C or Module H. In either path, the starting point is the technical documentation under Article 31 and Annex VII. CRACheck generates it. €149. 15–25 minutes. 8 PDFs.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
Whether the certification path is triggered by a delegated act under Article 8(1) or the fallback under Article 32(4) applies, the certification body or notified body will request the technical documentation described in Annex VII. CRACheck generates this documentation.
Article 8(1) of Regulation (EU) 2024/2847 empowers the Commission to adopt delegated acts requiring certification, but only if a European cybersecurity certification scheme under Regulation (EU) 2019/881 exists and covers the product category. Until such a delegated act is adopted, Article 32(4) allows Module B+C or Module H as fallback.
Annex IV category 1 refers to hardware devices with security boxes — specialised physical tamper-resistant enclosures for cryptographic operations. A consumer router with TLS support is not a "hardware device with a security box" under this definition.
Module A is never available for Critical products. Article 32(4) limits Critical products to European cybersecurity certification under Article 8(1) or, if that is not available, the procedures in Article 32(3): Module B+C, Module H, or European cybersecurity certification at assurance level "substantial."
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Confirms Critical classification under Annex IV. Documents which of the 3 categories applies and the certification path under Article 8(1) or Article 32(4).
Annex VII file structured for certification-body review. Includes system architecture, SBOM reference, vulnerability handling processes, and standards applied.
Cybersecurity risk assessment per Article 13(2)–(3). For Critical products, the risk assessment must demonstrate how the product addresses each applicable Annex I requirement at a level consistent with the certification assurance level.
Annex II information sheet. Includes support period, security update type, and vulnerability reporting contact.
EU Declaration per Article 28 and Annex V. For Critical products, references the European cybersecurity certification scheme or the Module B+C/H procedure applied.
Coordinated vulnerability disclosure policy per Annex I Part II point (5).
ENISA/CSIRT notification template per Article 14. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
Key dates including certification renewal milestones.
See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.
Generated from your data, in your browser. No data leaves your device.