The Critical tier is the narrowest classification in the CRA. Only 3 product categories appear in Annex IV: hardware devices with security boxes, smart meter gateways within smart metering systems as defined in Article 2(23) of Directive (EU) 2019/944, and smartcards or similar devices including secure elements. Under Article 8(1), the Commission may adopt delegated acts requiring these products to obtain European cybersecurity certification at assurance level "substantial" under a scheme adopted pursuant to Regulation (EU) 2019/881. Until such delegated acts are adopted, Article 32(4) allows Critical products to use the same procedures as Class II: Module B+C or Module H. In either path, the starting point is the technical documentation under Article 31 and Annex VII. CRACheck generates it. €149. 15–25 minutes. 8 PDFs.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
Whether the certification path is triggered by a delegated act under Article 8(1) or the fallback under Article 32(4) applies, the certification body or notified body will request the technical documentation described in Annex VII. CRACheck generates this documentation.
Article 8(1) of Regulation (EU) 2024/2847 empowers the Commission to adopt delegated acts requiring certification, but only if a European cybersecurity certification scheme under Regulation (EU) 2019/881 exists and covers the product category. Until such a delegated act is adopted, Article 32(4) allows Module B+C or Module H as fallback.
Annex IV category 1 refers to hardware devices with security boxes — specialised physical tamper-resistant enclosures for cryptographic operations. A consumer router with TLS support is not a "hardware device with a security box" under this definition.
Module A is never available for Critical products. Article 32(4) limits Critical products to European cybersecurity certification under Article 8(1) or, if that is not available, the procedures in Article 32(3): Module B+C, Module H, or European cybersecurity certification at assurance level "substantial."
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Confirms Critical classification under Annex IV. Documents which of the 3 categories applies and the certification path under Article 8(1) or Article 32(4).
Annex VII file structured for certification-body review. Includes system architecture, SBOM reference, vulnerability handling processes, and standards applied.
Cybersecurity risk assessment per Article 13(2)–(3). For Critical products, the risk assessment must demonstrate how the product addresses each applicable Annex I requirement at a level consistent with the certification assurance level.
Annex II information sheet. Includes support period, security update type, and vulnerability reporting contact.
EU Declaration per Article 28 and Annex V. For Critical products, references the European cybersecurity certification scheme or the Module B+C/H procedure applied.
Coordinated vulnerability disclosure policy per Annex I Part II point (5).
ENISA/CSIRT notification template per Article 14. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
Key dates including certification renewal milestones.
See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.
Generated from your data, in your browser. No data leaves your device.
CRACheck classifies your product against Annex IV, identifies the certification or conformity assessment path under Article 8 and Article 32(4), and generates the Annex VII technical documentation, risk assessment, Declaration of Conformity, and supporting documents. This is the documentation foundation for the certification or assessment process.
CRACheck does not perform the European cybersecurity certification. It does not act as a certification body under Regulation (EU) 2019/881. It does not issue certificates. The certification is performed by an accredited certification body, and the notified body assessment (Module B+C, Module H) is performed by a designated notified body under Article 39.
The documentation is step one. The certification builds on it. CRACheck covers step one.
Annex I non-compliance + Art. 13/14.
Non-compliance with Art. 32 conformity assessment procedures. Using the wrong conformity module for a Critical product falls here.
Misleading info to certification bodies or market surveillance authorities.
| Criterio | Certification consultancy | In-house preparation | CRACheck |
|---|---|---|---|
| Price | €20,000–50,000 | Headcount cost | €149/product |
| Scope | Documentation + certification support | Documentation only | Documentation (8 PDFs) |
| Delivery | 3–12 months | Months | 15–25 minutes |
| Certification | Not included (separate body) | Not included | Not included (separate body) |
| CRACheck | €149 | 15-25 min | Documentation layer |
If you manufacture a product line of secure elements or smart meter gateways, contact us for volume pricing. Pack of 10: €99 per product. Pack of 30: €79 per product.
Request volume pricingCRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847, based on the information you enter. The accuracy, completeness, and truthfulness of that information is your responsibility as manufacturer.
We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case.
CRACheck is not legal advice. For situations specific to your product or market, consult a qualified lawyer or specialised regulatory consultancy.
CRACheck classifies your product, identifies the certification path, and generates the Annex VII documentation. €149 per product. Browser-side.