
Annex III of Regulation (EU) 2024/2847 classifies application-specific integrated circuits and field-programmable gate arrays with security-related functionalities as Important Class I products. Item 15 targets your product category directly. Your conformity assessment path is not Module A by default — it depends on whether harmonised standards cover your essential requirements. CRACheck documents the classification and generates the dossier.

If your ASIC implements a hardware root of trust, a crypto accelerator, a secure key storage vault, or a tamper-detection mesh, it has security-related functionalities under Annex III item 15. That classification as Important Class I means Module A self-assessment is available only if you apply harmonised standards covering all essential cybersecurity requirements of Annex I, or hold an EU cybersecurity certification at assurance level "substantial." Without either, Article 32(2) directs you to third-party assessment under Module B+C or Module H. CRACheck classifies your ASIC or FPGA, maps its security architecture to Annex I, and generates the 8-document dossier. €149. 15–25 minutes. Your design files stay on your machine.

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · Annex III Class I item 15 · 8 documents · 100% browser-side

Key numbers

Item 15: Annex III Class I — ASICs and FPGAs with security functions
Art. 32(2): Conformity assessment path for Important Class I
€149: Per ASIC/FPGA product family

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

1. Confirm your Annex III classification
   CRACheck validates that your ASIC or FPGA's security functions place it under item 15 and determines whether Class I or Class II (tamper-resistant) applies.
2. Define your hardware security architecture
   Crypto engines, key management, secure boot chain, debug port protection, side-channel countermeasures.
3. Document your design and verification process
   RTL review, formal verification of security properties, production testing, supply chain integrity.
4. Map Annex I essential requirements
   How your ASIC/FPGA meets each cybersecurity requirement at the hardware implementation level.
5. Complete vulnerability handling
   Hardware errata process, security advisory issuance, coordination with integrators, ENISA notification readiness.
6. Generate the 8-document dossier
   Structured for your Annex III Class I position with references to the applicable conformity assessment path.
7. Prepare for conformity assessment
   The dossier is the documentation input for Module A (if standards apply) or Module B+C/H (if not).

Common mistakes

DEFAULT ASSUMPTION

"Our ASIC is custom silicon — it does not appear on any CRA list"

Annex III Class I item 15 explicitly lists "application specific integrated circuits (ASIC) and field-programmable gate arrays (FPGA) with security-related functionalities." The item targets the function, not the brand or specific product name. If your ASIC implements any security function — cryptographic processing, authentication, tamper detection, secure key storage — it matches this category.

FPGA RECONFIGURABILITY

"FPGAs are blank slates — the CRA applies to the bitstream, not the chip"

If the FPGA is manufactured and marketed with security-related functionalities (e.g., embedded crypto blocks, secure boot support, anti-tamper features), the FPGA itself is the product with digital elements. The manufacturer who designs and markets the FPGA with these features carries obligations under Article 13. A downstream user who loads a custom bitstream may become a manufacturer of a modified product under Article 22 if the modification is substantial.

COMMON CRITERIA SUBSTITUTION

"Our ASIC has a Common Criteria EAL4+ certificate — CRA conformity is covered"

A Common Criteria evaluation is not the same as CRA conformity assessment. Article 32(2) allows Module A for Important Class I products only with harmonised standards or an EU cybersecurity certification at assurance level "substantial" under the Cybersecurity Act (Regulation (EU) 2019/881). A CC certificate under a national scheme may support your case but does not automatically satisfy CRA requirements. A separate Annex VII dossier is still required.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
   Determines whether your ASIC/FPGA is Important Class I (item 15, security functions), Class II (items 3–4, tamper-resistant), or another category. Documents the rationale and conformity assessment path.

2. Technical Documentation
   Art. 31 + Annex VII dossier covering hardware architecture, security function specifications, design verification, production integrity controls.

3. Risk Assessment
   Annex I Part I analysis at the hardware level: physical attacks, side-channel analysis, fault injection, reverse engineering, supply chain tampering.

4. User Information
   Annex II information for integrators: secure integration guidelines, debug interface controls, key provisioning procedures, configuration requirements.

5. Declaration of Conformity
   Art. 28 + Annex V with Annex III Class I classification and applicable conformity module.

6. CVD Policy
   Hardware vulnerability disclosure: errata notification process, security advisory format, coordination with integrator ecosystem.

7. Notification Template
   Art. 14 ENISA notification for hardware-level vulnerabilities. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

8. Obligations Calendar
   Enforcement milestones, silicon revision schedule, support period.

Look before you buy: download the sample dossier (PDF, fictitious company). Real structure, real articles, real format. Fictitious data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 SEMICONDUCTOR SECURITY COMPLIANCE SPECIALIST
€20,000–€40,000
10–20 weeks. Requires NDA + RTL-level design disclosure. Hardware-specific CRA expertise is rare — most consultants generalise. Output: consultant opinion, not structured regulatory dossier.
✓ Last regulatory check: 1 May 2026 · No substantive changes detected