Our sensor has no processing — it only measures soil moisture and transmits a reading. Is that enough for CRA scope?

If the sensor contains firmware and transmits data over a network (LoRaWAN, NB-IoT, Zigbee), it is a product with digital elements under Art. 3(1) of Regulation (EU) 2024/2847. The simplicity of the measurement function does not affect scope — the data connection does.

We sell through agricultural equipment dealers. Are they distributors under the CRA?

If the dealer makes your product available on the EU market without modifying it, they are a distributor under Art. 3(17) with Art. 20 obligations. If the dealer rebrands or substantially modifies the product, Art. 21 reclassifies them as manufacturer.

Our field gateway aggregates data from 200 sensors. Is it one product or 200?

The gateway is one product with digital elements. Each sensor is a separate product if placed on the market independently. If sensors are sold only as part of an integrated system with the gateway, the system may be treated as a single product. Classification follows market placement, not field deployment topology.

Farm equipment typically has no cybersecurity. Will market surveillance authorities enforce against agriculture IoT?

Art. 52 of Regulation (EU) 2024/2847 assigns market surveillance to national authorities. Enforcement prioritisation is at their discretion, but the CRA makes no sector exemption. As agriculture IoT adoption grows and incidents occur, enforcement attention will follow. Early documentation positions your products ahead of enforcement cycles.

Is this a subscription?

No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Art. 16(m) of Directive (EU) 2011/83, activating the licence constitutes express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only processed for reproducible technical failures.

What if the regulation changes?

If Regulation (EU) 2024/2847 is amended during your licence window, you can regenerate the documentation using the updated version of the generator at no additional cost.

You manufacture soil sensors, weather stations, irrigation controllers or livestock monitoring devices with LoRaWAN, NB-IoT or cellular connectivity, deployed on farms across the EU. The Cyber Resilience Act does not have an agriculture exemption. Article 3(1) of Regulation (EU) 2024/2847 covers any product with a data connection. If your sensor transmits data over a network, Article 13 manufacturer obligations apply — from cybersecurity risk assessment to technical documentation to vulnerability handling.

Precision agriculture has moved from standalone equipment to cloud-connected IoT platforms. Soil sensors report moisture and nutrient data over LoRaWAN. Weather stations upload microclimate readings via cellular. Irrigation controllers receive cloud-based commands over NB-IoT. Livestock tags transmit location and health data via satellite. Every one of these is a product with digital elements under Art. 3(1). The CRA does not distinguish between enterprise IT and agricultural IoT. Art. 2(1) covers any product with a logical or physical data connection. Most agritech devices fall under Default classification — but if your product includes a gateway with routing functionality, it may be Important Class I under Annex III item 12. Art. 13(8) requires a support period proportionate to expected use — and farm equipment is typically deployed for 7-15 years. CRACheck generates the 8-document technical file. €149 per product. 15-25 minutes. Field data architecture stays in your browser.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key figures

Art. 2(1)

No agriculture exemption — any product with a data connection is in scope

7-15 years

Typical deployment lifecycle for farm IoT — support period must be proportionate (Art. 13(8))

€15M

Maximum fine under Art. 64(2) for manufacturer non-compliance

How to proceed

Inventory every connected product

Soil sensors, weather stations, drone controllers, irrigation actuators, livestock tags, GPS guidance modules, field gateways. Each device with a data connection is separately in scope.

Classify against Annex III

Standard sensors and actuators: Default. Field gateways with routing capability: Important Class I (Annex III item 12). Devices with VPN: Important Class I (item 5). Most farm sensors and controllers are Default.

Conduct the cybersecurity risk assessment

Art. 13(2)-(3): agriculture-specific risks include irrigation system manipulation, crop data integrity attacks, livestock tracking disruption, GPS guidance spoofing for autonomous machinery, and lateral movement from field gateways to farm management platforms.

Account for harsh environment deployment

Annex I Part I point (2)(b) requires secure by default configuration. Farm IoT operates in uncontrolled environments with intermittent connectivity, outdoor exposure, and minimal physical security. Secure defaults must account for these conditions.

Define a long support period

Art. 13(8): farm equipment runs for 7-15 years. A soil sensor deployed in 2028 may still be in the field in 2040. The support period must reflect this. Free security updates (Art. 13(9)) must be deliverable over low-bandwidth, intermittent connections.

Prepare ENISA reporting

Art. 14 from September 2026. A vulnerability in an irrigation controller network affecting thousands of farms has food production implications. The 24h early warning applies regardless of the agricultural context.

Common mistakes

❌

SECTOR EXEMPTION MYTH

Assuming agriculture or farming equipment is exempt from the CRA

Art. 2 of Regulation (EU) 2024/2847 lists specific exclusions: medical devices (2017/745), IVDs (2017/746), motor vehicles (2019/2144), aviation (2018/1139), marine equipment (2014/90). Agriculture is not on the exclusion list. Any connected farm device placed on the EU market is within scope.

❌

CONNECTIVITY UNDERESTIMATION

Treating LoRaWAN sensors as passive devices without CRA obligations

A LoRaWAN sensor that transmits data to a gateway has a logical data connection under Art. 2(1). It contains firmware. It processes data. It connects to a network. Even minimal connectivity creates CRA scope. The low-power, low-bandwidth nature of LoRaWAN does not create an exemption.

❌

UPDATE LOGISTICS FAILURE

No firmware update mechanism for sensors deployed across 500 hectares

Art. 13(9) of Regulation (EU) 2024/2847 requires free security updates throughout the support period. For thousands of sensors deployed across farms, OTA update capability is not optional — it is a CRA requirement. A product without any update mechanism cannot fulfil Art. 13(9) and is non-compliant.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Identifies Default (sensors, actuators, controllers) or Important Class I (field gateways with routing per Annex III item 12).

Technical Documentation

Art. 31 and Annex VII documentation: device architecture, LPWAN protocol specifications, cloud integration, OTA update mechanism, power management impact on security.

Risk Assessment

Cybersecurity risk assessment covering agriculture vectors: irrigation manipulation, crop data integrity, GPS spoofing for autonomous machinery, livestock data disruption, gateway-to-platform lateral movement.

User Information

Annex II information for farmers, cooperatives and integrators: secure deployment in field conditions, connectivity provisioning, firmware update procedures, vulnerability reporting, support period aligned with equipment lifecycle.

Declaration of Conformity

EU Declaration per Art. 28 and Annex V.

CVD Policy

Coordinated vulnerability disclosure policy for agricultural technology research community.

Notification Template

ENISA notification template per Art. 14.

Obligations Calendar

Key dates with agricultural procurement cycles: Art. 14 from September 2026, full enforcement December 2027, seasonal deployment windows.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 AGRITECH IoT SECURITY ASSESSMENT

Cybersecurity review for agriculture device portfolio

€6,000-15,000 per product family

6-12 weeks

Firmware and architecture shared with consultant

Report-based — not Art. 31 documentation

Re-engagement per hardware revision

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history