CRA Compliance China IoT Manufacturer

Key numbers

Art. 31

Technical documentation obligation. Annex VII defines 8 mandatory content sections.

€15M

Maximum fine under Art. 64.2 for non-compliance with essential cybersecurity requirements. Or 2.5% of global turnover.

15 min

Time to generate a complete 8-document CRA dossier. Compare with 3-6 months of consultancy.

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Classify your product

Use the free CRACheck classifier to determine whether your IoT device is Default, Important Class I, Important Class II or Critical under Annex III. Most IoT sensors and gateways are Default products eligible for self-assessment under Module A.

Gather your product data

Internal product specifications, firmware version, network interfaces, update mechanism, known vulnerability list, intended purpose, expected support period.

Enter data in CRACheck

The generator guides you through each section of Annex VII. 15-25 minutes per product. All processing runs in your browser — no product data is transmitted to any server.

Download 8 PDF documents

Product Classifier, Technical Documentation, Risk Assessment, User Information, Declaration of Conformity, CVD Policy, ENISA Notification Template, Obligations Calendar. One ZIP file.

Review with your compliance team

Your quality or compliance officer reviews the documentation. CRACheck includes 10 regenerations per licence for adjustments.

Deliver to your EU importer

Attach the documentation to the product file alongside your existing CE dossier. Under Art. 19.2, the EU importer must verify this documentation exists before placing the product on the market.

Common mistakes

❌

COMPLIANCE GAP

"We already have CE marking — that covers cybersecurity"

CE marking under the EMC Directive (2014/30/EU) or RED (2014/53/EU) covers electromagnetic compatibility and radio spectrum. Regulation (EU) 2024/2847 introduces a separate set of essential cybersecurity requirements under Annex I and a separate technical documentation obligation under Article 31 and Annex VII. Your existing CE dossier does not contain vulnerability handling processes, cybersecurity risk assessment, SBOM or coordinated vulnerability disclosure policy. These are Annex VII requirements.

❌

ART. 19

"Our European distributor handles the compliance"

The distributor has obligations under Article 20 of Regulation (EU) 2024/2847, but they are verification obligations — they must check that the product bears CE marking and that documentation exists. The obligation to produce the technical documentation under Article 31 and Annex VII falls on the manufacturer. Article 3(13) defines the manufacturer as the entity who develops or manufactures the product and places it on the market under their name or trademark. That is you.

❌

ART. 14

"Enforcement starts in December 2027 — we have time"

Full enforcement of the CRA starts on 11 December 2027. However, Article 14 — the obligation to report actively exploited vulnerabilities to ENISA within 24 hours — applies from 11 September 2026. If a vulnerability in your IoT device is actively exploited after that date and you fail to notify, you are already in breach. The documentation obligation gives you the framework to handle vulnerability reporting. Starting late means starting unprepared.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Determines whether your IoT device falls under Default, Important Class I, Important Class II or Critical category per Annex III. Defines which conformity assessment procedure applies under Art. 32.

Technical Documentation

Complete technical documentation structured per Art. 31 and Annex VII. Covers product description, design and development information, vulnerability handling processes, cybersecurity risk assessment, standards applied, test reports, EU declaration of conformity, and SBOM.

Risk Assessment

Cybersecurity risk assessment as required by Art. 13.2 and Art. 13.3, covering analysis of cybersecurity risks based on intended purpose, foreseeable use and operational environment. Mapped against essential cybersecurity requirements in Annex I Part I.

User Information

Information and instructions for the user as required by Annex II. Covers product identification, manufacturer contact, security properties, support period, installation guidance, vulnerability reporting mechanism and secure disposal.

Declaration of Conformity

EU declaration of conformity per Art. 28 and Annex V. Identifies the product, states conformity with the applicable requirements, lists the conformity assessment procedure applied and the standards or specifications used.

CVD Policy

Coordinated Vulnerability Disclosure policy. Part of the vulnerability handling requirements under Annex I Part II. Establishes the process for external researchers to report vulnerabilities and the timeline for remediation.

Notification Template

Pre-structured template for vulnerability and incident notification to ENISA and the designated CSIRT under Art. 14. Covers the three-step reporting timeline: 24h early warning, 72h notification, 14-day final report.

Obligations Calendar

Timeline of all CRA obligations with key dates: Art. 14 reporting from 11 September 2026, full enforcement from 11 December 2027, support period obligations per Art. 13.8.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 EUROPEAN COMPLIANCE CONSULTANCY

€10,000–€25,000

Per product. 3-6 months. Requires NDA, data transfer, multiple meetings.

✓ CRACHECK

€149

8 documents. 15-25 min. One-time payment. No data transfer. Pack 10: €99/product. Pack 30: €79/product.

Two layers

● LAYER 1

What CRACheck does

Generates the technical documentation required under Article 31 and Annex VII. 8 documents. 15-25 minutes. €149. This is the manufacturer's documentation obligation.

∅ LAYER 2

What CRACheck does NOT do

If your product is Important Class I without harmonised standards, Important Class II or Critical, you need a notified body for conformity assessment under Article 32.2, 32.3 or 32.4. CRACheck generates the documentation the notified body will review — but the assessment decision is theirs. For Default products (90% of IoT devices), Module A self-assessment under Art. 32.1(a) applies and no notified body is required.

We document. You assess conformity.

Enforcement regime

Article 64 of Regulation (EU) 2024/2847.

🔴

Non-compliance with essential cybersecurity requirements (Annex I) and Art. 13/14 obligations (Art. 64(2))

€15,000,000 / 2.5%

Up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher.

🟠

Non-compliance with technical documentation (Art. 31), authorised representative (Art. 18), conformity assessment (Art. 32) (Art. 64(3))

€10,000,000 / 2%

Up to €10 million or 2% of total worldwide annual turnover. Includes failure to produce Annex VII documentation.

🟡

Supply of incorrect, incomplete or misleading information to authorities (Art. 64(4))

€5,000,000 / 1%

Up to €5 million or 1% of total worldwide annual turnover, whichever is higher.

Alternatives

Criterion	European consultancy	Draft internally using Annex VII text	Ignore the obligation	CRACheck
Cost	€10,000–€25,000	Free + engineering time	€0 now	€149
Result	Full audit + docs. 3-6 months. Requires data transfer.	Weeks per product. High risk of gaps.	Up to €10M fine or 2% turnover. EU importer may refuse.	8 documents. 15-25 min. Structured per Annex VII. No data leaves your device.

You manufacture more than one IoT product for the EU market?

Each CRACheck licence documents one product. If you export 10, 20 or 50 connected devices to European distributors, each product needs its own Annex VII dossier. Contact us for volume pricing: €99 per product (10-pack) or €79 per product (30-pack).

Request Volume Pricing

Response within one business day.

What CRACheck guarantees and what it does not

CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, completeness and truthfulness of that information is your responsibility as the manufacturer.

We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct as of the last verification date. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case or by a commercial buyer in a procurement process.

CRACheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.

Frequently asked questions

Does the CRA apply to manufacturers outside the EU?

Yes. Article 2.1 of Regulation (EU) 2024/2847 applies to products with digital elements made available on the EU market. It does not require the manufacturer to be established in the EU. If you manufacture in Shenzhen and your product is sold by a distributor in Germany, the CRA applies to your product. The obligation to produce technical documentation under Article 31 falls on you as the manufacturer.

Do I need an authorised representative in the EU?

Article 18 of Regulation (EU) 2024/2847 allows manufacturers to appoint an authorised representative by written mandate. The authorised representative can keep your EU declaration of conformity and technical documentation at the disposal of market surveillance authorities. Consult a lawyer to determine whether you need one — CRACheck generates the documentation, not the representation.

Is my smart sensor Default or Important Class I?

Annex III of Regulation (EU) 2024/2847 lists the categories of Important products. Most basic IoT sensors, gateways and smart plugs are Default products eligible for self-assessment under Module A (Art. 32.1(a)). Products with security functionalities (smart locks, cameras, baby monitors) fall under Class I (Annex III point 17). Use the free CRACheck classifier to determine your category.

What is the SBOM requirement?

Annex VII point 2(b) of Regulation (EU) 2024/2847 requires the technical documentation to include the software bill of materials. The SBOM documents all software components integrated in the product, including third-party and open-source components. CRACheck generates the SBOM section as part of the Technical Documentation document.

When does the CRA enter into force?

Regulation (EU) 2024/2847 applies fully from 11 December 2027. However, Article 14 — reporting obligations for actively exploited vulnerabilities and severe incidents — applies from 11 September 2026. Chapter IV on conformity assessment bodies applies from 11 June 2026.

Is this a subscription?

No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours to keep.

Can I request a refund?

Pursuant to Art. 16(m) of Directive (EU) 2011/83 on consumer rights, by activating the licence you give express consent for the immediate generation of the digital content, waiving the 14-day withdrawal period. Refunds are accepted only for reproducible technical failures.

What if the regulation changes?

If the regulation changes during the validity of your licence, you can regenerate the document with the updated version of the generator at no additional cost.

Official legal sources

Regulation (EU) 2024/2847 — Cyber Resilience Act — full text

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.