Reg (EU) 2024/2847Generate dossier — €149
LIVE — Enforcement tracker · Deadline dashboard · Transposition status — Updated weekly from EUR-Lex, Safety Gate, OEIL & 12 official sourcesView regulatory intelligence →

You manufacture smart meters, smart meter gateways or grid management equipment deployed by European utilities. Smart meter gateways are classified as Critical products in Annex IV of Regulation (EU) 2024/2847 — the highest CRA classification. Article 32(4) requires conformity assessment through a European cybersecurity certification scheme or, if unavailable, EU-type examination or full quality assurance. Every paragraph of Article 13 applies. ENISA reporting under Art. 14 starts in September 2026.

The energy sector faces the CRA's most demanding classification. Annex IV item 2 explicitly lists "smart meter gateways within smart metering systems as defined in Article 2, point (23) of Directive (EU) 2019/944 and other devices for advanced security purposes, including for secure cryptoprocessing." This is a Critical product — above Important Class I and II. Art. 32(4) limits conformity assessment to a European cybersecurity certification scheme under Art. 8(1) or, where that scheme is not yet available, EU-type examination (Module B+C) or full quality assurance (Module H). Beyond the CRA, NIS2 classifies energy operators as essential entities, and Directive (EU) 2019/944 mandates smart meter deployment across the EU. Your product sits at the intersection of all three. CRACheck generates the 8-document Art. 31 technical file. €149 per product. 15-25 minutes. Grid architecture data stays in your browser.

Generate CRA dossier — €149Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Built on Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 PDF documents · 100% browser-side

Key figures

Annex IV item 2
Smart meter gateways are Critical products — highest CRA classification
Art. 32(4)
Critical products require certification scheme, EU-type examination (B+C) or full QA (Module H)
€15M
Maximum fine under Art. 64(2) for non-compliance with Art. 13 and Annex I

How to proceed

1
Confirm Critical classification for smart meter gateways
Annex IV item 2 of Regulation (EU) 2024/2847 explicitly lists smart meter gateways per Directive (EU) 2019/944 Art. 2(23). Other grid equipment (monitoring, DER controllers) may fall under Important Class I or Default depending on functionality. Smart meter gateways are unambiguously Critical.
2
Determine the conformity assessment route
Art. 32(4): Critical products must use a European cybersecurity certification scheme (Art. 8(1)) if available. If no scheme is available, Art. 32(4)(b) allows EU-type examination (Module B+C) or full quality assurance (Module H) per Art. 32(3). Monitor the Commission's certification scheme adoption timeline.
3
Conduct the cybersecurity risk assessment
Art. 13(2)-(3): energy-sector risks include grid stability manipulation, mass smart meter compromise, data integrity attacks on consumption readings, cryptographic key management for gateway authentication, and supply chain attacks on firmware.
4
Align with NIS2 and Electricity Directive requirements
NIS2 (Directive (EU) 2022/2555) classifies energy operators as essential entities. Your CRA documentation feeds into their supply chain risk management. Directive (EU) 2019/944 mandates smart meter deployment — your product enables regulatory compliance for the utility.
5
Compile Art. 31 technical documentation
Annex VII: system architecture, cryptographic module specifications, firmware update mechanisms, secure boot chain, key management infrastructure, SBOM.
6
Prepare ENISA reporting with energy-sector urgency
Art. 14 from September 2026. A vulnerability in smart meter gateways has grid-level systemic impact. The 24h early warning is critical infrastructure-grade urgent.

Common mistakes

CLASSIFICATION DENIAL

Treating a smart meter gateway as Default or Important Class I

Annex IV item 2 of Regulation (EU) 2024/2847 explicitly classifies smart meter gateways as Critical. This is the highest CRA classification. Internal control (Module A) is not available. Attempting to classify your gateway as Default to avoid notified body involvement or certification scheme requirements is non-compliant from the classification step.

CONFORMITY ASSESSMENT SHORTCUT

Assuming internal control suffices because no certification scheme exists yet

Art. 32(4)(b) of Regulation (EU) 2024/2847 allows EU-type examination (Module B+C) or full quality assurance (Module H) when no European cybersecurity certification scheme under Art. 8(1) is available. These involve notified body assessment. Internal control (Module A) is never available for Critical products regardless of harmonised standard availability.

LIFECYCLE UNDERESTIMATION

Setting a 5-year support period for equipment deployed in utility grids for 15-20 years

Art. 13(8) of Regulation (EU) 2024/2847 requires the support period to reflect expected use time. Smart meter gateways are deployed in utility infrastructure for 15-20 years. A 5-year support period leaves a decade of unsupported, connected, critical infrastructure — precisely the scenario the CRA was designed to prevent.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1

Product Classifier

Identifies Critical classification for smart meter gateways (Annex IV item 2). Other grid products classified as Important Class I or Default based on functionality.

2

Technical Documentation

Art. 31 and Annex VII documentation for energy sector equipment: system architecture, cryptographic specifications, secure boot, key management, grid integration protocols.

3

Risk Assessment

Cybersecurity risk assessment covering energy-sector vectors: grid manipulation, mass meter compromise, consumption data integrity, cryptographic key extraction, firmware supply chain.

4

User Information

Annex II information for utility deployment: secure installation in metering infrastructure, key provisioning, firmware update procedures, vulnerability reporting, support period aligned with grid lifecycle.

5

Declaration of Conformity

EU Declaration per Art. 28 and Annex V for Critical product.

6

CVD Policy

Coordinated vulnerability disclosure policy aligned with energy-sector CERT practices and ICS-CERT coordination.

7

Notification Template

ENISA notification template per Art. 14 with critical infrastructure urgency context.

8

Obligations Calendar

Key dates: Art. 14 from September 2026, full enforcement December 2027, Commission certification scheme adoption milestones, utility deployment windows.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 ENERGY SECTOR CYBERSECURITY CONSULTANCY
CRA + NIS2 compliance for smart grid equipment
€25,000-60,000 per product family
16-30 weeks
Requires sharing cryptographic architecture with consultant
Report-based — does not produce Art. 31 file
Separate engagement for certification scheme preparation
✓ CRACHECK — ART. 31 DOCUMENTATION
8-document technical file for energy sector products
€149 per product
15-25 minutes
Grid architecture and cryptographic data stay in your browser
Foundation for certification scheme submission
30-day edit window, 10 regenerations
Permanent PDF

Two layers

● LAYER 1 — DOCUMENTATION · CRACHECK

The CRA documentation foundation

CRACheck generates the Art. 31 and Annex VII technical documentation for your energy sector product. For Critical products like smart meter gateways, this documentation is the foundation for the conformity assessment dossier that a notified body or certification scheme will review. Eight documents covering classification, risk assessment, system architecture, vulnerability handling, SBOM, declaration of conformity, ENISA template and obligations calendar.

∅ LAYER 2 — NOT INCLUDED

What CRACheck does not replace

CRACheck does not perform the notified body assessment required for Critical products under Art. 32(4). It does not conduct penetration testing on smart meter gateways. It does not manage cryptographic key infrastructure. It does not submit ENISA notifications. It does not produce NIS2 documentation for your utility clients. For Critical products, CRACheck generates the documentation — the conformity assessment itself requires external expertise.

Critical classification demands the most rigorous conformity assessment. CRACheck provides the documentary foundation. The assessment itself requires external expertise.

Enforcement regime

📅
11 September 2026 — Art. 14 reporting for energy sector

A vulnerability in smart meter gateways triggers 24h ENISA notification. Grid-level systemic impact makes this the highest-urgency reporting category in the CRA.

⚖️
11 December 2027 — Full CRA enforcement

Smart meter gateways must carry CE marking based on Critical product conformity assessment and Art. 31 documentation. Utility procurement will not accept products without both.

🔒
Art. 64(2) — €15M or 2.5% of global turnover

For Critical product manufacturers non-compliant with Art. 13 or Annex I. The penalty tier is the same for Critical and Default, but enforcement scrutiny on Critical products is proportionately higher.

Alternatives

CriterioEnergy cybersecurity consultancyInternal compliance teamIgnore until certification schemeCRACheck
Price€25K-60KStaff timeDeferred risk€149 per product
Art. 31 documentationReportVariable qualityNone8-document file
Certification scheme foundationPossiblyDependsNoneYes — structured for dossier
Data privacyShared with consultantInternalN/A100% browser-side
CRACheck€1498-docDossier-readyBrowser-side

Smart meter portfolio across multiple hardware generations? Document them all.

Pack 10: €99 per product. Pack 30: €79 per product. For energy sector manufacturers with multi-generation product portfolios, contact us for enterprise pricing.

Request volume pricing
Commercial enquiries via hello@solidwaretools.com

What CRACheck guarantees and what it does not

CRACheck generates a structured document set according to Art. 31 and Annex VII of Regulation (EU) 2024/2847 based on the information you provide. The accuracy of cryptographic specifications, grid architecture data and component inventories is your responsibility as manufacturer.

We guarantee that the document structure follows Art. 31 and Annex VII and that the legal references cited are correct. We do not guarantee acceptance by a notified body, certification scheme, market surveillance authority or utility procurement process.

CRACheck is not legal advice. For Critical product conformity assessment, certification scheme selection and the interaction between CRA, NIS2 and Directive (EU) 2019/944, consult a qualified energy sector regulatory lawyer.

Frequently asked questions

Are all smart meters Critical, or only the gateways?
Annex IV item 2 of Regulation (EU) 2024/2847 specifies "smart meter gateways within smart metering systems." The gateway — the communication and security module that connects the metering infrastructure to the utility network — is explicitly Critical. The meter itself (the measurement device without the communication gateway) may be classified differently depending on its data connectivity and security functionality. If the meter and gateway are integrated, the integrated product falls under Critical.
Can we use internal control (Module A) if we apply harmonised standards?
No. Art. 32(4) of Regulation (EU) 2024/2847 does not allow internal control for Critical products. The options are: a European cybersecurity certification scheme (Art. 8(1)), or EU-type examination (Module B+C), or full quality assurance (Module H). Harmonised standard application does not unlock Module A for Critical products — it unlocks Module A only for Important Class I products under Art. 32(2).
When will the European cybersecurity certification scheme for smart meters be available?
Art. 8(1) of Regulation (EU) 2024/2847 empowers the Commission to require a European cybersecurity certification scheme for Critical products. As of the current date, no scheme specific to smart meter gateways has been adopted. Until one is adopted, Art. 32(4)(b) allows EU-type examination or full quality assurance as alternatives. CRACheck generates the documentation that feeds into either route.
Our product is deployed in Directive 2019/944 member state rollouts. Does this affect CRA scope?
Directive (EU) 2019/944 mandates smart meter deployment but does not impose horizontal cybersecurity requirements on the product. The CRA fills that gap. Your product's role in Directive 2019/944 rollouts confirms its intended purpose but does not exempt it from CRA. If anything, the regulatory mandate for deployment increases the expected use time — and therefore the support period requirement under Art. 13(8).
Is this a subscription?
No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.
Can I request a refund?
Under Art. 16(m) of Directive (EU) 2011/83, activating the licence constitutes express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only processed for reproducible technical failures.
What if the regulation changes?
If Regulation (EU) 2024/2847 is amended during your licence window, you can regenerate the documentation using the updated version of the generator at no additional cost.
How does NIS2 interact with the CRA for smart meter manufacturers?
NIS2 (Directive (EU) 2022/2555) regulates energy operators as essential entities. The CRA regulates the products those operators deploy. As a manufacturer, you face CRA obligations. Your utility client faces NIS2 obligations. Your CRA Art. 31 documentation feeds into their NIS2 supply chain risk management under Art. 21 of NIS2. The two regulations target different entities (manufacturer vs. operator) but converge on the same product.

Official legal sources

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

Critical classification. Highest conformity assessment. Start with the documentation.

Smart meter gateways are Annex IV Critical products. Art. 32(4) demands notified body or certification scheme assessment. CRACheck generates the Art. 31 documentation that feeds into that assessment. Eight documents. €149. Browser-side.

€149 one-time
8-document ZIP · 15-25 min · Art. 31 + Annex VII · 100% browser-side · Permanent PDF
Generate Technical Documentation

Related landings

🔗 Telecom

CRA compliance for telecom equipment and 5G infrastructure
🔗 Smart building

CRA for smart building BMS — building management systems
🔗 Manufacturers

CRA manufacturer obligations — complete Art. 13 breakdown
✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history