Are all smart meters Critical, or only the gateways?

Annex IV item 2 of Regulation (EU) 2024/2847 specifies "smart meter gateways within smart metering systems." The gateway — the communication and security module that connects the metering infrastructure to the utility network — is explicitly Critical. The meter itself (the measurement device without the communication gateway) may be classified differently depending on its data connectivity and security functionality. If the meter and gateway are integrated, the integrated product falls under Critical.

When will the European cybersecurity certification scheme for smart meters be available?

Art. 8(1) of Regulation (EU) 2024/2847 empowers the Commission to require a European cybersecurity certification scheme for Critical products. As of the current date, no scheme specific to smart meter gateways has been adopted. Until one is adopted, Art. 32(4)(b) allows EU-type examination or full quality assurance as alternatives. CRACheck generates the documentation that feeds into either route.

Our product is deployed in Directive 2019/944 member state rollouts. Does this affect CRA scope?

Directive (EU) 2019/944 mandates smart meter deployment but does not impose horizontal cybersecurity requirements on the product. The CRA fills that gap. Your product's role in Directive 2019/944 rollouts confirms its intended purpose but does not exempt it from CRA. If anything, the regulatory mandate for deployment increases the expected use time — and therefore the support period requirement under Art. 13(8).

Is this a subscription?

No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Art. 16(m) of Directive (EU) 2011/83, activating the licence constitutes express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only processed for reproducible technical failures.

What if the regulation changes?

If Regulation (EU) 2024/2847 is amended during your licence window, you can regenerate the documentation using the updated version of the generator at no additional cost.

How does NIS2 interact with the CRA for smart meter manufacturers?

NIS2 (Directive (EU) 2022/2555) regulates energy operators as essential entities. The CRA regulates the products those operators deploy. As a manufacturer, you face CRA obligations. Your utility client faces NIS2 obligations. Your CRA Art. 31 documentation feeds into their NIS2 supply chain risk management under Art. 21 of NIS2. The two regulations target different entities (manufacturer vs. operator) but converge on the same product.

You manufacture smart meters, smart meter gateways or grid management equipment deployed by European utilities. Smart meter gateways are classified as Critical products in Annex IV of Regulation (EU) 2024/2847 — the highest CRA classification. Article 32(4) requires conformity assessment through a European cybersecurity certification scheme or, if unavailable, EU-type examination or full quality assurance. Every paragraph of Article 13 applies. ENISA reporting under Art. 14 starts in September 2026.

Q: Can we use internal control (Module A) if we apply harmonised standards?

No. Art. 32(4) of Regulation (EU) 2024/2847 does not allow internal control for Critical products. The options are: a European cybersecurity certification scheme (Art. 8(1)), or EU-type examination (Module B+C), or full quality assurance (Module H). Harmonised standard application does not unlock Module A for Critical products — it unlocks Module A only for Important Class I products under Art. 32(2).

The energy sector faces the CRA's most demanding classification. Annex IV item 2 explicitly lists "smart meter gateways within smart metering systems as defined in Article 2, point (23) of Directive (EU) 2019/944 and other devices for advanced security purposes, including for secure cryptoprocessing." This is a Critical product — above Important Class I and II. Art. 32(4) limits conformity assessment to a European cybersecurity certification scheme under Art. 8(1) or, where that scheme is not yet available, EU-type examination (Module B+C) or full quality assurance (Module H). Beyond the CRA, NIS2 classifies energy operators as essential entities, and Directive (EU) 2019/944 mandates smart meter deployment across the EU. Your product sits at the intersection of all three. CRACheck generates the 8-document Art. 31 technical file. €149 per product. 15-25 minutes. Grid architecture data stays in your browser.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key figures

Annex IV item 2

Smart meter gateways are Critical products — highest CRA classification

Art. 32(4)

Critical products require certification scheme, EU-type examination (B+C) or full QA (Module H)

€15M

Maximum fine under Art. 64(2) for non-compliance with Art. 13 and Annex I

How to proceed

Confirm Critical classification for smart meter gateways

Annex IV item 2 of Regulation (EU) 2024/2847 explicitly lists smart meter gateways per Directive (EU) 2019/944 Art. 2(23). Other grid equipment (monitoring, DER controllers) may fall under Important Class I or Default depending on functionality. Smart meter gateways are unambiguously Critical.

Determine the conformity assessment route

Art. 32(4): Critical products must use a European cybersecurity certification scheme (Art. 8(1)) if available. If no scheme is available, Art. 32(4)(b) allows EU-type examination (Module B+C) or full quality assurance (Module H) per Art. 32(3). Monitor the Commission's certification scheme adoption timeline.

Conduct the cybersecurity risk assessment

Art. 13(2)-(3): energy-sector risks include grid stability manipulation, mass smart meter compromise, data integrity attacks on consumption readings, cryptographic key management for gateway authentication, and supply chain attacks on firmware.

Align with NIS2 and Electricity Directive requirements

NIS2 (Directive (EU) 2022/2555) classifies energy operators as essential entities. Your CRA documentation feeds into their supply chain risk management. Directive (EU) 2019/944 mandates smart meter deployment — your product enables regulatory compliance for the utility.

Compile Art. 31 technical documentation

Annex VII: system architecture, cryptographic module specifications, firmware update mechanisms, secure boot chain, key management infrastructure, SBOM.

Prepare ENISA reporting with energy-sector urgency

Art. 14 from September 2026. A vulnerability in smart meter gateways has grid-level systemic impact. The 24h early warning is critical infrastructure-grade urgent.

Common mistakes

❌

CLASSIFICATION DENIAL

Treating a smart meter gateway as Default or Important Class I

Annex IV item 2 of Regulation (EU) 2024/2847 explicitly classifies smart meter gateways as Critical. This is the highest CRA classification. Internal control (Module A) is not available. Attempting to classify your gateway as Default to avoid notified body involvement or certification scheme requirements is non-compliant from the classification step.

❌

CONFORMITY ASSESSMENT SHORTCUT

Assuming internal control suffices because no certification scheme exists yet

Art. 32(4)(b) of Regulation (EU) 2024/2847 allows EU-type examination (Module B+C) or full quality assurance (Module H) when no European cybersecurity certification scheme under Art. 8(1) is available. These involve notified body assessment. Internal control (Module A) is never available for Critical products regardless of harmonised standard availability.

❌

LIFECYCLE UNDERESTIMATION

Setting a 5-year support period for equipment deployed in utility grids for 15-20 years

Art. 13(8) of Regulation (EU) 2024/2847 requires the support period to reflect expected use time. Smart meter gateways are deployed in utility infrastructure for 15-20 years. A 5-year support period leaves a decade of unsupported, connected, critical infrastructure — precisely the scenario the CRA was designed to prevent.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Identifies Critical classification for smart meter gateways (Annex IV item 2). Other grid products classified as Important Class I or Default based on functionality.

Technical Documentation

Art. 31 and Annex VII documentation for energy sector equipment: system architecture, cryptographic specifications, secure boot, key management, grid integration protocols.

Risk Assessment

Cybersecurity risk assessment covering energy-sector vectors: grid manipulation, mass meter compromise, consumption data integrity, cryptographic key extraction, firmware supply chain.

User Information

Annex II information for utility deployment: secure installation in metering infrastructure, key provisioning, firmware update procedures, vulnerability reporting, support period aligned with grid lifecycle.

Declaration of Conformity

EU Declaration per Art. 28 and Annex V for Critical product.

CVD Policy

Coordinated vulnerability disclosure policy aligned with energy-sector CERT practices and ICS-CERT coordination.

Notification Template

ENISA notification template per Art. 14 with critical infrastructure urgency context.

Obligations Calendar

Key dates: Art. 14 from September 2026, full enforcement December 2027, Commission certification scheme adoption milestones, utility deployment windows.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 ENERGY SECTOR CYBERSECURITY CONSULTANCY

CRA + NIS2 compliance for smart grid equipment

€25,000-60,000 per product family

16-30 weeks

Requires sharing cryptographic architecture with consultant

Report-based — does not produce Art. 31 file

Separate engagement for certification scheme preparation

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history