European retail chains, hospitality groups and transport operators deploy thousands of POS terminals and self-service kiosks. Each device is a networked endpoint processing sensitive data. PCI-DSS certifies payment security. The CRA addresses the product's broader cybersecurity: firmware integrity, OTA update security, network exposure, authentication, vulnerability handling. POS terminals are not explicitly in Annex III — most are Default products under Module A. CRACheck generates 8 PDF documents per Annex VII. 15-25 minutes. €149 per terminal model. Browser-side.
€149 one-time · 8-document ZIP · 15-25 minutes · Browser-side
PCI-DSS is one layer. CRA is another. European retailers will require both.
PCI-DSS covers the security of cardholder data environments. Regulation (EU) 2024/2847 covers the cybersecurity of the product with digital elements — including firmware integrity, OTA update security, authentication, vulnerability handling and SBOM. A POS terminal can be PCI-compliant but CRA-non-compliant if it lacks Annex VII documentation.
Annex I Part I point 1(d) requires secure by default configuration. If your kiosk ships with a universal admin password (admin/1234), it is not secure by default regardless of the login requirement. Each unit must have unique default credentials or require credential setup before first use.
POS terminals are deployed for 5-10 years in retail environments. Art. 13.8 requires the support period to reflect expected use. A 3-year support period for a product with a 7-year deployment leaves 4 years without security updates. EU retail chains will not accept this.
POS terminals and kiosks process payment and personal data. CRACheck generates 8 documents covering product cybersecurity — complementing your PCI-DSS certification.
Determines product category per Annex III. Defines conformity assessment route under Art. 32.
Complete technical documentation structured per Art. 31 and Annex VII. All 8 mandatory sections.
Cybersecurity risk assessment per Art. 13.2 and Art. 13.3. Mapped against Annex I Part I requirements.
Information and instructions per Annex II. Security properties, support period, vulnerability reporting.
EU declaration of conformity per Art. 28 and Annex V.
Coordinated Vulnerability Disclosure policy per Annex I Part II.
Pre-structured for 24h early warning, 72h notification, 14-day final report under Art. 14.
Key dates: Art. 14 from 11 Sep 2026, full enforcement 11 Dec 2027, support period per Art. 13.8.
Look before you buy: Download sample dossier (PDF, fictitious company). Real structure, real articles, real format. Fictitious data.
Generated in your browser. No product data is transmitted to any server.
Generates Annex VII documentation for your POS terminal or kiosk. Covers firmware, network security, OTA updates, USB management, vulnerability handling. The cybersecurity layer that PCI does not cover.
CRACheck does not perform PCI-DSS assessment, PA-DSS validation or payment transaction testing. PCI and CRA are complementary. CRACheck handles the CRA documentation.
We document product cybersecurity. Your PCI assessor handles payment security.
Article 64 establishes three tiers of administrative fines. Penalties are calculated per undertaking — but non-compliance on a single product can trigger inspection of your entire portfolio.
Art. 64.2. Up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher.
Art. 64.3. Up to €10 million or 2% of total worldwide annual turnover, whichever is higher. Includes failure to produce Annex VII documentation.
Art. 64.4. Up to €5 million or 1% of total worldwide annual turnover, whichever is higher.
Art. 64.5 accounts for the nature, gravity and duration of the infringement, and gives consideration to microenterprises, small and medium-sized enterprises, including start-ups.
| Alternative | Cost | What you get |
|---|---|---|
| PCI + CRA consultancy | €15,000–€30,000 | Combined. 4-8 months. |
| Rely on PCI certification alone | €0 additional | PCI covers payments. CRA covers the product. Separate. |
| Wait for retail buyer to enforce | €0 now | Lose EU procurement tenders. |
| CRACheck | €149 | 8 CRA docs. 15 min. Complement your PCI certification. |
Each terminal model with different hardware/firmware needs its own CRA dossier. Volume pricing: €99/model (10-pack), €79/model (30-pack).
Request volume pricing
CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, completeness and truthfulness of that information is your responsibility as the manufacturer.
We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct as of the last verification date. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case or by a commercial buyer in a procurement process.
CRACheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.