
Your POS terminal sits on the counter of a European restaurant. It connects to WiFi, processes card payments, runs Android and receives remote firmware updates. A cybersecurity breach in a POS terminal is not just a data leak — it is payment fraud at scale. Regulation (EU) 2024/2847 requires Annex VII technical documentation covering vulnerability handling, secure defaults and risk assessment. Your PCI-DSS certification covers payment security. The CRA covers product cybersecurity. CRACheck generates the CRA documentation.

European retail chains, hospitality groups and transport operators deploy thousands of POS terminals and self-service kiosks. Each device is a networked endpoint processing sensitive data. PCI-DSS certifies payment security. The CRA addresses the product's broader cybersecurity: firmware integrity, OTA update security, network exposure, authentication, vulnerability handling. POS terminals are not explicitly in Annex III — most are Default products under Module A. CRACheck generates 8 PDF documents per Annex VII. 15-25 minutes. €149 per terminal model. Browser-side.


€149 one-time · 8-document ZIP · 15-25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side

Key numbers

PCI + CRA: PCI-DSS covers payment security. CRA covers product cybersecurity. Both required. Different scopes.
Default: POS terminals without Annex III functionality are Default products. Module A self-assessment.
€149: Per terminal model. 8 documents. 15 minutes.

CRA documentation for POS terminals and kiosks from China

PCI-DSS is one layer. CRA is another. European retailers will require both.

1. Classify your terminal: POS terminals are not in Annex III. Default products. Module A self-assessment.
2. Map digital interfaces: WiFi/LTE/Ethernet, NFC/EMV payment, touchscreen, USB, printer, barcode scanner, camera (if present), cloud management platform, OTA updates.
3. Generate CRA dossier: Enter specifications into CRACheck. 15-25 minutes.
4. Differentiate from PCI-DSS: PCI covers cardholder data. CRA covers the product's cybersecurity. Document both in your compliance package.
5. Deliver to EU retail buyers: Include CRA documentation alongside PCI-DSS certificates in procurement responses.

POS terminal CRA mistakes

SCOPE

PCI-DSS covers all cybersecurity requirements for payment terminals

PCI-DSS covers the security of cardholder data environments. Regulation (EU) 2024/2847 covers the cybersecurity of the product with digital elements — including firmware integrity, OTA update security, authentication, vulnerability handling and SBOM. A POS terminal can be PCI-compliant but CRA-non-compliant if it lacks Annex VII documentation.

ANNEX I, PART I, 1(d)

Our kiosk requires admin login — it is secure by default

Annex I Part I point 1(d) requires secure by default configuration. If your kiosk ships with a universal admin password (admin/1234), it is not secure by default regardless of the login requirement. Each unit must have unique default credentials or require credential setup before first use.

ART. 13.8

Our POS terminal has a 3-year warranty — support period covered

POS terminals are deployed for 5-10 years in retail environments. Art. 13.8 requires the support period to reflect expected use. A 3-year support period for a product with a 7-year deployment leaves 4 years without security updates. EU retail chains will not accept this.

What each CRACheck dossier contains: 8 documents

POS terminals and kiosks process payment and personal data. CRACheck generates 8 documents covering product cybersecurity — complementing your PCI-DSS certification.

1. Product Classifier: Determines product category per Annex III. Defines conformity assessment route under Art. 32.
2. Technical Documentation: Complete technical documentation structured per Art. 31 and Annex VII. All 8 mandatory sections.
3. Risk Assessment: Cybersecurity risk assessment per Art. 13.2 and Art. 13.3. Mapped against Annex I Part I requirements.
4. User Information: Information and instructions per Annex II. Security properties, support period, vulnerability reporting.
5. Declaration of Conformity: EU declaration of conformity per Art. 28 and Annex V.
6. CVD Policy: Coordinated Vulnerability Disclosure policy per Annex I Part II.
7. ENISA Notification Template: Pre-structured for 24h early warning, 72h notification, 14-day final report under Art. 14.
8. Obligations Calendar: Key dates: Art. 14 from 11 Sep 2026, full enforcement 11 Dec 2027, support period per Art. 13.8.

Look before you buy. Download sample dossier (PDF, fictitious company): real structure, real articles, real format. Fictitious data.

Generated in your browser. No product data is transmitted to any server.

What you pay for POS terminal CRA documentation

🧾 PAYMENT SECURITY CONSULTANCY (PCI + CRA)
€15,000–€30,000
Per terminal platform. 4-8 months.
Last regulatory check: 1 May 2026 · No substantive changes detected