You manufacture point-of-sale terminals, self-checkout kiosks, inventory scanners or electronic shelf label systems deployed in retail stores across the EU. These devices connect to store networks, cloud inventory platforms and payment infrastructure. Article 3(1) of Regulation (EU) 2024/2847 covers any product with a data connection. PCI-DSS covers the payment card environment. The CRA covers the product itself — and every connected device in the store is in scope.

Retail technology manufacturers have operated under PCI-DSS for payment terminals and GDPR for customer data. The CRA adds a horizontal product cybersecurity layer. Art. 2(1) covers any product with a logical or physical data connection — POS terminals with Ethernet and Wi-Fi, self-checkout kiosks with network connectivity, RFID inventory scanners with cloud sync, electronic shelf labels with wireless gateways. Most retail hardware falls under Default classification. If your POS terminal includes identity management or access control functionality, Annex III Class I item 1 may apply. If it includes an embedded operating system, Annex III Class I item 11 applies. Art. 13 imposes manufacturer obligations regardless of PCI-DSS compliance status. CRACheck generates the 8-document technical file under Art. 31 and Annex VII. €149 per product. 15-25 minutes. Store network architecture stays in your browser.

Generate CRA dossier — €149 · Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Built on Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 PDF documents · 100% browser-side

Key figures

Art. 3(1)
POS terminals, kiosks and inventory scanners with data connections are in scope
Annex III item 11
Operating systems are Important Class I — relevant if your POS runs a custom OS
€15M
Maximum fine under Art. 64(2) — separate from any PCI-DSS consequences

How to proceed

1. Identify connected retail products
POS terminals, self-checkout kiosks, cash register systems, barcode/RFID scanners with wireless connectivity, electronic shelf label controllers, digital signage with network management, back-office inventory terminals. Each device with a data connection is separately in scope.

2. Classify against Annex III
Standard POS terminals and scanners: Default. Devices with embedded operating systems: Important Class I (Annex III item 11). Devices with identity management or access control for store employees: Important Class I (item 1). Devices with network management for store infrastructure: Important Class I (item 6).

3. Conduct the cybersecurity risk assessment
Art. 13(2)-(3): retail-specific risks include payment data exposure from compromised POS firmware, store network lateral movement, inventory data manipulation, customer data interception from self-checkout kiosks, and supply chain attacks on POS firmware updates.

4. Address Annex I requirements in a retail context
Annex I Part I point (2)(e): data confidentiality — POS handles payment-adjacent data. Point (2)(d): access control for store employee terminals. Point (2)(h): availability — a POS outage is a revenue stoppage. Point (2)(j): minimised attack surfaces on customer-facing kiosks.

5. Compile Art. 31 technical documentation
Annex VII: device architecture, payment integration specifications, wireless protocol details, cloud inventory platform integration, firmware update mechanisms, SBOM.

6. Prepare ENISA reporting
Art. 14 from September 2026. A vulnerability in POS firmware deployed across a 2,000-store retail chain has immediate financial and customer data impact. The 24h early warning applies.

Common mistakes

PCI SUBSTITUTION

Assuming PCI-DSS compliance covers CRA obligations

PCI-DSS is a payment card industry standard governing cardholder data environments. The CRA (Regulation (EU) 2024/2847) is an EU regulation governing product cybersecurity. PCI-DSS does not produce Art. 31 documentation, does not require ENISA reporting, does not mandate vulnerability handling processes per Annex I Part II, and does not cover non-payment retail hardware (inventory scanners, ESL systems, signage). The two frameworks are complementary, not substitutive.

EMBEDDED OS BLINDNESS

Not classifying POS with custom operating systems as Important Class I

Annex III Class I item 11 of Regulation (EU) 2024/2847 lists "operating systems." If your POS terminal runs a custom or embedded operating system (Android-based, Linux-based, proprietary RTOS), that OS component may trigger Important Class I classification. This affects the conformity assessment route under Art. 32(2).

STORE-SCALE RISK

Scoping the risk assessment to a single terminal rather than a retail network

Art. 13(2) of Regulation (EU) 2024/2847 requires the risk assessment to cover reasonably foreseeable use. A POS terminal is foreseeably deployed as one of dozens or hundreds across a retail chain. A vulnerability affecting the firmware of all terminals in a chain is a chain-wide risk — the risk assessment must account for aggregate deployment scale.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
Identifies Default (standard scanners, ESL controllers) or Important Class I (POS with embedded OS per Annex III item 11, devices with identity management per item 1, network management per item 6).

2. Technical Documentation
Art. 31 and Annex VII documentation: device architecture, payment integration layer, wireless connectivity, cloud platform integration, firmware structure, SBOM.

3. Risk Assessment
Cybersecurity risk assessment covering retail vectors: POS firmware compromise, store network lateral movement, inventory data manipulation, customer data interception at kiosks, chain-scale firmware update attacks.

4. User Information
Annex II information for retail IT departments and franchisees: secure deployment, PCI environment integration, employee access provisioning, firmware update procedures, vulnerability reporting, support period.

5. Declaration of Conformity
EU Declaration per Art. 28 and Annex V.

6. CVD Policy
Coordinated vulnerability disclosure policy for the retail technology research community.

7. Notification Template
ENISA notification template per Art. 14 with retail chain-scale context.

8. Obligations Calendar
Key dates with retail procurement cycles: Art. 14 from September 2026, full enforcement December 2027, retail store refresh windows.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 RETAIL IT SECURITY CONSULTANCY
POS security assessment + CRA gap analysis
€10,000-25,000 per product family
8-16 weeks
Requires sharing POS architecture with consultant
Report-based — no Art. 31 file
Separate from PCI-DSS assessment cost
✓ CRACHECK — ART. 31 DOCUMENTATION
8-document technical file per retail device
€149 per device
15-25 minutes
POS architecture stays in your browser
Covers CRA requirements PCI-DSS does not address
30-day edit window, 10 regenerations
Permanent PDF

Two layers

● LAYER 1 — DOCUMENTATION · CRACHECK

CRA documentation for retail hardware

CRACheck generates Art. 31 and Annex VII technical documentation for each connected retail device. Coverage includes cybersecurity risk assessment for retail deployment, vulnerability handling procedures, SBOM, coordinated disclosure, ENISA template and support period definition. The documentation covers the CRA layer that PCI-DSS does not address — and positions your product for retail chain procurement.

∅ LAYER 2 — NOT INCLUDED

What CRACheck does not cover

CRACheck does not perform PCI-DSS compliance assessments. It does not conduct penetration testing on POS terminals. It does not audit payment data flows. It does not manage firmware update delivery infrastructure. It does not certify EMV compliance. For POS terminals, CRACheck covers the CRA product cybersecurity layer — PCI-DSS, EMV and payment scheme requirements are separate workstreams.

PCI covers the card data. The CRA covers the product. CRACheck documents the product layer for every connected device in the store.

Enforcement regime

📅 11 September 2026 — Art. 14 reporting

A vulnerability in POS firmware deployed across a retail chain triggers 24h ENISA notification. Chain-scale deployment multiplies both urgency and impact.

⚖️ 11 December 2027 — Full CRA enforcement

Retail hardware placed on the EU market must carry CE marking and Art. 31 documentation. Retail chain procurement will require CRA evidence alongside PCI.

🔒 Art. 64(2) — €15M or 2.5% of global turnover

For retail hardware manufacturers non-compliant with Art. 13 or Annex I. Separate from any PCI-DSS consequences — a compromised POS chain may trigger both.

Alternatives

| Criterion | Retail IT security firm | Internal compliance | PCI-DSS only | CRACheck |
| --- | --- | --- | --- | --- |
| Price | €10K-25K | Staff time | Does not cover CRA | €149 per device |
| CRA Art. 31 file | No — report | Variable | None | 8-document ZIP |
| Retail chain procurement evidence | Audit report | Internal docs | PCI report | Standardised Art. 31 file |
| POS architecture stays with you | Shared | Internal | Shared with QSA | 100% browser-side |

Retail hardware portfolio with POS, kiosks and scanners? Document every device.

Pack 10: €99 per product. Pack 30: €79 per product. For retail technology manufacturers with broad EU product portfolios, contact us for enterprise pricing.

Request volume pricing
Commercial enquiries via hello@solidwaretools.com

What CRACheck guarantees and what it does not

CRACheck generates a structured document set according to Art. 31 and Annex VII of Regulation (EU) 2024/2847 based on the information you provide about your retail device. The accuracy of device architecture, payment integration details and connectivity specifications is your responsibility as manufacturer.

We guarantee that the document structure follows Art. 31 and Annex VII and that the legal references cited are correct. We do not guarantee acceptance by a retail chain procurement process, PCI QSA or market surveillance authority.

CRACheck is not legal advice. For the CRA/PCI-DSS interaction and embedded OS classification under Annex III item 11, consult a qualified retail technology compliance specialist.

Frequently asked questions

Does PCI-DSS compliance exempt us from the CRA?
No. PCI-DSS is a payment card industry standard, not an EU regulation. Art. 2 of Regulation (EU) 2024/2847 lists specific EU legislation exclusions (MDR, IVDR, motor vehicles, aviation, marine). Payment card industry standards are not on the list. The CRA applies to POS terminals regardless of PCI-DSS compliance status.
Our POS runs Android. Does the Android OS classify the terminal as Important Class I?
Annex III Class I item 11 of Regulation (EU) 2024/2847 lists "operating systems." If your POS terminal uses an Android-based embedded OS that you have modified and market as part of the terminal, the terminal's classification may be affected. If you use stock Android provided by Google, the OS classification would apply to Google as its manufacturer. Your product's classification depends on whether you are the manufacturer of the OS component or only of the hardware/application layer.
We sell the same POS terminal to convenience stores and to 500-store chains. Does the CRA apply differently?
The CRA applies per product placed on the market, not per deployment scale. However, Art. 13(2) requires the risk assessment to cover reasonably foreseeable use — and foreseeable use for a POS terminal includes chain-scale deployment. Your single risk assessment must account for the most demanding foreseeable use case.
Electronic shelf labels use e-ink and wireless. Are they in scope?
If the ESL system includes a wireless controller or gateway with a data connection (Wi-Fi, Zigbee, proprietary RF with network bridge), it is a product with digital elements under Art. 3(1). The e-ink display itself may not qualify if it has no independent firmware or data connection, but the controller/gateway that manages the ESL network does.
Is this a subscription?
No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.
Can I request a refund?
Under Art. 16(m) of Directive (EU) 2011/83, activating the licence constitutes express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only processed for reproducible technical failures.
What if the regulation changes?
If Regulation (EU) 2024/2847 is amended during your licence window, you can regenerate the documentation using the updated version of the generator at no additional cost.
⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

PCI covers the card data. The CRA covers the product. Document the product layer.

POS terminals, self-checkout kiosks, inventory scanners, ESL controllers. Every connected retail device needs Art. 31 documentation. Eight documents. €149 per device. Browser-side.

€149 one-time
8-document ZIP · 15-25 min · Art. 31 + Annex VII · 100% browser-side · Permanent PDF
Generate Technical Documentation
✓ Last regulatory check: 1 May 2026 · No substantive changes detected