Reg (EU) 2024/2847

You manufacture point-of-sale terminals, self-checkout kiosks, inventory scanners or electronic shelf label systems deployed in retail stores across the EU. These devices connect to store networks, cloud inventory platforms and payment infrastructure. Article 3(1) of Regulation (EU) 2024/2847 covers any product with a data connection. PCI-DSS covers the payment card environment. The CRA covers the product itself — and every connected device in the store is in scope.

Retail technology manufacturers have operated under PCI-DSS for payment terminals and GDPR for customer data. The CRA adds a horizontal product cybersecurity layer. Art. 2(1) covers any product with a logical or physical data connection — POS terminals with Ethernet and Wi-Fi, self-checkout kiosks with network connectivity, RFID inventory scanners with cloud sync, electronic shelf labels with wireless gateways. Most retail hardware falls under Default classification. If your POS terminal includes identity management or access control functionality, Annex III Class I item 1 may apply. If it includes an embedded operating system, Annex III Class I item 11 applies. Art. 13 imposes manufacturer obligations regardless of PCI-DSS compliance status. CRACheck generates the 8-document technical file under Art. 31 and Annex VII. €149 per product. 15-25 minutes. Store network architecture stays in your browser.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Built on Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 PDF documents · 100% browser-side

Key figures

Art. 3(1): POS terminals, kiosks and inventory scanners with data connections are in scope.
Annex III item 11: operating systems are Important Class I, relevant if your POS runs a custom OS.
€15M: maximum fine under Art. 64(2), separate from any PCI-DSS consequences.

How to proceed

1. Identify connected retail products
POS terminals, self-checkout kiosks, cash register systems, barcode/RFID scanners with wireless connectivity, electronic shelf label controllers, digital signage with network management, back-office inventory terminals. Each device with a data connection is separately in scope.

2. Classify against Annex III
Standard POS terminals and scanners: Default. Devices with embedded operating systems: Important Class I (Annex III item 11). Devices with identity management or access control for store employees: Important Class I (item 1). Devices with network management for store infrastructure: Important Class I (item 6).

3. Conduct the cybersecurity risk assessment
Art. 13(2)-(3): retail-specific risks include payment data exposure from compromised POS firmware, store network lateral movement, inventory data manipulation, customer data interception from self-checkout kiosks, and supply chain attacks on POS firmware updates.

4. Address Annex I requirements in a retail context
Annex I Part I point (2)(e): data confidentiality — POS handles payment-adjacent data. Point (2)(d): access control for store employee terminals. Point (2)(h): availability — a POS outage is a revenue stoppage. Point (2)(j): minimised attack surfaces on customer-facing kiosks.

5. Compile Art. 31 technical documentation
Annex VII: device architecture, payment integration specifications, wireless protocol details, cloud inventory platform integration, firmware update mechanisms, SBOM.

6. Prepare ENISA reporting
Art. 14 applies from September 2026. A vulnerability in POS firmware deployed across a 2,000-store retail chain has immediate financial and customer data impact. The 24h early warning applies.

Common mistakes

PCI SUBSTITUTION

Assuming PCI-DSS compliance covers CRA obligations

PCI-DSS is a payment card industry standard governing cardholder data environments. The CRA (Regulation (EU) 2024/2847) is an EU regulation governing product cybersecurity. PCI-DSS does not produce Art. 31 documentation, does not require ENISA reporting, does not mandate vulnerability handling processes per Annex I Part II, and does not cover non-payment retail hardware (inventory scanners, ESL systems, signage). The two frameworks are complementary, not substitutive.

EMBEDDED OS BLINDNESS

Not classifying POS with custom operating systems as Important Class I

Annex III Class I item 11 of Regulation (EU) 2024/2847 lists "operating systems." If your POS terminal runs a custom or embedded operating system (Android-based, Linux-based, proprietary RTOS), that OS component may trigger Important Class I classification. This affects the conformity assessment route under Art. 32(2).

STORE-SCALE RISK

Scoping the risk assessment to a single terminal rather than a retail network

Art. 13(2) of Regulation (EU) 2024/2847 requires the risk assessment to cover reasonably foreseeable use. A POS terminal is foreseeably deployed as one of dozens or hundreds across a retail chain. A vulnerability affecting the firmware of all terminals in a chain is a chain-wide risk — the risk assessment must account for aggregate deployment scale.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
Identifies Default (standard scanners, ESL controllers) or Important Class I (POS with embedded OS per Annex III item 11, devices with identity management per item 1, network management per item 6).

2. Technical Documentation
Art. 31 and Annex VII documentation: device architecture, payment integration layer, wireless connectivity, cloud platform integration, firmware structure, SBOM.

3. Risk Assessment
Cybersecurity risk assessment covering retail vectors: POS firmware compromise, store network lateral movement, inventory data manipulation, customer data interception at kiosks, chain-scale firmware update attacks.

4. User Information
Annex II information for retail IT departments and franchisees: secure deployment, PCI environment integration, employee access provisioning, firmware update procedures, vulnerability reporting, support period.

5. Declaration of Conformity
EU Declaration per Art. 28 and Annex V.

6. CVD Policy
Coordinated vulnerability disclosure policy for the retail technology research community.

7. Notification Template
ENISA notification template per Art. 14 with retail chain-scale context.

8. Obligations Calendar
Key dates aligned with retail procurement cycles: Art. 14 from September 2026, full enforcement December 2027, retail store refresh windows.


Generated from your data, in your browser. No data leaves your device.

What you pay

Retail IT security consultancy (POS security assessment + CRA gap analysis):
€10,000-25,000 per product family
8-16 weeks
Requires sharing POS architecture with consultant
Report-based — no Art. 31 file
Separate from PCI-DSS assessment cost

Last regulatory check: 1 May 2026 · No substantive changes detected