Are mesh WiFi nodes separate products or part of the router?

If each mesh node has its own firmware, own model number and is sold separately, each is a separate product and needs its own documentation. If the mesh system is sold as a single product (one SKU, one firmware), a single dossier may cover the system.

Does the CRA apply to LTE/5G routers with SIM slots?

Yes. Any product with digital elements placed on the EU market falls under Art. 2.1. Routers are Class I under Annex III point 12 regardless of the connectivity technology.

What support period is expected for routers?

Art. 13.8 requires the manufacturer to determine the support period reflecting expected time of use. Recital 59 references 5 years as a default. For routers, ISPs and consumers expect 5+ years.

Must we provide automatic firmware updates?

Annex I Part II point 8 requires security updates to be provided without delay and, where applicable, through automatic updates with a user opt-out. For routers, users expect automatic security updates.

Is this a subscription?

No. One-time payment. 30 days editing, 10 regenerations. PDF yours permanently.

Can I request a refund?

Pursuant to Art. 16(m) of Directive (EU) 2011/83, licence activation constitutes express consent. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate at no additional cost during licence validity.

Annex III point 12 of Regulation (EU) 2024/2847 lists "routers, modems intended for the connection to the internet, and switches" as Important Class I products. Your router is not a Default product. If harmonised standards are not fully applied, Article 32.2 requires conformity assessment by a notified body. CRACheck generates the technical documentation under Annex VII that the notified body will review.

Your router already carries CE marking under RED 2014/53/EU for radio and EMC. From 11 December 2027, it must also comply with the essential cybersecurity requirements of Annex I of Regulation (EU) 2024/2847. Routers are explicitly Class I — no classification doubt. The technical documentation obligation under Article 31 is separate from your RED technical file. European ISPs and distributors that carry your routers are adding CRA clauses to procurement contracts. CRACheck generates 8 PDF documents structured per Annex VII. 15-25 minutes. €149. 100% browser-side.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

Annex III.12

Routers, modems and switches explicitly listed as Important Class I products.

Art. 13.8

Support period obligation. Manufacturer must provide security updates for a defined period.

€149

Documentation per router model. 15 minutes. Compare with months of consultancy.

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Confirm classification

Annex III point 12. Routers = Class I. No ambiguity.

Map cybersecurity properties

Firmware update mechanism (OTA, manual), default credentials policy, network segmentation, encryption protocols, vulnerability disclosure channel.

Generate Annex VII documentation

CRACheck structures the 8 documents from your router's specifications. 15-25 minutes.

Engage notified body

If harmonised standards are not fully applied, submit documentation for Module B+C or Module H assessment under Art. 32.2.

Update Declaration of Conformity

Add Regulation (EU) 2024/2847 alongside RED.

Deliver to EU customers

ISPs, distributors and marketplace operators receive the updated documentation package.

Common mistakes

❌

ART. 13.6

"Our routers ship with admin/admin default credentials — we tell users to change them"

Annex I Part I point 1(d) of Regulation (EU) 2024/2847 requires products to be delivered with secure default configuration. Recital 57 specifies that products should not be made available with known exploitable vulnerabilities, including default passwords that are common or easily guessable. If your router ships with universal default credentials, it fails Annex I requirements.

❌

ANNEX I, PART II

"We handle firmware updates — vulnerability handling is covered"

Annex I Part II requires a documented vulnerability handling process: identify, document, address and remediate vulnerabilities without delay. This includes provision of security updates, SBOM, coordinated vulnerability disclosure policy and a contact address for reporting. A firmware update mechanism is one component. The CRA requires the full process to be documented.

❌

ART. 13.8

"Our router model has a 2-year warranty — that covers the support period"

Article 13.8 requires the manufacturer to determine a support period that reflects the expected time of use. For routers, users expect 5-7 years. A 2-year warranty covers hardware defects. The CRA support period covers security updates and vulnerability handling. They are different obligations.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Confirms Class I classification per Annex III point 12. No ambiguity for routers.

Technical Documentation

Art. 31 + Annex VII. Covers network interface documentation, encryption, default configuration, firmware update architecture.

Risk Assessment

Art. 13.2-13.3. Includes network exposure, unauthorized access, traffic interception scenarios.

User Information

Annex II. Secure configuration, admin credential change, firmware update instructions.

Declaration of Conformity

Art. 28 + Annex V. References CRA alongside RED.

CVD Policy

Coordinated Vulnerability Disclosure — critical for routers given high exposure.

Notification Template

Art. 14 ENISA notification. Pre-structured for the 24h/72h/14d timeline.

Obligations Calendar

CRA dates mapped to your router product lifecycle.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 EUROPEAN ROUTER CERTIFICATION CONSULTANCY

€12,000–€30,000

Per model. Includes security testing and documentation. 4-8 months.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history