
Your industrial IoT gateway aggregates data from 50 sensors on a European factory floor and routes it to the cloud via LTE. Under Article 2.1 of Regulation (EU) 2024/2847, it is a product with digital elements. Your EU industrial integrator client has added a CRA Annex VII clause to the procurement contract. The gateway documentation must cover network security, MQTT/Modbus protocols, OTA updates and a 10-year support period. CRACheck generates it.

Industrial IoT devices operate in environments where cybersecurity has operational safety implications. A compromised temperature sensor in a pharmaceutical cold chain can cause product loss. A compromised gateway in a factory network can expose the entire OT environment. European industrial buyers — manufacturers, utilities, logistics companies — are adding CRA compliance clauses to procurement contracts for IoT equipment. Article 31 and Annex VII of Regulation (EU) 2024/2847 require technical documentation covering vulnerability handling, risk assessment and SBOM. CRACheck generates 8 PDF documents. 15-25 minutes. €149 per product. Browser-side.


€149 one-time · 8-document ZIP · 15-25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side

Key numbers

B2B = in scope: CRA applies to all products with digital elements on the EU market. B2B products are not exempt.
10-15 years: Industrial IoT device lifecycle. Art. 13.8 requires security updates for the declared support period.
€149: Per product model. Sensor, gateway, edge device — each documented separately.

CRA documentation for industrial IoT equipment from China

Your EU industrial client's procurement team has already added the CRA clause. Have the documentation ready.

1. Classify your devices
IoT sensors and gateways are typically Default products (not in Annex III). Edge devices with security functions may fall under Annex III depending on functionality.
2. Map the industrial attack surface
MQTT, Modbus, OPC-UA, LoRa, NB-IoT, LTE, Ethernet. Cloud connectivity, local storage, edge processing. OTA firmware updates. Default credentials.
3. Generate CRA dossier per product model
Enter specifications into CRACheck. 15-25 minutes per device model.
4. Deliver to EU industrial integrators
Include CRA documentation in the product specification package. Contract clauses are met.
5. Plan for long support period
Industrial devices have 10-15 year lifecycles. Declare a support period consistent with the product's expected operational life. Document your firmware update commitment.


Industrial IoT CRA mistakes

ART. 2.1

Our sensors are sold B2B to integrators, not to consumers — CRA does not apply

Article 2.1 of Regulation (EU) 2024/2847 applies to products with digital elements made available on the EU market. It does not distinguish B2B from B2C. An industrial sensor sold to a German factory integrator is placed on the EU market. CRA applies.

ANNEX I, PART I, 1(d)

Our gateway ships with default MQTT credentials — the integrator changes them during deployment

Annex I Part I point 1(d) requires a secure-by-default configuration. Default MQTT credentials (admin/admin, root/root) are the exact pattern the CRA targets. The product must ship with unique credentials or require credential setup before operation. The integrator's deployment process does not absolve the manufacturer.

ART. 13.8

We support the product for 3 years — then the integrator takes over

Article 13.8 requires the manufacturer to provide security updates for a support period reflecting expected use. Industrial IoT devices are deployed for 10-15 years. A 3-year support period means 7-12 years without manufacturer security updates. EU industrial buyers will not accept this. Document a support period aligned with industrial expectations.

What each CRACheck dossier contains: 8 documents

Industrial IoT devices have unique cybersecurity requirements: industrial protocols, long lifecycles, OT network exposure. CRACheck generates 8 documents covering these specifics.

1. Product Classifier
Determines product category per Annex III. Defines conformity assessment route under Art. 32.

2. Technical Documentation
Complete technical documentation structured per Art. 31 and Annex VII. All 8 mandatory sections.

3. Risk Assessment
Cybersecurity risk assessment per Art. 13.2 and Art. 13.3. Mapped against Annex I Part I requirements.

4. User Information
Information and instructions per Annex II. Security properties, support period, vulnerability reporting.

5. Declaration of Conformity
EU declaration of conformity per Art. 28 and Annex V.

6. CVD Policy
Coordinated Vulnerability Disclosure policy per Annex I Part II.

7. ENISA Notification Template
Pre-structured for 24h early warning, 72h notification, 14-day final report under Art. 14.

8. Obligations Calendar
Key dates: Art. 14 from 11 Sep 2026, full enforcement 11 Dec 2027, support period per Art. 13.8.

Look before you buy — Download sample dossier (PDF, fictitious company) — Real structure, real articles, real format. Fictitious data.

Generated in your browser. No product data is transmitted to any server.

What you pay for industrial IoT CRA documentation

INDUSTRIAL CYBERSECURITY CONSULTANCY (IEC 62443 + CRA): €15,000–€40,000
Per product family. 4-8 months. IEC 62443 + CRA combined.

CRACHECK: €149
8 CRA documents. 15 min. IEC 62443 certification handled separately.

CRA documentation vs. IEC 62443 certification

● LAYER 1

What CRACheck does

Generates Annex VII documentation for your industrial IoT device. Covers industrial protocols, edge processing, OTA updates, long support period declaration.

∅ LAYER 2

What CRACheck does NOT do

CRACheck does not perform IEC 62443 assessment, penetration testing of industrial protocols or OT network security audits. CRA documentation is one layer. Industrial cybersecurity certification (IEC 62443) is another.

We generate CRA documentation. You pursue IEC 62443 certification separately if needed.

CRA penalty regime — Article 64 of Regulation (EU) 2024/2847

Article 64 establishes three tiers of administrative fines. Penalties are calculated per undertaking — but non-compliance on a single product can trigger inspection of your entire portfolio.

Non-compliance with essential cybersecurity requirements (Annex I) and Art. 13/14 obligations: €15M / 2.5%
Art. 64.2. Up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher.

Non-compliance with technical documentation (Art. 31), authorised representative (Art. 18), conformity assessment (Art. 32): €10M / 2%
Art. 64.3. Up to €10 million or 2% of total worldwide annual turnover, whichever is higher. Includes failure to produce Annex VII documentation.

Supply of incorrect, incomplete or misleading information to authorities: €5M / 1%
Art. 64.4. Up to €5 million or 1% of total worldwide annual turnover, whichever is higher.

Art. 64.5 accounts for the nature, gravity and duration of the infringement, and gives consideration to microenterprises, small and medium-sized enterprises, including start-ups.

Alternatives

Alternative | Cost | What you get
Industrial cybersecurity consultancy | €15,000–€40,000 | IEC 62443 + CRA. 4-8 months.
Provide product datasheet as documentation | €0 | Datasheet is not Annex VII documentation.
Wait for procurement enforcement | €0 now | Lose tenders. Industrial integrators buy from compliant suppliers.
CRACheck | €149 | 8 CRA docs. 15 min. Per product model.

Your industrial IoT product line includes sensors, gateways and edge devices?

Each product model needs its own CRA dossier. Temperature sensor, humidity sensor, LoRa gateway, LTE gateway, edge controller — five products, five dossiers. Volume pricing: €99/product (10-pack), €79/product (30-pack).

Request volume pricing
Response within one business day.

What CRACheck guarantees and what it does not

CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, completeness and truthfulness of that information is your responsibility as the manufacturer.

We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct as of the last verification date. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case or by a commercial buyer in a procurement process.

CRACheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.

Frequently asked questions

Does IEC 62443 compliance satisfy CRA requirements?
IEC 62443 is an industrial cybersecurity standard. It may be recognised as a harmonised standard under Regulation (EU) 2024/2847 if published in the Official Journal with a CRA reference. Even if recognised, you still need the Annex VII documentation — IEC 62443 certification supplements the CRA documentation, it does not replace it.
Is a passive sensor without network connectivity in scope?
Article 2.1 covers products with a direct or indirect data connection. A sensor that outputs an analog signal (4-20mA) without any digital data connection is not in scope. A sensor with a digital output (Modbus, HART, Bluetooth) has a data connection and is in scope.
What support period for an industrial gateway?
Industrial gateways are deployed for 10-15 years. Art. 13.8 requires the support period to reflect expected use. 10 years of security updates is a competitive baseline for industrial IoT.
Does the CRA cover our cloud platform (AWS/Azure IoT)?
Art. 3(1) includes "remote data processing solutions." If your sensor/gateway depends on a cloud platform you provide, it is part of the product. If the customer deploys on their own cloud, that is their responsibility. Document the cloud components you provide and the APIs you expose.
Our gateway runs Linux — do we list every Linux package in the SBOM?
Annex VII point 2(b) requires the SBOM. For embedded Linux, list the kernel version, critical userspace packages and security-relevant libraries. A full package manifest may be required upon market surveillance authority request under Annex VII point 8. Document at a level enabling vulnerability tracking.
Is this a subscription?
No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours to keep.
Can I request a refund?
Pursuant to Art. 16(m) of Directive (EU) 2011/83 on consumer rights, by activating the licence you give express consent for the immediate generation of the digital content, waiving the 14-day withdrawal period. Refunds are accepted only for reproducible technical failures.
What if the regulation changes?
If the regulation changes during the validity of your licence, you can regenerate the document with the updated version of the generator at no additional cost.
⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

Your industrial IoT devices are deployed in European factories. CRA documentation is mandatory. Generate it — 15 minutes, €149 per device.

€149 one-time payment
8 professional documents · 15-25 minutes · No subscription · 100% in your browser
✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history