Your industrial IoT gateway aggregates data from 50 sensors on a European factory floor and routes it to the cloud via LTE. Under Article 2.1 of Regulation (EU) 2024/2847, it is a product with digital elements. Your EU industrial integrator client has added a CRA Annex VII clause to the procurement contract. The gateway documentation must cover network security, MQTT/Modbus protocols, OTA updates and a 10-year support period. CRACheck generates it.

Industrial IoT devices operate in environments where cybersecurity has operational safety implications. A compromised temperature sensor in a pharmaceutical cold chain can cause product loss. A compromised gateway in a factory network can expose the entire OT environment. European industrial buyers — manufacturers, utilities, logistics companies — are adding CRA compliance clauses to procurement contracts for IoT equipment. Article 31 and Annex VII of Regulation (EU) 2024/2847 require technical documentation covering vulnerability handling, risk assessment and SBOM. CRACheck generates 8 PDF documents. 15-25 minutes. €149 per product. Browser-side.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15-25 minutes · Browser-side

Key numbers

B2B = in scope

CRA applies to all products with digital elements on the EU market. B2B products are not exempt.

10-15 years

Industrial IoT device lifecycle. Art. 13.8 requires security updates for the declared support period.

€149

Per product model. Sensor, gateway, edge device — each documented separately.

CRA documentation for industrial IoT equipment from China

Your EU industrial client's procurement team has already added the CRA clause. Have the documentation ready.

Classify your devices

IoT sensors and gateways are typically Default products (not in Annex III). Edge devices with security functions may fall under Annex III depending on functionality.

Map the industrial attack surface

MQTT, Modbus, OPC-UA, LoRa, NB-IoT, LTE, Ethernet. Cloud connectivity, local storage, edge processing. OTA firmware updates. Default credentials.

Generate CRA dossier per product model

Enter specifications into CRACheck. 15-25 minutes per device model.

Deliver to EU industrial integrators

Include CRA documentation in the product specification package. Contract clauses are met.

Plan for long support period

Industrial devices have 10-15 year lifecycles. Declare a support period consistent with the product's expected operational life. Document your firmware update commitment.

Your EU industrial client's procurement team has already added the CRA clause. Have the documentation ready.

Industrial IoT CRA mistakes

❌

ART. 2.1

Our sensors are sold B2B to integrators, not to consumers — CRA does not apply

Article 2.1 of Regulation (EU) 2024/2847 applies to products with digital elements made available on the EU market. It does not distinguish B2B from B2C. An industrial sensor sold to a German factory integrator is placed on the EU market. CRA applies.

❌

ANNEX I, PART I, 1(d)

Our gateway ships with default MQTT credentials — the integrator changes them during deployment

Annex I Part I point 1(d) requires secure by default configuration. Default MQTT credentials (admin/admin, root/root) are the exact pattern the CRA targets. The product must ship with unique credentials or require credential setup before operation. The integrator's deployment process does not absolve the manufacturer.

❌

ART. 13.8

We support the product for 3 years — then the integrator takes over

Article 13.8 requires the manufacturer to provide security updates for a support period reflecting expected use. Industrial IoT devices are deployed for 10-15 years. A 3-year support period means 7-12 years without manufacturer security updates. EU industrial buyers will not accept this. Document a support period aligned with industrial expectations.

What each CRACheck dossier contains: 8 documents

Industrial IoT devices have unique cybersecurity requirements: industrial protocols, long lifecycles, OT network exposure. CRACheck generates 8 documents covering these specifics.

Product Classifier

Determines product category per Annex III. Defines conformity assessment route under Art. 32.

Technical Documentation

Complete technical documentation structured per Art. 31 and Annex VII. All 8 mandatory sections.

Risk Assessment

Cybersecurity risk assessment per Art. 13.2 and Art. 13.3. Mapped against Annex I Part I requirements.

User Information

Information and instructions per Annex II. Security properties, support period, vulnerability reporting.

Declaration of Conformity

EU declaration of conformity per Art. 28 and Annex V.

CVD Policy

Coordinated Vulnerability Disclosure policy per Annex I Part II.

ENISA Notification Template

Pre-structured for 24h early warning, 72h notification, 14-day final report under Art. 14.

Obligations Calendar

Key dates: Art. 14 from 11 Sep 2026, full enforcement 11 Dec 2027, support period per Art. 13.8.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated in your browser. No product data is transmitted to any server.

What you pay for industrial IoT CRA documentation

🧾 INDUSTRIAL CYBERSECURITY CONSULTANCY (IEC 62443 + CRA)

€15,000–€40,000

Per product family. 4-8 months. IEC 62443 + CRA combined.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history