
You manufacture telecom equipment — 5G base stations, core network components, routers, switches, network management platforms — sold to European operators. RED covers the radio layer. The Cyber Resilience Act covers the cybersecurity layer. Routers and switches are Important Class I under Annex III item 12. Network management systems are Important Class I under item 6. The two regulations are additive, not substitutive.

Telecom equipment manufacturers face a regulatory stack: RED (2014/53/EU) for radio and EMC, including delegated cybersecurity requirements under Art. 3(3)(d)-(f), and the CRA (Regulation (EU) 2024/2847) for horizontal cybersecurity, covering vulnerability handling, support periods, SBOM, ENISA reporting and Art. 31 technical documentation. Art. 12 of the CRA addresses overlap with other Union law, and Art. 2(5) allows the Commission to limit or exclude CRA scope where sectoral rules achieve equivalent protection, but no delegated act has been adopted yet. Until then, both apply. Annex III classifies routers, modems and switches as Important Class I (item 12) and network management systems as Important Class I (item 6). For Important Class I products where harmonised standards are not fully applied, Art. 32(2) may require EU-type examination or full quality assurance instead of internal control alone. CRACheck generates the 8-document technical file. €149 per product. 15-25 minutes.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Built on Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 PDF documents · 100% browser-side

Key figures

Annex III items 6, 12: Network management systems and routers/switches are Important Class I
Art. 32(2): Important Class I may require EU-type examination if harmonised standards are not fully applied
€15M: Maximum fine under Art. 64(2) for telecom equipment manufacturer non-compliance

How to proceed

1. Map your portfolio against Annex III
   Routers, modems for internet connection, switches: Annex III Class I item 12. Network management systems: item 6. Firewalls and IDS/IPS: Annex III Class II items 1-2. Operating systems: item 11. Microprocessors/microcontrollers with security functions: items 13-15.
2. Assess conformity assessment route
   Art. 32(1) allows internal control (Module A) for Default products. Art. 32(2) restricts Important Class I: if harmonised standards, common specifications or relevant cybersecurity certification schemes are not fully applied, EU-type examination (Module B+C) or full quality assurance (Module H) is required.
3. Conduct the CRA-specific risk assessment
   Art. 13(2)-(3): telecom-specific risks include network infrastructure compromise, lateral movement in operator networks, supply chain attacks on firmware, and remote exploitation of management interfaces. The risk assessment must cover intended deployment in critical infrastructure.
4. Address the CRA layer beyond RED
   RED covers radio spectrum, EMC and delegated cybersecurity acts. The CRA adds: vulnerability handling processes (Art. 13(6)-(8)), SBOM (Annex VII point 2(b)), ENISA reporting (Art. 14), coordinated vulnerability disclosure (Annex I Part II point (5)), and support period definition. CRACheck structures these elements.
5. Align with operator NIS2 requirements
   NIS2 (Directive (EU) 2022/2555) classifies telecom operators as essential entities. Your CRA documentation feeds into their NIS2 supply chain risk management under Art. 21 of NIS2.
6. Prepare ENISA reporting
   Art. 14 from September 2026. A vulnerability in 5G infrastructure has systemic implications — the 24h early warning is operationally critical for the entire operator ecosystem.

Common mistakes

REGULATORY SUBSTITUTION

Assuming RED delegated acts cover all CRA requirements

RED delegated cybersecurity requirements under Art. 3(3)(d)-(f) of Directive 2014/53/EU address specific security aspects of radio equipment. The CRA's Annex I requirements are broader: vulnerability handling, SBOM, support period, coordinated disclosure, ENISA reporting, technical documentation under Annex VII. Until the Commission adopts a delegated act under Art. 2(5) of the CRA, both regulatory layers coexist.

CONFORMITY ASSESSMENT UNDERESTIMATION

Using internal control for an Important Class I router without harmonised standards

Art. 32(2) of Regulation (EU) 2024/2847 restricts conformity assessment for Important Class I products. If harmonised standards applicable to the CRA have not been published or you have not fully applied them, internal control (Module A) is insufficient. EU-type examination (Module B+C) or full quality assurance (Module H) is required.

SYSTEMIC RISK UNDERSTATEMENT

Scoping the risk assessment to the individual product rather than network impact

Art. 13(3) of Regulation (EU) 2024/2847 requires the risk assessment to cover intended purpose and reasonably foreseeable use. For telecom equipment deployed in 5G infrastructure, the foreseeable use includes integration into critical national infrastructure. A risk assessment scoped to the standalone device without addressing network-level impact is incomplete.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
   Identifies Important Class I (routers, switches per Annex III item 12; network management per item 6), Important Class II (firewalls, IDS/IPS per Annex III items 1-2), or Default for ancillary telecom products.
2. Technical Documentation
   Art. 31 and Annex VII documentation for telecom equipment: network architecture, firmware structure, management interface security, protocol specifications, supply chain component data.
3. Risk Assessment
   Cybersecurity risk assessment covering telecom-specific vectors: network infrastructure compromise, remote management exploitation, firmware supply chain attacks, protocol-level vulnerabilities.
4. User Information
   Annex II information for telecom operator deployment: secure configuration, hardening guidelines, update mechanisms, vulnerability reporting, support period.
5. Declaration of Conformity
   EU Declaration per Art. 28 and Annex V.
6. CVD Policy
   Coordinated vulnerability disclosure policy aligned with telecom industry CERT practices.
7. Notification Template
   ENISA notification template per Art. 14 with telecom infrastructure urgency context.
8. Obligations Calendar
   Key dates: Art. 14 from September 2026, full enforcement December 2027, harmonised standards publication timeline.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 TELECOM COMPLIANCE CONSULTANCY
CRA + RED gap analysis for 5G equipment
€20,000-50,000 per product family
16-24 weeks
Requires sharing network architecture with consultant
Report-based — does not produce Art. 31 file
Re-engagement per hardware generation
✓ CRACHECK — CRA-SPECIFIC DOCUMENTATION
8-document Art. 31 file for the CRA layer RED does not cover
€149 per product
15-25 minutes
Network architecture stays in your browser
Feeds operator NIS2 supply chain assessments
30-day edit window, 10 regenerations
Permanent PDF

Two layers

● LAYER 1 — DOCUMENTATION · CRACHECK

The CRA documentation layer

CRACheck generates the Art. 31 and Annex VII documentation for the Cyber Resilience Act requirements that RED does not address. Vulnerability handling processes, SBOM, coordinated disclosure, ENISA notification template, support period definition, obligations calendar. Eight documents per product.

∅ LAYER 2 — NOT INCLUDED

What CRACheck does not cover

CRACheck does not perform RED testing (radio, EMC, safety). It does not conduct EU-type examination for Important Class I products under Art. 32(2). It does not engage notified bodies. It does not perform network security testing on your 5G infrastructure. It does not produce NIS2 documentation for your operator clients.

RED covers the radio. NIS2 covers the operator. The CRA covers the product. CRACheck documents the CRA layer.

Enforcement regime

11 September 2026 — Art. 14 reporting

A vulnerability in 5G infrastructure components triggers 24h ENISA notification. For telecom, the systemic impact amplifies reporting urgency.

11 December 2027 — Full CRA enforcement

Telecom equipment on the EU market must carry CRA-compliant CE marking and Art. 31 documentation. Operator procurement will require both RED and CRA evidence.

Art. 64(2) — €15M or 2.5% of global turnover

For telecom manufacturers non-compliant with Art. 13, Art. 14 or Annex I. Separate from any RED enforcement action.

Alternatives

| Criterion | Telecom compliance consultancy | RED-only approach | Internal regulatory team | CRACheck |
| --- | --- | --- | --- | --- |
| Price | €20K-50K | Does not cover CRA | Staff time | €149 per product |
| CRA Art. 31 coverage | Report | None | Depends | 8-document technical file |
| Vulnerability handling documented | Possibly | No | Possibly | Yes — CVD + ENISA template |
| Operator NIS2 evidence | Indirect | No | Possibly | Structured for supply chain review |

Telecom product portfolio with 20+ SKUs? Document the entire range.

Pack 10: €99 per product. Pack 30: €79 per product. For telecom equipment manufacturers with broad EU product portfolios, contact us for enterprise pricing.

Commercial enquiries via hello@solidwaretools.com

What CRACheck guarantees and what it does not

CRACheck generates a structured document set according to Art. 31 and Annex VII of Regulation (EU) 2024/2847 based on the information you provide. The accuracy of network architecture, firmware data and component inventories is your responsibility as manufacturer.

We guarantee that the document structure follows Art. 31 and Annex VII and that the legal references cited are correct. We do not determine your conformity assessment route under Art. 32, nor do we guarantee acceptance by a notified body, market surveillance authority or telecom operator.

CRACheck is not legal advice. For the CRA/RED interaction, conformity assessment route selection for Important Class I products, and NIS2 supply chain implications, consult a qualified telecom regulatory lawyer.

Frequently asked questions

Does the CRA replace RED for telecom equipment?
No. Art. 12 of Regulation (EU) 2024/2847 addresses the relationship with other Union law. RED (Directive 2014/53/EU) and the CRA coexist. Art. 2(5) allows the Commission to limit or exclude CRA scope where sectoral rules achieve equivalent protection, but no such delegated act has been adopted. Both regulations apply to telecom equipment.
Our routers already have RED CE marking. Is CRA CE marking separate?
The CE marking is a single physical mark. It indicates conformity with all applicable Union legislation — including both RED and CRA when both apply. You do not affix a second mark. But the declaration of conformity under Art. 28 of the CRA must cite Regulation (EU) 2024/2847 separately from RED.
Is 5G core network software a product with digital elements?
If it is placed on the market as a standalone software product or as a component with a data connection, yes — Art. 3(1) of Regulation (EU) 2024/2847 covers it. Network management systems are explicitly listed as Important Class I (Annex III item 6).
Will the EU Cybersecurity Certification Scheme (EUCC) interact with CRA conformity assessment?
Art. 27(9) of Regulation (EU) 2024/2847 allows European cybersecurity certification schemes under Regulation (EU) 2019/881 to serve as a conformity assessment route. When such schemes become available and applicable, they may offer an alternative to Module B+C or Module H for Important and Critical products.
Is this a subscription?
No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.
Can I request a refund?
Under Art. 16(m) of Directive (EU) 2011/83, activating the licence constitutes express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only processed for reproducible technical failures.
What if the regulation changes?
If Regulation (EU) 2024/2847 is amended during your licence window, you can regenerate the documentation using the updated version of the generator at no additional cost.
⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

RED covers the radio. The CRA covers the cybersecurity. Document the CRA layer.

Routers, switches, network management — Important Class I under Annex III. Eight documents per product. €149. Browser-side. Your network architecture never leaves your device.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected