Our routers already have RED CE marking. Is CRA CE marking separate?

The CE marking is a single physical mark. It indicates conformity with all applicable Union legislation — including both RED and CRA when both apply. You do not affix a second mark. But the declaration of conformity under Art. 28 of the CRA must cite Regulation (EU) 2024/2847 separately from RED.

Is 5G core network software a product with digital elements?

If it is placed on the market as a standalone software product or as a component with a data connection, yes — Art. 3(1) of Regulation (EU) 2024/2847 covers it. Network management systems are explicitly listed as Important Class I (Annex III item 6).

Will the EU Cybersecurity Certification Scheme (EUCC) interact with CRA conformity assessment?

Art. 27(9) of Regulation (EU) 2024/2847 allows European cybersecurity certification schemes under Regulation (EU) 2019/881 to serve as a conformity assessment route. When such schemes become available and applicable, they may offer an alternative to Module B+C or Module H for Important and Critical products.

Is this a subscription?

No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Art. 16(m) of Directive (EU) 2011/83, activating the licence constitutes express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only processed for reproducible technical failures.

What if the regulation changes?

If Regulation (EU) 2024/2847 is amended during your licence window, you can regenerate the documentation using the updated version of the generator at no additional cost.

You manufacture telecom equipment — 5G base stations, core network components, routers, switches, network management platforms — sold to European operators. RED covers the radio layer. The Cyber Resilience Act covers the cybersecurity layer. Routers and switches are Important Class I under Annex III item 12. Network management systems are Important Class I under item 6. The two regulations are additive, not substitutive.

Q: Does the CRA replace RED for telecom equipment?

No. Art. 12 of Regulation (EU) 2024/2847 addresses the relationship with other Union law. RED (Directive 2014/53/EU) and the CRA coexist. Art. 2(5) allows the Commission to limit or exclude CRA scope where sectoral rules achieve equivalent protection, but no such delegated act has been adopted. Both regulations apply to telecom equipment.

Telecom equipment manufacturers face a regulatory stack: RED (2014/53/EU) for radio and EMC, including delegated cybersecurity requirements under Art. 3(3)(d)-(f). The CRA (Regulation (EU) 2024/2847) for horizontal cybersecurity covering vulnerability handling, support periods, SBOM, ENISA reporting and Art. 31 technical documentation. Art. 12 of the CRA addresses overlap with other Union law, and Art. 2(5) allows the Commission to limit or exclude CRA scope where sectoral rules achieve equivalent protection — but no delegated act has been adopted yet. Until then, both apply. Annex III classifies routers, modems and switches as Important Class I (item 12) and network management systems as Important Class I (item 6). For Important Class I products where harmonised standards are not fully applied, Art. 32(2) may require EU-type examination or full quality assurance instead of internal control alone. CRACheck generates the 8-document technical file. €149 per product. 15-25 minutes.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key figures

Annex III items 6, 12

Network management systems and routers/switches are Important Class I

Art. 32(2)

Important Class I may require EU-type examination if harmonised standards not fully applied

€15M

Maximum fine under Art. 64(2) for telecom equipment manufacturer non-compliance

How to proceed

Map your portfolio against Annex III

Routers, modems for internet connection, switches: Annex III Class I item 12. Network management systems: item 6. Firewalls and IDS/IPS: Annex III Class II items 1-2. Operating systems: item 11. Microprocessors/microcontrollers with security functions: items 13-15.

Assess conformity assessment route

Art. 32(1) allows internal control (Module A) for Default products. Art. 32(2) restricts Important Class I: if harmonised standards, common specifications or relevant cybersecurity certification schemes are not fully applied, EU-type examination (Module B+C) or full quality assurance (Module H) is required.

Conduct the CRA-specific risk assessment

Art. 13(2)-(3): telecom-specific risks include network infrastructure compromise, lateral movement in operator networks, supply chain attacks on firmware, and remote exploitation of management interfaces. The risk assessment must cover intended deployment in critical infrastructure.

Address the CRA layer beyond RED

RED covers radio spectrum, EMC and delegated cybersecurity acts. The CRA adds: vulnerability handling processes (Art. 13(6)-(8)), SBOM (Annex VII point 2(b)), ENISA reporting (Art. 14), coordinated vulnerability disclosure (Annex I Part II point (5)), and support period definition. CRACheck structures these elements.

Align with operator NIS2 requirements

NIS2 (Directive (EU) 2022/2555) classifies telecom operators as essential entities. Your CRA documentation feeds into their NIS2 supply chain risk management under Art. 21 of NIS2.

Prepare ENISA reporting

Art. 14 from September 2026. A vulnerability in 5G infrastructure has systemic implications — the 24h early warning is operationally critical for the entire operator ecosystem.

Common mistakes

❌

REGULATORY SUBSTITUTION

Assuming RED delegated acts cover all CRA requirements

RED delegated cybersecurity requirements under Art. 3(3)(d)-(f) of Directive 2014/53/EU address specific security aspects of radio equipment. The CRA's Annex I requirements are broader: vulnerability handling, SBOM, support period, coordinated disclosure, ENISA reporting, technical documentation under Annex VII. Until the Commission adopts a delegated act under Art. 2(5) of the CRA, both regulatory layers coexist.

❌

CONFORMITY ASSESSMENT UNDERESTIMATION

Using internal control for an Important Class I router without harmonised standards

Art. 32(2) of Regulation (EU) 2024/2847 restricts conformity assessment for Important Class I products. If harmonised standards applicable to the CRA have not been published or you have not fully applied them, internal control (Module A) is insufficient. EU-type examination (Module B+C) or full quality assurance (Module H) is required.

❌

SYSTEMIC RISK UNDERSTATEMENT

Scoping the risk assessment to individual product rather than network impact

Art. 13(3) of Regulation (EU) 2024/2847 requires the risk assessment to cover intended purpose and reasonably foreseeable use. For telecom equipment deployed in 5G infrastructure, the foreseeable use includes integration into critical national infrastructure. A risk assessment scoped to the standalone device without addressing network-level impact is incomplete.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Identifies Important Class I (routers, switches per Annex III item 12; network management per item 6), Important Class II (firewalls, IDS/IPS per Annex III items 1-2), or Default for ancillary telecom products.

Technical Documentation

Art. 31 and Annex VII documentation for telecom equipment: network architecture, firmware structure, management interface security, protocol specifications, supply chain component data.

Risk Assessment

Cybersecurity risk assessment covering telecom-specific vectors: network infrastructure compromise, remote management exploitation, firmware supply chain attacks, protocol-level vulnerabilities.

User Information

Annex II information for telecom operator deployment: secure configuration, hardening guidelines, update mechanisms, vulnerability reporting, support period.

Declaration of Conformity

EU Declaration per Art. 28 and Annex V.

CVD Policy

Coordinated vulnerability disclosure policy aligned with telecom industry CERT practices.

Notification Template

ENISA notification template per Art. 14 with telecom infrastructure urgency context.

Obligations Calendar

Key dates: Art. 14 from September 2026, full enforcement December 2027, harmonised standards publication timeline.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 TELECOM COMPLIANCE CONSULTANCY

CRA + RED gap analysis for 5G equipment

€20,000-50,000 per product family

16-24 weeks

Requires sharing network architecture with consultant

Report-based — does not produce Art. 31 file

Re-engagement per hardware generation

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history