Is a smartwatch Class I or Default?

Annex III point 19 covers "personal wearable products with a health monitoring purpose." If your smartwatch tracks heart rate, SpO2, blood pressure or other health metrics, it is Class I. A smartwatch that only shows notifications and tracks steps (no health monitoring) may be Default.

Does the CRA cover our companion app?

Article 3(1) defines a product with digital elements as including "remote data processing solutions." If your tracker requires a companion app to function, the app is part of the product.

What about children's wearables?

Annex III point 19 also covers "personal wearable products intended for the use by and for children." A kids' GPS tracker is Class I regardless of health monitoring.

Do we need separate documentation for iOS and Android companion apps?

If both apps have the same functionality and security properties, one documentation set covers both. If they differ in security implementation, document the differences.

What support period for a fitness tracker?

Consumers typically use fitness trackers for 2-4 years. Art. 13.8 requires the support period to reflect expected use. 3-5 years is a reasonable range.

Is this a subscription?

No. One-time payment. 30 days editing, 10 regenerations. PDF yours permanently.

Can I request a refund?

Pursuant to Art. 16(m) of Directive (EU) 2011/83, licence activation constitutes express consent. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate at no additional cost during licence validity.

Annex III point 19 of Regulation (EU) 2024/2847 classifies "personal wearable products with a health monitoring purpose" as Important Class I — provided they are not medical devices under Regulation (EU) 2017/745. Your fitness tracker measures heart rate, blood oxygen and sleep patterns. It is not a medical device. It is Class I under CRA. CRACheck generates the Annex VII technical documentation.

A fitness tracker collects biometric data — heart rate, SpO2, movement patterns, sleep. This data is processed locally and transmitted to a companion app via Bluetooth. Annex I Part I point 1(c) requires protection of confidentiality of data. Annex III point 19 classifies health-monitoring wearables as Important Class I. If harmonised standards are not fully applied, conformity assessment by a notified body is required under Article 32.2. CRACheck generates 8 PDF documents per Annex VII. 15-25 minutes. €149. Browser-side.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

Class I

Health-monitoring wearables — Annex III point 19. Biometric data raises the cybersecurity classification.

Biometric data

Heart rate, SpO2, sleep. Annex I Part I point 1(c): confidentiality of data is mandatory.

€149

Per tracker model. Class I documentation ready for notified body review.

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Confirm classification

Health-monitoring wearable, not a medical device. Annex III point 19. Class I.

Map biometric data flow

Sensors → local processing → Bluetooth → companion app → cloud (if applicable). Document each stage.

Generate CRA dossier

Enter your tracker's specifications into CRACheck. 15-25 minutes.

Engage notified body

If harmonised standards are not fully applied, submit documentation for Module B+C or Module H.

Update companion app disclosures

Annex II requires user information on data handling, support period and vulnerability reporting.

Deliver to EU channels

Amazon, fitness retailers and distributors receive your compliance documentation.

Common mistakes

❌

ANNEX III.19

"Our fitness tracker is a consumer gadget — it is not regulated like medical devices"

Correct — your tracker is not a medical device. But that is precisely why it falls under CRA Annex III point 19: "personal wearable products with a health monitoring purpose to which Regulation (EU) 2017/745 does not apply." Being excluded from medical device regulation puts you inside CRA Class I.

❌

ANNEX I, PART I, 1(c)

"Heart rate data is not sensitive — it is just a number"

Annex I Part I point 1(c) requires protection of confidentiality of stored, transmitted and processed data without distinction by data type. Heart rate patterns, sleep data and SpO2 readings are personal health data under GDPR and must be protected from unauthorized access under CRA.

❌

ART. 13.5

"We use a third-party health sensor chip — the sensor vendor handles data security"

Article 13.5 requires due diligence on third-party components. The health sensor chip generates the biometric data, but your firmware processes, stores and transmits it. The security of the data pipeline is your responsibility.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Class I confirmation per Annex III point 19. Biometric data raises the classification.

Technical Documentation

Art. 31 + Annex VII. Covers BLE connectivity, companion app data flow, biometric sensor integration.

Risk Assessment

Art. 13.2-13.3. Biometric data interception, unauthorized access to health records, firmware tampering.

User Information

Annex II. Data privacy, pairing security, factory reset.

Declaration of Conformity

Art. 28 + Annex V.

CVD Policy

Vulnerability disclosure for biometric data vulnerabilities.

Notification Template

Art. 14 ENISA notification. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

CRA dates plus support period for the tracker.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 WEARABLE CERTIFICATION CONSULTANCY (EUROPE)

€8,000–€15,000

Per model. 3-5 months. Biometric data review.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history