CRA Wearable Fitness Tracker China Manufacturer

Key numbers

Class I

Health-monitoring wearables — Annex III point 19. Biometric data raises the cybersecurity classification.

Biometric data

Heart rate, SpO2, sleep. Annex I Part I point 1(c): confidentiality of data is mandatory.

€149

Per tracker model. Class I documentation ready for notified body review.

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Confirm classification

Health-monitoring wearable, not a medical device. Annex III point 19. Class I.

Map biometric data flow

Sensors → local processing → Bluetooth → companion app → cloud (if applicable). Document each stage.

Generate CRA dossier

Enter your tracker's specifications into CRACheck. 15-25 minutes.

Engage notified body

If harmonised standards are not fully applied, submit documentation for Module B+C or Module H.

Update companion app disclosures

Annex II requires user information on data handling, support period and vulnerability reporting.

Deliver to EU channels

Amazon, fitness retailers and distributors receive your compliance documentation.

Common mistakes

❌

ANNEX III.19

"Our fitness tracker is a consumer gadget — it is not regulated like medical devices"

Correct — your tracker is not a medical device. But that is precisely why it falls under CRA Annex III point 19: "personal wearable products with a health monitoring purpose to which Regulation (EU) 2017/745 does not apply." Being excluded from medical device regulation puts you inside CRA Class I.

❌

ANNEX I, PART I, 1(c)

"Heart rate data is not sensitive — it is just a number"

Annex I Part I point 1(c) requires protection of confidentiality of stored, transmitted and processed data without distinction by data type. Heart rate patterns, sleep data and SpO2 readings are personal health data under GDPR and must be protected from unauthorized access under CRA.

❌

ART. 13.5

"We use a third-party health sensor chip — the sensor vendor handles data security"

Article 13.5 requires due diligence on third-party components. The health sensor chip generates the biometric data, but your firmware processes, stores and transmits it. The security of the data pipeline is your responsibility.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Class I confirmation per Annex III point 19. Biometric data raises the classification.

Technical Documentation

Art. 31 + Annex VII. Covers BLE connectivity, companion app data flow, biometric sensor integration.

Risk Assessment

Art. 13.2-13.3. Biometric data interception, unauthorized access to health records, firmware tampering.

User Information

Annex II. Data privacy, pairing security, factory reset.

Declaration of Conformity

Art. 28 + Annex V.

CVD Policy

Vulnerability disclosure for biometric data vulnerabilities.

Notification Template

Art. 14 ENISA notification. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

CRA dates plus support period for the tracker.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 WEARABLE CERTIFICATION CONSULTANCY (EUROPE)

€8,000–€15,000

Per model. 3-5 months. Biometric data review.

✓ CRACHECK

€149

8 documents. 15 min. Class I documentation including biometric data handling. Pack 10: €99/product.

Two layers

● LAYER 1

What CRACheck does

Generates Annex VII documentation for your fitness tracker. Covers biometric sensors, BLE data transmission, companion app integration, cloud connectivity, data protection.

∅ LAYER 2

What CRACheck does NOT do

CRACheck does not perform GDPR compliance assessment, biometric data protection impact assessment or companion app security testing. CRA covers cybersecurity; GDPR covers data protection. Both apply to your tracker. CRACheck handles the CRA documentation.

We document cybersecurity. You handle GDPR separately.

Enforcement regime

Article 64 of Regulation (EU) 2024/2847.

🔴

Non-compliance with Annex I + Art. 13/14 (Art. 64(2))

€15,000,000 / 2.5%

Art. 64.2.

🟠

Non-compliance with Art. 31, Art. 28, Art. 32 (Art. 64(3))

€10,000,000 / 2%

Art. 64.3.

🟡

Incorrect or misleading information (Art. 64(4))

€5,000,000 / 1%

Art. 64.4.

Alternatives

Criterion	Wearable certification consultancy	Classify as Default and self-assess	GDPR compliance only	CRACheck
Cost	€8,000–€15,000	€0	Variable	€149
Result	Class I docs + assessment. 3-5 months.	Incorrect for health-monitoring wearables. Annex III point 19 = Class I.	GDPR covers data protection. CRA covers cybersecurity. You need both.	8 docs. 15 min. Class I documentation. Biometric data covered.

Your wearable line includes multiple tracker and watch models?

Each model with different sensors, firmware or connectivity needs its own dossier. Fitness band, GPS watch, kids tracker — three products, three dossiers. Volume pricing: €99/product (10-pack), €79/product (30-pack).

Request Volume Pricing

Response within one business day.

What CRACheck guarantees and what it does not

CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, completeness and truthfulness of that information is your responsibility as the manufacturer.

We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case or by a commercial buyer in a procurement process.

CRACheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.

Frequently asked questions

Is a smartwatch Class I or Default?

Annex III point 19 covers "personal wearable products with a health monitoring purpose." If your smartwatch tracks heart rate, SpO2, blood pressure or other health metrics, it is Class I. A smartwatch that only shows notifications and tracks steps (no health monitoring) may be Default.

Does the CRA cover our companion app?

Article 3(1) defines a product with digital elements as including "remote data processing solutions." If your tracker requires a companion app to function, the app is part of the product.

What about children's wearables?

Annex III point 19 also covers "personal wearable products intended for the use by and for children." A kids' GPS tracker is Class I regardless of health monitoring.

Do we need separate documentation for iOS and Android companion apps?

If both apps have the same functionality and security properties, one documentation set covers both. If they differ in security implementation, document the differences.

What support period for a fitness tracker?

Consumers typically use fitness trackers for 2-4 years. Art. 13.8 requires the support period to reflect expected use. 3-5 years is a reasonable range.

Is this a subscription?

No. One-time payment. 30 days editing, 10 regenerations. PDF yours permanently.

Can I request a refund?

Pursuant to Art. 16(m) of Directive (EU) 2011/83, licence activation constitutes express consent. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate at no additional cost during licence validity.

Official legal sources

Regulation (EU) 2024/2847 — Cyber Resilience Act — full text

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.