Reg (EU) 2024/2847

Annex I, Part I, point (2)(e) of Regulation (EU) 2024/2847 requires your product to protect the confidentiality of data stored, transmitted, or otherwise processed, including by means of state-of-the-art mechanisms such as encryption. Point (2)(g) requires that the product processes only data that is adequate, relevant, and limited to what is necessary. Two requirements. One technical documentation file. CRACheck generates it.

Data protection under the CRA is not just a GDPR concern. Annex I, Part I, point (2)(e) covers all data the product handles — personal, operational, telemetry, configuration — and requires confidentiality protection including encryption at rest and in transit. Point (2)(g) adds a data minimisation requirement that applies beyond personal data: the product must not collect or process data beyond what its intended purpose requires. Both requirements feed into the risk assessment under Art. 13(2)–(3) and must be documented in the technical file per Annex VII. CRACheck structures both into the 8-document package. 15–25 minutes. €149.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side

Data protection requirements at a glance

Part I(2)(e): Confidentiality — encryption at rest and in transit
Part I(2)(g): Data minimisation — adequate, relevant, limited
Art. 13: Risk assessment must cover both requirements

How to implement and document data protection under the CRA

1. Map all data flows
Identify every type of data your product processes: user input, telemetry, logs, configuration, credentials, firmware updates, API calls, cached data.

2. Apply data minimisation
For each data type, assess whether it is adequate, relevant, and limited to what is necessary for the intended purpose per Annex I, Part I, point (2)(g). Remove or reduce data that exceeds the purpose.

3. Implement encryption
Annex I, Part I, point (2)(e): encrypt relevant data at rest and in transit using state-of-the-art mechanisms. Document the algorithms, key lengths, and key management approach.

4. Document in the risk assessment
Art. 13(2)–(3): the risk assessment must show how points (2)(e) and (2)(g) apply to your product and how the implemented measures address identified risks.

5. Document in user information
Annex II requires informing users about data processed by the product and security measures. If encryption can be configured by the user, document the options.

6. Run CRACheck
Input your product data, encryption details, and data flow analysis. CRACheck structures the documentation per Annex VII with the data protection requirements mapped to the risk assessment and user information documents.

Three mistakes manufacturers make with data protection

GDPR ONLY

Treating CRA data minimisation as identical to GDPR data minimisation

GDPR Art. 5(1)(c) applies to personal data. CRA Annex I, Part I, point (2)(g) applies to all data the product processes — including operational telemetry, diagnostic logs, and device metadata that may not qualify as personal data under GDPR. A product compliant with GDPR data minimisation may still violate the CRA if it collects excessive non-personal data.

PARTIAL ENCRYPTION

Encrypting data in transit but not at rest

Annex I, Part I, point (2)(e) explicitly mentions "data at rest and in transit." TLS for network communication without encryption for stored data (credentials, logs, configuration files, cached user data) leaves a compliance gap. The risk assessment must address both states.

OUTDATED CRYPTO

Using deprecated encryption algorithms and claiming compliance

Point (2)(e) requires "state of the art mechanisms." SHA-1 for hashing, TLS 1.0/1.1 for transport, DES/3DES for symmetric encryption, and RSA-1024 for asymmetric encryption are not state of the art as of 2026. The technical documentation must specify current algorithms (AES-256, TLS 1.3, SHA-256/SHA-3, RSA-2048+ or ECDSA).
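The three mistakes above can be checked mechanically against the data-flow inventory from step 1. The following is an added example, not CRACheck code or output: the inventory format, field names and sample entries are constructed for illustration, and it assumes every listed data type is in scope for encryption.

```python
# Added example: audit a data-flow inventory for the three mistakes above.
# Inventory format and field names are assumptions, not a CRACheck format.

# Algorithms the page names as not state of the art.
DEPRECATED = {"sha-1", "sha1", "tls 1.0", "tls 1.1", "des", "3des", "rsa-1024"}

# Constructed sample inventory: one entry per data type the product handles.
INVENTORY = [
    {"name": "user_credentials", "personal": True, "purpose": "authentication",
     "at_rest": "AES-256", "in_transit": "TLS 1.3"},
    {"name": "diagnostic_logs", "personal": False, "purpose": "",
     "at_rest": None, "in_transit": "TLS 1.3"},
    {"name": "firmware_update", "personal": False, "purpose": "patch delivery",
     "at_rest": "AES-256", "in_transit": "TLS 1.0"},
]

def normalise(alg):
    """Lower-case and collapse whitespace so 'TLS  1.0' matches 'tls 1.0'."""
    return " ".join(alg.lower().split())

def audit_flow(flow):
    """Return a list of findings for one data-flow entry."""
    findings = []
    # Point (2)(g): every data type, personal or not, needs a stated purpose.
    if not flow.get("purpose", "").strip():
        kind = "personal" if flow.get("personal") else "non-personal"
        findings.append(f"(2)(g): no documented purpose for {kind} data")
    # Point (2)(e): both states must be addressed, with current algorithms.
    for state in ("at_rest", "in_transit"):
        label = state.replace("_", " ")
        alg = flow.get(state)
        if not alg:
            findings.append(f"(2)(e): no encryption {label}")
        elif normalise(alg) in DEPRECATED:
            findings.append(f"(2)(e): {alg} {label} is deprecated")
    return findings

def audit(inventory):
    """Map data-type name -> findings, omitting entries with no findings."""
    report = {flow["name"]: audit_flow(flow) for flow in inventory}
    return {name: items for name, items in report.items() if items}

if __name__ == "__main__":
    for name, items in audit(INVENTORY).items():
        for item in items:
            print(f"{name}: {item}")
```

The findings per data type map directly onto the risk assessment entries for points (2)(e) and (2)(g).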

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
Category per Annex III/IV. Products handling sensitive data (e.g., smart locks, health monitors) face higher scrutiny on encryption implementation.

2. Technical Documentation
Annex VII. Point 2(a) covers the design description including encryption architecture and data flow diagrams showing minimisation measures.

3. Risk Assessment
Per Art. 13(2)–(3). Maps points (2)(e) and (2)(g) against your product: which data requires encryption, which data flows have been minimised, residual risks.

4. User Information
Per Annex II. Informs users what data the product processes, how it is protected, and what encryption options are configurable.

5. Declaration of Conformity
Per Art. 28 and Annex V.

6. CVD Policy
Per Annex I, Part II, point (5). Cryptographic vulnerabilities are among the most commonly reported through CVD channels.

7. Notification Template
Per Art. 14. A vulnerability in encryption implementation triggers the 24h/72h/14-day reporting pipeline.

8. Obligations Calendar
Key dates including crypto algorithm review milestones through the support period.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 THE ALTERNATIVE

Hiring a data protection and cryptography consultant to audit data flows, assess encryption implementation, map against CRA Annex I, and produce the Annex VII documentation.

€10,000–€20,000
4–8 weeks. One product. One snapshot in time — crypto standards evolve.
✓ Last regulatory check: 1 May 2026 · No substantive changes detected