What does the CRA require for factory reset?

Annex I, Part I, point (2)(b) of Regulation (EU) 2024/2847 requires the product to include 'the possibility to reset the product to its original state.' The original state must be the documented secure-by-default configuration. The reset must return the product to a secure state, not to a pre-hardening firmware or configuration.

Must data be securely erased during factory reset?

Annex I, Part I, point (2)(f) requires the product to 'protect the availability of essential and basic functions, including after the product has been decommissioned, by minimising the negative impact of other devices on the product or the network, and including the secure erasure of data.' The secure erasure applies to decommissioning, and best practice extends it to factory reset to prevent data leakage between users.

Does the reset have to be user-accessible?

Annex I, Part I, point (2)(b) says 'the possibility to reset the product to its original state.' This implies the user must be able to trigger it. The user information under Annex II, point (8) must include instructions on how to perform the reset. A reset that requires manufacturer intervention or special tools may not satisfy the accessibility requirement.

What about data on cloud-connected services?

The CRA applies to the product with digital elements. If the product stores data in a cloud backend, the manufacturer must consider whether factory reset should also trigger deletion of cloud-stored user data associated with that device. The risk assessment per Art. 13(2)-(3) should address this scenario.

Is this a subscription?

No. One-time payment. The licence includes a 30-day editing window and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Article 16(m) of Directive (EU) 2011/83 applies. Upon licence activation, you give express consent for immediate generation of the digital content, waiving the 14-day withdrawal right. Refunds are accepted only for a reproducible technical defect.

What if the regulation changes?

If the regulation is amended during your licence validity period, you can regenerate the documentation using the updated version of the generator at no additional cost.

Annex I, Part I, point (2)(b) of Regulation (EU) 2024/2847 requires your product to include the possibility to reset the product to its original state — the secure-by-default configuration. Point (2)(f) requires secure data erasure to protect availability and prevent data leakage upon decommissioning. Two requirements that intersect at the factory reset function. CRACheck documents how your product meets both.

Factory reset under the CRA is not just a convenience feature. It is a regulatory requirement tied to the secure-by-default configuration of point (2)(b). The reset must return the product to a documented secure state — not to a pre-hardening firmware, not to a state with residual user data, not to a state with disabled security features. Point (2)(f) adds the dimension of secure data erasure: when the product is decommissioned or changes hands, stored data must be securely erased to prevent exposure. The risk assessment per Art. 13(2)–(3) must address both the reset target state and the data erasure mechanism. CRACheck structures the documentation for both requirements within the 8-document Annex VII package. 15–25 minutes. €149.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Reset and erasure requirements at a glance

Part I(2)(b)

Reset to secure original state

Part I(2)(f)

Secure data erasure on decommissioning

Annex II(8)

User instructions must explain how to reset

How to implement and document factory reset

Define the secure reset state

Document what "original state" means for your product: which settings, credentials, services, ports, and protocols are restored. This state must match your documented secure-by-default configuration per point (2)(b).

Implement data erasure

Define what data is erased during reset: user credentials, configuration, logs, cached data, paired device information. Per point (2)(f), the erasure must be secure — not just file deletion but actual data overwriting or cryptographic erasure.

Make reset user-accessible

Point (2)(b) requires "the possibility" to reset. Annex II, point (8) requires user instructions. The reset must be accessible without manufacturer intervention or specialised tools.

Address cloud data

If the product stores data in cloud services, determine whether factory reset triggers cloud data deletion. Document the decision and rationale in the risk assessment.

Document in user information

Annex II, point (8): instructions on how to reset the product to its original state. Include what data will be erased and what steps the user should take before resetting.

Run CRACheck

Input your reset implementation details. CRACheck generates the documentation covering both the reset function (2)(b) and data erasure (2)(f), integrated into the risk assessment, user information, and technical documentation.

Three mistakes manufacturers make with factory reset

❌

INSECURE RESET STATE

Factory reset restores a pre-hardening configuration weaker than the secure default

Annex I, Part I, point (2)(b) ties the reset to the "original state" which must be the secure-by-default configuration. If reset restores an older firmware version, re-enables disabled services, or reverts to shared default credentials, it contradicts the secure-by-default requirement.

❌

RESIDUAL DATA

Factory reset deletes files but does not securely erase data from storage

Simple file deletion leaves data recoverable from flash storage. Point (2)(f) requires protection against data leakage. Secure erasure means cryptographic key deletion (for encrypted storage) or block-level overwriting. A factory reset that leaves recoverable user data violates the decommissioning protection requirement.

❌

NO USER ACCESS

Reset requires manufacturer tools, special cables, or service mode access

Point (2)(b) requires "the possibility to reset the product." If the user cannot perform the reset without contacting the manufacturer, using proprietary software, or connecting special hardware, the accessibility of the reset function is compromised. Annex II, point (8) requires clear instructions the user can follow independently.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Category per Annex III/IV. IoT devices with persistent storage face particular scrutiny on data erasure implementation.

Technical Documentation

Annex VII. Documents the reset mechanism, target state, data erasure method, and how they map to Annex I Part I(2)(b) and (2)(f).

Risk Assessment

Per Art. 13(2)–(3). Assesses risks of incomplete reset, residual data exposure, and cloud data persistence.

User Information

Per Annex II. Includes reset instructions per point (8): how to initiate, what data is erased, pre-reset backup recommendations.

Declaration of Conformity

Per Art. 28 and Annex V.

CVD Policy

Per Annex I, Part II, point (5). Incomplete reset or data erasure may be reported as a vulnerability through the CVD channel.

Notification Template

Per Art. 14. A vulnerability in the reset or erasure mechanism triggers the reporting pipeline.

Obligations Calendar

Key dates through the support period.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 THE ALTERNATIVE

Commissioning a security consultant to audit your factory reset implementation, verify data erasure completeness, and produce the Annex VII documentation.

€8,000–€18,000

4–8 weeks. One product revision.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history