My controller only connects via USB cable. Is it still in scope?

If the USB connection transmits data (input data, firmware updates, configuration), Art. 2(1) of Regulation (EU) 2024/2847 applies — any direct or indirect data connection brings the product into scope. A USB cable carrying only power without data transmission would not qualify.

We already have RED CE marking. Do we need separate CRA documentation?

RED (Directive 2014/53/EU) covers radio equipment requirements: spectrum use, EMC, safety, and delegated cybersecurity requirements under Art. 3(3)(d)/(e)/(f). The CRA covers broader cybersecurity: vulnerability handling, support periods, SBOM, ENISA reporting, technical documentation under Annex VII. These are additive requirements. You need CRA documentation separately.

Our gaming headset has a companion mobile app. Does the app need separate documentation?

If the companion app is a standalone software product placed on the market separately (e.g., downloadable from an app store), it is a separate product with digital elements requiring its own Art. 31 documentation. If it is bundled and inseparable from the hardware product's functionality, it can be documented as part of the hardware product's technical file.

Are gaming mice and keyboards in scope?

If they have a data connection (USB, Bluetooth, wireless dongle) and contain firmware capable of receiving updates, they are products with digital elements under Art. 3(1). Most gaming mice and keyboards with customisation software meet this threshold.

Is this a subscription?

No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Art. 16(m) of Directive (EU) 2011/83, activating the licence constitutes express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only processed for reproducible technical failures.

What if the regulation changes?

If Regulation (EU) 2024/2847 is amended during your licence window, you can regenerate the documentation using the updated version of the generator at no additional cost.

You manufacture gaming controllers, headsets, streaming devices or connected peripherals sold to consumers in the EU. If the product has a data connection — USB, Bluetooth, Wi-Fi, proprietary wireless — it is a product with digital elements under Article 3(1) of Regulation (EU) 2024/2847. Gaming routers fall under Important Class I (Annex III item 12). Internet-connected toys with social interaction features fall under Annex III item 18. Standard controllers and headsets fall under Default.

The CRA applies to gaming peripherals the same way it applies to any connected consumer product. Art. 2(1) covers any product with a direct or indirect data connection. A wireless controller with Bluetooth and firmware update capability qualifies. A gaming headset with companion software qualifies. A streaming capture card with network connectivity qualifies. Classification determines your conformity assessment route: gaming routers are Important Class I under Annex III item 12. Internet-connected toys with social interactive features — speaking, filming, location tracking — are Important Class I under Annex III item 18. Standard peripherals without security-specific functionality are Default, allowing internal control under Art. 32(1)(a). CRACheck generates the 8-document technical file. €149 per product. 15-25 minutes. Hardware specifications stay in your browser.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key figures

Art. 3(1)

Any product with a data connection is a product with digital elements

Annex III item 12

Gaming routers are Important Class I

€15M

Maximum fine under Art. 64(2) for manufacturer non-compliance

How to proceed

Identify the data connection

Art. 2(1) covers direct or indirect logical or physical data connections. USB firmware updates, Bluetooth pairing, Wi-Fi companion apps, cloud sync — any of these qualifies. If your peripheral has no data connection of any kind, it is outside CRA scope.

Classify the product

Default for standard controllers, headsets, capture cards. Important Class I for gaming routers (Annex III item 12), network switches in gaming setups (Annex III item 12), and internet-connected toys with social features (Annex III item 18). Important Class II if the peripheral includes a firewall or IDS/IPS function.

Conduct the cybersecurity risk assessment

Art. 13(2)-(3): cover firmware integrity, Bluetooth/Wi-Fi attack surfaces, companion app data handling, cloud service dependencies, and foreseeable misuse by consumers.

Address Annex I consumer-specific requirements

Annex I Part I point (2)(b): secure by default configuration. Point (2)(c): security updates with clear opt-out. Point (2)(d): unauthorised access protection. Point (2)(j): minimised attack surfaces including external interfaces. These are directly relevant to consumer gaming hardware.

Compile Art. 31 technical documentation

Annex VII: product description, hardware/firmware architecture, wireless protocol specifications, vulnerability handling, SBOM, test reports.

Set the support period

Art. 13(8): gaming peripherals typically have a 3-5 year consumer lifecycle. The support period must be proportionate. Security updates must be free of charge (Art. 13(9)).

Common mistakes

❌

SCOPE DENIAL

Assuming gaming peripherals are consumer electronics exempt from the CRA

The CRA does not exempt consumer electronics. Art. 2(1) of Regulation (EU) 2024/2847 covers any product with a data connection. A Bluetooth controller receives firmware updates, transmits input data, and connects to a network-capable console. That is a data connection. The CRA applies.

❌

CLASSIFICATION ERROR

Treating a gaming router as a Default product

Annex III Class I item 12 of Regulation (EU) 2024/2847 explicitly lists "routers, modems intended for the connection to the internet, and switches." A gaming router marketed for low-latency connectivity is still a router. Important Class I classification means internal control alone (Module A) may not suffice if harmonised standards are not fully applied — Art. 32(2) may require EU-type examination.

❌

UPDATE OBLIGATION

Discontinuing firmware updates after 12 months

Art. 13(8) requires the support period to reflect expected product use time. Art. 13(9) mandates free security updates throughout the support period. For gaming peripherals with a 3-5 year expected lifecycle, a 12-month firmware update window is insufficient and non-compliant.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Identifies category: Default (standard controllers, headsets), Important Class I (gaming routers per Annex III item 12, connected toys with social features per item 18).

Technical Documentation

Art. 31 and Annex VII documentation for gaming hardware: hardware architecture, firmware structure, wireless protocols, companion app interfaces.

Risk Assessment

Cybersecurity risk assessment covering consumer gaming attack vectors: Bluetooth vulnerabilities, firmware tampering, cloud account compromise, companion app data exposure.

User Information

Annex II information for consumers: secure pairing, firmware update process, data collection disclosure, vulnerability reporting contact, support period end date.

Declaration of Conformity

EU Declaration per Art. 28 and Annex V.

CVD Policy

Coordinated vulnerability disclosure policy for gaming hardware research community.

Notification Template

ENISA notification template per Art. 14.

Obligations Calendar

Key CRA dates mapped to gaming product release cycles: Art. 14 from September 2026, enforcement December 2027.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 CE MARKING CONSULTANCY FOR GAMING HARDWARE

RED + CRA compliance mapping

€5,000-15,000 per product

6-12 weeks

Hardware samples shared with lab

One-time report per hardware revision

Re-engagement per new product

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history