Reg (EU) 2024/2847Generate dossier — €149
LIVE — Enforcement tracker · Deadline dashboard · Transposition status — Updated weekly from EUR-Lex, Safety Gate, OEIL & 12 official sourcesView regulatory intelligence →

Your electronics factory in India manufactures connected devices and exports them to European importers. From 11 December 2027, Article 19(2) of Regulation (EU) 2024/2847 requires importers to verify that the manufacturer has drawn up the technical documentation before placing the product on the EU market. If your Annex VII file does not exist, your European importer cannot legally import your product. CRACheck generates the documentation.

Indian electronics manufacturers have supplied European markets for decades. CE marking, RoHS, EMC — the compliance checklist is familiar. Regulation (EU) 2024/2847 adds a new requirement: cybersecurity documentation under Annex VII for any product with digital elements. Your European importer's obligations under Article 19(2)(b) are explicit: they must ensure the manufacturer has drawn up the technical documentation before placing the product on the market. If your product has firmware, connectivity, or remote data processing capability, this applies. CRACheck generates 8 PDF documents structured under Art. 31 + Annex VII in 15–25 minutes. €149 per product. 100% browser-side — no product data uploaded.

Generate CRA dossier — €149Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side — your data never leaves your device

What the CRA means for your electronics export business

Art. 19(2)(b)
Importer must verify technical documentation exists before placing product on the EU market.
5 years
Minimum support period (Art. 13(8)). Security updates mandatory for the entire duration.
€149
Per product. A fraction of a CE marking consultancy.

How to generate the Annex VII dossier for your connected device

1
Identify which products are in scope
Any product with firmware, wireless connectivity (WiFi, Bluetooth, Zigbee, cellular), or remote data processing falls under Art. 2(1). Pure passive electronics without data connection are out of scope.
2
Classify each product
Use the free CRACheck classifier. Routers and modems are Important Class I (Annex III §12). Microcontrollers with security functions are Class I (Annex III §14). Smart meter gateways are Critical (Annex IV §2).
3
Determine conformity assessment path
Default products: Module A self-assessment (Art. 32(1)(a)). Class I without harmonised standards: Module B+C or H (Art. 32(2)). Class II: Module B+C, H, or certification (Art. 32(3)).
4
Complete CRACheck for each product
15–25 minutes per product. Hardware-specific questions: firmware update mechanism, physical interfaces, boot process security, component sourcing.
5
Download the 8-PDF ZIP
Structured Annex VII dossier per product.
6
Send to your EU importer
The importer verifies the documentation under Art. 19(2)(b). They keep a copy for 10 years (Art. 19(6)).
7
Prepare vulnerability handling
Art. 14 (ENISA notification) applies from 11 September 2026. Set up internal vulnerability tracking process using the CVD Policy and Notification Template in the ZIP.

Three mistakes electronics manufacturers make with the CRA

COMMON MISTAKE

"We have CE marking — that covers cybersecurity"

CE marking for EMC (Directive 2014/30/EU) and safety (Low Voltage Directive 2014/35/EU) does not cover cybersecurity. Regulation (EU) 2024/2847 adds cybersecurity as a separate requirement. After 11 December 2027, the CE marking on products with digital elements must also attest compliance with the CRA essential cybersecurity requirements (Art. 30). The marking is the same symbol — the obligations behind it are expanded.

COMMON MISTAKE

"Our importer handles all EU compliance — not our problem"

Article 19(1) of Regulation (EU) 2024/2847 states that importers shall place on the market only products that comply with Annex I cybersecurity requirements. Article 19(2)(b) requires the importer to verify that the manufacturer has drawn up the technical documentation. If the documentation does not exist, the importer cannot import. The bottleneck is at the manufacturer — you.

COMMON MISTAKE

"Cybersecurity documentation is only needed for IT products, not industrial electronics"

Article 2(1) applies to any product with a "direct or indirect logical or physical data connection to a device or network." An industrial IoT gateway, a connected controller, a smart meter with cellular connectivity — all qualify. There is no "industrial electronics" exemption. The scope is defined by data connection, not by industry.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1

Product Classifier

Classification under Annex III/IV. Critical for hardware: routers (Class I §12), microcontrollers with security (Class I §14), smart meter gateways (Critical, Annex IV §2).

2

Technical Documentation

Annex VII including hardware-specific content: photographs/illustrations (§1(c)), internal layout, firmware versions (§1(b)), production monitoring (§2(c)).

3

Risk Assessment

Art. 13(2). Hardware threat model: physical tampering, firmware extraction, side-channel attacks, supply chain component integrity.

4

User Information

Annex II. Installation instructions, firmware update process, decommissioning, secure data erasure.

5

Declaration of Conformity

Art. 28 + Annex V. Manufacturer signs.

6

CVD Policy

Annex I Part II §5. Vulnerability disclosure for hardware/firmware.

7

Notification Template

Art. 14 ENISA notification. 24h/72h/14d process.

8

Obligations Calendar

Sept 2026 (Art. 14), Dec 2027 (full), product support period end dates.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 EUROPEAN CRA COMPLIANCE CONSULTANT FOR HARDWARE
€12,000–€20,000
3–6 months per product line.
✓ CRACHECK
€149
8 documents. 15–25 minutes. Per product.

Two layers: what CRACheck does and does not do

● What CRACheck does

Generates Annex VII documentation including hardware-specific sections

Product photographs, firmware versions, production processes, component sourcing. 8 PDFs. 15–25 minutes. €149.

∅ What CRACheck does NOT do

Physical testing and notified body interaction

Does not perform physical testing (EMC, safety). Does not interact with notified bodies for Class I/II conformity assessment (Art. 32(2)-(3)). Does not replace your existing CE marking process — it adds the cybersecurity layer.

We document the cybersecurity layer. You handle the physical testing and notified body involvement.

Enforcement regime

Article 64 of Regulation (EU) 2024/2847.

🇪🇺
Non-compliance with Annex I + Art. 13, 14
€15M / 2.5%

Art. 64(2). Applied to the manufacturer. Your EU importer cannot shield you.

🇪🇺
Missing documentation (Art. 31) or missing CE marking (Art. 30)
€10M / 2%

Art. 64(3).

🇪🇺
Incorrect information to authorities
€5M / 1%

Art. 64(4).

Alternatives

AlternativeCostWhat you get
European compliance consultant€12,000–€20,000Full CRA documentation + testing guidance. 3–6 months.
Add cybersecurity section to existing CE file yourselfFree + weeksCustom format. Risk of Annex VII gaps. Importer may reject.
Wait until the importer demands it€0 nowDecember 2027: scramble under deadline. Importer finds alternative supplier.
CRACheck€1498 documents. 15–25 min. Annex VII structured. Importer-ready.

Your factory exports multiple product lines to the EU?

Each product with digital elements needs its own Annex VII dossier. If you manufacture 10, 20 or 50 SKUs with connectivity for the EU market, contact us for factory volume pricing.

Request Volume Pricing
Response within one business day

What CRACheck guarantees and what it does not

CRACheck generates a structured document under Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy of the information — including hardware specifications, firmware versions, and component data — is your responsibility as the manufacturer.

We guarantee the document structure follows Annex VII and the legal references are correct. We do not guarantee acceptance by a market surveillance authority or by your EU importer in a specific case.

CRACheck is not legal advice. For hardware-specific conformity assessment questions — including notified body requirements for Class I/II products — consult a qualified regulatory consultant.

Frequently asked questions

Does the CRA apply to Indian electronics exported to the EU?
Article 2(1) of Regulation (EU) 2024/2847 applies to products with digital elements made available on the EU market, regardless of the manufacturer's location. If your Indian factory exports a connected device to a European importer who places it on the EU market, the CRA applies. Article 19 places specific verification obligations on the importer — including checking that you have prepared the technical documentation.
Our products already have CE marking. What changes?
CE marking after 11 December 2027 must also attest compliance with the CRA cybersecurity requirements (Art. 30). Your existing CE file for EMC and safety remains valid for those aspects. CRACheck generates the additional cybersecurity documentation layer under Annex VII that supplements your existing CE file.
Some of our products are routers. Does classification matter?
Yes. Routers and modems intended for internet connection are Important Class I under Annex III §12. This means self-assessment Module A is only available if you apply harmonised standards, common specifications, or a certified scheme at 'substantial' level (Art. 32(2)). Without these, you need a notified body (Module B+C or H). CRACheck classifies the product and documents the result.
What is the minimum support period for security updates?
Article 13(8) of Regulation (EU) 2024/2847 requires a minimum 5-year support period for security updates, unless the product's expected use time is shorter. Manufacturers must make security updates available free of charge (Annex I Part II §8) and keep them available for 10 years after issuance (Art. 13(9)).
Is it a subscription?
No. One-time payment. 30 days editing, 10 regenerations. PDF is yours.
Can I request a refund?
Art. 16(m) Directive (EU) 2011/83. Activation = express consent. Refunds only for reproducible technical failures.
What if the regulation changes?
Regenerate at no additional cost during your licence period.

Official legal sources

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

Your EU importer needs Annex VII documentation before import. Generate it in 15 minutes per product.

8 professional documents. Structured under Article 31 and Annex VII of Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.

€149 one-time
8 documents · 15–25 min · Hardware-ready · 100% browser-side
Generate CRA dossier — €149

Related landings

🏢 IT company

CRA compliance Indian IT company — EU client
🏷️ White label

CRA white label software Indian company — EU brand
🔌 Components

CRA component manufacturer Taiwan — EU supply chain
✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history