Is there a formal exemption for products certified under IEC 62443?

No formal exemption exists today. Article 2(5) allows the Commission to limit or exclude CRA application for products covered by other EU rules achieving equivalent cybersecurity protection — but this requires a delegated act. No such act has been adopted for IEC 62443. Until it is, CRA obligations apply in parallel.

Which industrial products fall under Annex III?

Network management systems (Class I, item 6), firewalls and intrusion detection/prevention systems (Class II, item 2), and operating systems (Class I, item 11) are explicitly listed. A PLC with built-in firewall functionality or network management capabilities should be classified against these categories.

How does the 5-year support period work for industrial equipment with 15-year lifecycles?

Article 13(8) requires security updates for the expected product lifetime or a minimum of 5 years, whichever is shorter. For industrial equipment deployed for 10–15 years, the expected lifetime governs — you may need to provide security updates for longer than 5 years.

Can our EU subsidiary serve as authorised representative under Article 18?

If your EU subsidiary is a separate legal entity, it can serve as authorised representative under a written mandate per Article 18. However, if the subsidiary places the product on the EU market, it may already be the importer under Article 3(16) with its own obligations under Article 19.

Is this a subscription?

No. One-time payment. 30 days of editing, 10 regenerations. PDF yours permanently.

Can I request a refund?

Under Article 16(m) of Directive (EU) 2011/83, licence activation constitutes express consent for immediate digital content generation. Refunds only for reproducible technical failures.

What if the regulation is amended?

Regenerate with the updated CRACheck version at no additional cost.

You manufacture industrial IoT equipment in Japan and sell it to factories, utilities, and infrastructure operators across the European Union. Regulation (EU) 2024/2847 applies to your products independently of the Machinery Regulation and IEC 62443. Article 31 requires technical documentation structured under Annex VII. CRACheck generates it alongside your existing compliance dossier.

Japanese industrial manufacturers operate within rigorous quality frameworks — ISO 9001, IEC 62443, and the EU Machinery Regulation 2023/1230. The Cyber Resilience Act is not a replacement for any of these. It is a horizontal regulation that adds cybersecurity documentation requirements on top. Article 2(5) acknowledges overlap with sectoral rules but does not automatically exempt industrial products. Your EU subsidiary's compliance team needs an Annex VII dossier that stands on its own. CRACheck produces it in 15–25 minutes. €149 per product line. All processing stays in your browser.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

Art. 2(5)

CRA applies alongside sectoral rules unless formally excluded

5 years

Minimum security update support period (Art. 13(8))

€149

Per product line, one-time documentation

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Classify your industrial product

CRACheck determines Default or Important classification (network management systems are Annex III Class I, item 6)

Enter product specifications

PLC model, firmware version, communication protocols (OPC UA, MQTT, Modbus TCP), connectivity interfaces

Map existing cybersecurity measures

Leverage your IEC 62443 security levels, zone architecture, access controls, update mechanisms

Complete the CRA-specific vulnerability handling section

PSIRT procedures, ENISA notification readiness, coordinated disclosure

Define your support period

Align with your product's operational lifecycle in industrial environments (often 10–15 years)

Generate the 8-document CRA dossier

Output references your existing certifications while meeting Annex VII's distinct structure

Integrate with your quality system

The dossier complements your ISO 9001 and IEC 62443 files without duplicating them

Common mistakes

❌

EXEMPTION ASSUMPTION

"Industrial equipment is covered by the Machinery Regulation, so the CRA does not apply"

Article 2(5) of Regulation (EU) 2024/2847 allows limitation or exclusion for products covered by other EU rules achieving the same cybersecurity protection level — but only through a delegated act by the European Commission. No such delegated act exists for the Machinery Regulation. Until one is adopted, CRA obligations apply in parallel.

❌

STANDARD EQUIVALENCE

"Our IEC 62443 certification satisfies CRA requirements"

IEC 62443 is an international standard for industrial cybersecurity, not a harmonised standard under the CRA. The CRA's essential cybersecurity requirements (Annex I) and documentation structure (Annex VII) have their own scope. An IEC 62443 certificate demonstrates security maturity but does not automatically fulfil Art. 31 documentation obligations. You need a separate Annex VII dossier — which can reference your IEC 62443 work.

❌

SUBSIDIARY DELEGATION

"Our EU subsidiary handles all regulatory matters"

If your EU subsidiary is the importer under Article 3(16), their obligations under Article 19 are to verify that you — the manufacturer — have completed the conformity assessment and prepared technical documentation. The subsidiary verifies; the manufacturer produces. CRA documentation obligations under Article 13 remain with the entity that designs, develops, and manufactures the product.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Determines classification. Network management systems (Annex III Class I, item 6), firewalls and IDS/IPS (Class II, item 2) carry stricter assessment obligations. Default industrial products use Module A.

Technical Documentation

Art. 31 + Annex VII dossier structured for industrial products: design lifecycle, security architecture (zones, conduits), production processes, firmware management.

Risk Assessment

Annex I Part I analysis adapted for industrial environments. OT-specific threats: lateral movement, protocol exploitation, physical access, supply chain attacks on components.

User Information

Annex II documentation for industrial integrators and operators: secure commissioning, network segmentation requirements, update management, end-of-support communication.

Declaration of Conformity

Art. 28 + Annex V. Complements Declarations under Machinery Regulation, RED, or LVD as applicable.

CVD Policy

Industrial-grade coordinated vulnerability disclosure: ICS-CERT coordination, responsible disclosure timelines, customer notification procedures.

Notification Template

Art. 14 ENISA notification for OT vulnerabilities. 24h early warning, 72h notification, 14-day final report.

Obligations Calendar

Enforcement dates, support period milestones, patch cycle schedule aligned with industrial maintenance windows.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 EU INDUSTRIAL COMPLIANCE CONSULTANCY

€15,000–€35,000

8–16 weeks. Requires deep technical disclosure to external firm. Typically bundled with IEC 62443 re-certification — combined cost.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history