Our tracker only transmits GPS coordinates via NB-IoT. Is that enough for CRA scope?

Yes. Art. 2(1) of Regulation (EU) 2024/2847 covers any product with a direct or indirect data connection. NB-IoT is a data connection. The volume or type of data transmitted does not affect scope — a device that sends one GPS coordinate per hour over NB-IoT is as much within scope as a telematics unit streaming continuous vehicle data over 4G.

We sell the same tracker globally. Does the CRA apply only to EU-sold units?

Art. 2(1) of Regulation (EU) 2024/2847 applies to products placed on the EU market. If the same SKU is sold in the EU and outside it, the CRA obligations apply to the units placed on the EU market. Your Art. 31 documentation, CE marking and vulnerability handling obligations are triggered by EU market placement.

Our cold chain sensors have a 10-year deployment lifecycle. Does the support period need to match?

Art. 13(8) of Regulation (EU) 2024/2847 requires the support period to reflect expected use time, user expectations and product nature. A cold chain sensor deployed for 10 years in pharmaceutical logistics should have a support period proportionate to that lifecycle. If you define a shorter support period, you must disclose it in Annex II user information — and the procurement decision of pharmaceutical logistics operators will factor that limitation.

Does OBD-II integration in telematics create additional CRA obligations?

OBD-II integration means your telematics unit has physical and logical access to the vehicle's CAN bus. Art. 13(2) requires the risk assessment to cover reasonably foreseeable use. Vehicle bus access from a compromised telematics unit is a foreseeable attack vector. Your risk assessment under Art. 13(3) must address this — including the potential for lateral movement from the telematics device to vehicle control systems.

Is this a subscription?

No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Art. 16(m) of Directive (EU) 2011/83, activating the licence constitutes express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only processed for reproducible technical failures.

What if the regulation changes?

If Regulation (EU) 2024/2847 is amended during your licence window, you can regenerate the documentation using the updated version of the generator at no additional cost.

You manufacture GPS trackers, fleet telematics units, cold chain sensors or warehouse management hardware deployed across European logistics networks. These devices connect via cellular, LoRaWAN or satellite. Article 3(1) of Regulation (EU) 2024/2847 covers any product with a direct or indirect data connection. If your device transmits location, temperature or status data over a network, it is a product with digital elements. Article 13 applies to you as manufacturer.

Logistics IoT operates in environments where cybersecurity has historically been an afterthought — containers, trucks, cold rooms, loading docks. The CRA changes that. Art. 2(1) does not distinguish between office IT and operational IoT. A GPS tracker with a cellular modem is a product with digital elements. A cold chain sensor with LoRaWAN connectivity is a product with digital elements. A fleet telematics unit with OBD-II integration and 4G uplink is a product with digital elements. Most logistics IoT falls under Default classification — but if your device includes network management functionality (Annex III item 6) or VPN capability (Annex III item 5), it may be Important Class I. Art. 13 imposes the full manufacturer obligation set: risk assessment, technical documentation, vulnerability handling, support period, ENISA reporting. CRACheck generates the 8-document technical file under Art. 31 and Annex VII. €149 per product. 15-25 minutes. Fleet data and device architecture stay in your browser.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key figures

Art. 3(1)

Any product with a data connection — cellular, LoRa, satellite — is in scope

Art. 13(8)

Support period must reflect deployment lifecycle — logistics devices run 5-10 years in the field

€15M

Maximum fine under Art. 64(2) for manufacturer non-compliance

How to proceed

Identify every connected device in your portfolio

GPS trackers, telematics units, cold chain sensors, RFID gateways, handheld scanners, warehouse robots with network connectivity. Each connected product is separately within CRA scope.

Classify against Annex III

Standard logistics sensors and trackers: Default. Devices with VPN functionality: Important Class I (Annex III item 5). Devices with network management capability: Important Class I (item 6). Devices with embedded routers or modems: Important Class I (item 12).

Conduct the cybersecurity risk assessment

Art. 13(2)-(3): logistics-specific risks include GPS spoofing, cellular modem hijacking, cold chain data integrity manipulation, fleet tracking data interception, OBD-II vehicle bus access from compromised telematics, and cloud platform compromise affecting entire fleet visibility.

Address operational environment constraints

Annex I Part I point (2)(b) requires secure by default configuration. For logistics IoT deployed in uncontrolled environments (truck cabs, containers, outdoor warehouses), secure defaults must account for physical accessibility, intermittent connectivity, and unsupervised firmware updates.

Define a proportionate support period

Art. 13(8): logistics IoT devices are deployed for 5-10 years. Cold chain sensors in pharmaceutical logistics may be in service even longer. The support period must reflect this. Security updates must be free (Art. 13(9)) and deliverable over intermittent connectivity.

Prepare ENISA reporting

Art. 14 from September 2026. A vulnerability in fleet telematics affecting thousands of trucks across the EU supply chain is a systemic logistics risk — the 24h early warning is operationally critical.

Common mistakes

❌

ENVIRONMENT EXEMPTION MYTH

Assuming logistics IoT is outside CRA scope because it operates in warehouses and trucks

Art. 2(1) of Regulation (EU) 2024/2847 covers any product with a data connection placed on the EU market. The operational environment — warehouse, truck, container, port — does not affect scope. If the device connects to a network and you market it in the EU, the CRA applies.

❌

UPDATE DELIVERY GAP

No over-the-air update mechanism for devices deployed in the field

Art. 13(8)-(9) of Regulation (EU) 2024/2847 require vulnerability handling and free security updates throughout the support period. For logistics IoT deployed across thousands of trucks or containers, this requires reliable OTA firmware update capability. A product without OTA cannot fulfil Art. 13(9) for field-deployed units.

❌

FLEET-SCALE LIABILITY

Underestimating the aggregate risk of a vulnerability across 50,000 deployed units

Art. 13(2) requires the risk assessment to cover reasonably foreseeable use. For logistics IoT, foreseeable use includes fleet-scale deployment. A vulnerability in a GPS tracker deployed in 50,000 trucks is not a single-device risk — it is a logistics network risk. The risk assessment must account for aggregate impact.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Identifies Default (standard trackers, sensors) or Important Class I (devices with VPN per Annex III item 5, embedded routers per item 12, network management per item 6).

Technical Documentation

Art. 31 and Annex VII documentation for logistics IoT: device architecture, cellular/LoRa/satellite modem specifications, cloud platform integration, OTA update mechanism, data transmission protocols.

Risk Assessment

Cybersecurity risk assessment covering logistics vectors: GPS spoofing, cellular interception, cold chain data manipulation, OBD-II bus access, cloud platform compromise, fleet-scale vulnerability impact.

User Information

Annex II information for fleet operators and 3PLs: secure deployment, SIM provisioning, firmware update procedures, data handling disclosure, vulnerability reporting contact, support period end date.

Declaration of Conformity

EU Declaration per Art. 28 and Annex V.

CVD Policy

Coordinated vulnerability disclosure policy for logistics technology research community.

Notification Template

ENISA notification template per Art. 14 with fleet-scale context.

Obligations Calendar

Key dates mapped to logistics procurement cycles: Art. 14 from September 2026, full enforcement December 2027, fleet hardware refresh windows.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 IoT SECURITY CONSULTANCY

Cybersecurity assessment for logistics device portfolio

€8,000-20,000 per product family

8-16 weeks

Requires sharing device firmware and architecture

One-time report — re-engagement per hardware revision

Does not produce Art. 31 file

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history