The CRA draws a clear line: components placed on the market separately are products with digital elements and must comply independently. If your ESP32-based WiFi module is sold on Mouser, Farnell or directly to EU OEMs as a standalone part, Article 3(1) applies. The module needs its own technical documentation under Annex VII. Your OEM customers will also ask for documentation to fulfil their Art. 13.5 due diligence obligation on third-party components. CRACheck generates 8 PDF documents per module. 15-25 minutes. €149 per module model. Browser-side.
€149 one-time · 8-document ZIP · 15-25 minutes · Browser-side
Your OEM customer's CRA compliance starts with your module's documentation. Provide it before they ask.
Your OEM customer's CRA compliance starts with your module's documentation. Provide it before they ask.
Article 3(1) of Regulation (EU) 2024/2847 explicitly includes "hardware components being placed on the market separately" in the definition of product with digital elements. If your WiFi module is sold as a standalone component, it is a product with digital elements. The CRA does not distinguish between finished products and components placed on the market separately.
Annex III points 13-15 list microprocessors, microcontrollers, ASICs and FPGAs "with security-related functionalities" as Class I. If your module integrates secure boot, hardware encryption, secure key storage or a trusted execution environment, it has security-related functionalities. A module with an ESP32's flash encryption or secure boot feature may fall under this classification.
When your module is integrated into an end product and not sold separately, the end-product manufacturer has the CRA obligation. But Art. 13.5 requires them to exercise due diligence on third-party components — your module. They will request your module's cybersecurity documentation. If you also sell the module separately on the market, it needs its own Annex VII documentation.
Wireless modules are the building blocks of IoT products. CRACheck generates 8 documents covering the module as a standalone product with digital elements.
Determines product category per Annex III. Defines conformity assessment route under Art. 32.
Complete technical documentation structured per Art. 31 and Annex VII. All 8 mandatory sections.
Cybersecurity risk assessment per Art. 13.2 and Art. 13.3. Mapped against Annex I Part I requirements.
Information and instructions per Annex II. Security properties, support period, vulnerability reporting.
EU declaration of conformity per Art. 28 and Annex V.
Coordinated Vulnerability Disclosure policy per Annex I Part II.
Pre-structured for 24h early warning, 72h notification, 14-day final report under Art. 14.
Key dates: Art. 14 from 11 Sep 2026, full enforcement 11 Dec 2027, support period per Art. 13.8.
Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.
Generated in your browser. No product data is transmitted to any server.
Generates Annex VII documentation for your wireless module as a standalone product. Covers firmware, SDK, protocol stack, security features and vulnerability handling.
CRACheck does not perform RED radio testing, measure RF emissions or certify your module for specific frequency bands. CRA covers cybersecurity. RED covers radio compliance. Both needed for wireless modules.
We document cybersecurity. Your RED lab handles radio.
Article 64 establishes three tiers of administrative fines. Penalties are calculated per undertaking — but non-compliance on a single product can trigger inspection of your entire portfolio.
Art. 64.2. Up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher.
Art. 64.3. Up to €10 million or 2% of total worldwide annual turnover, whichever is higher. Includes failure to produce Annex VII documentation.
Art. 64.4. Up to €5 million or 1% of total worldwide annual turnover, whichever is higher.
Art. 64.5 accounts for the nature, gravity and duration of the infringement, and gives consideration to microenterprises, small and medium-sized enterprises, including start-ups.
| Alternative | Cost | What you get |
|---|---|---|
| Component certification consultancy | €8,000–€20,000 | RED + CRA. 3-6 months. |
| Provide only RED certification | €0 additional | RED covers radio. CRA covers cybersecurity. Separate. |
| Let OEM customers handle CRA | €0 | OEM customers will ask for your module's documentation. No docs = no design-in. |
| CRACheck | €149 | 8 CRA docs. 15 min. Per module model. |
WiFi module, Zigbee module, BLE module, combo WiFi+BLE — each module model needs its own CRA dossier. Volume pricing: €99/module (10-pack), €79/module (30-pack).
Request volume pricingCRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, completeness and truthfulness of that information is your responsibility as the manufacturer.
We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct as of the last verification date. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case or by a commercial buyer in a procurement process.
CRACheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.