"Secure by default" is not a marketing phrase under the CRA. Annex I, Part I, point (2)(b) makes it a legal requirement with enforceable consequences under Art. 64(2). The product must ship with secure defaults unless manufacturer and business user have explicitly agreed otherwise for a tailor-made product. The user must have an opt-out mechanism for automatic security updates, not an opt-in. Art. 13(1) makes you responsible for ensuring the product was "designed, developed and produced in accordance with the essential cybersecurity requirements." CRACheck structures your Annex I compliance documentation in 15–25 minutes. €149.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
Annex I, Part I, point (2)(d) requires protection from unauthorised access through "appropriate control mechanisms, including but not limited to authentication, identity or access management systems." A single default password shared across all units is not an appropriate control mechanism. Unique-per-device credentials, or a forced credential setup on first use, is the compliant approach.
Annex I, Part I, point (2)(c) requires automatic security updates "enabled as a default setting, with a clear and easy-to-use opt-out mechanism." The default must be ON. The user may turn it off. Shipping with auto-update off and asking the user to enable it inverts the regulatory requirement.
Annex I, Part I, point (2)(b) requires "the possibility to reset the product to its original state" in the same sentence that requires the secure by default configuration, so the original state is the secure default. If your reset flashes a pre-hardening firmware image or re-enables services that the shipping configuration had disabled, the reset target is not the secure default. The reset target must be the documented secure state.
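A way to check the three properties above before writing them into the technical file is to lint the shipping configuration against the factory-reset image. The following is an added example, not code from CRACheck or from the regulation; the manifest fields (`credential_mode`, `reset_enabled_services` and so on) are assumptions made for this illustration, not a CRA schema. It flags a shared default credential (2)(d), auto-updates that are off by default or lack an opt-out (2)(c), and a reset image that is older than the shipping firmware or re-enables disabled services (2)(b).

```python
"""Lint a device's default configuration against Annex I, Part I, point (2):
(b) reset lands on the documented secure state, (c) auto-updates on by default
with an opt-out, (d) no credential shared across units.

The manifest format and field names are assumptions for this example; they
are not a CRA schema and not part of CRACheck."""
from dataclasses import dataclass


@dataclass
class Manifest:
    firmware_version: str             # version the product ships with
    credential_mode: str              # "shared" | "per_device" | "forced_setup"
    auto_update_enabled: bool         # default state of automatic security updates
    auto_update_opt_out: bool         # user can turn automatic updates off
    enabled_services: set[str]        # services listening in the shipping config
    reset_firmware_version: str       # version contained in the factory-reset image
    reset_enabled_services: set[str]  # services enabled after a factory reset


def _version_tuple(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def lint_defaults(m: Manifest) -> list[str]:
    """Return one finding per violated sub-requirement; empty list if clean."""
    findings = []
    # (2)(d): a password shared across all units is not an appropriate control
    if m.credential_mode == "shared":
        findings.append("(2)(d): shared default credential across units; use "
                        "per-device credentials or force setup on first use")
    # (2)(c): automatic security updates enabled by default, with an opt-out
    if not m.auto_update_enabled:
        findings.append("(2)(c): automatic security updates disabled by default")
    if not m.auto_update_opt_out:
        findings.append("(2)(c): no user opt-out for automatic security updates")
    # (2)(b): reset must land on the documented secure state, not an older image
    if _version_tuple(m.reset_firmware_version) < _version_tuple(m.firmware_version):
        findings.append(f"(2)(b): reset image {m.reset_firmware_version} predates "
                        f"shipping firmware {m.firmware_version}")
    extra = m.reset_enabled_services - m.enabled_services
    if extra:
        findings.append("(2)(b): reset re-enables services disabled in the secure "
                        f"default: {sorted(extra)}")
    return findings


# Constructed sample data: a weak camera configuration and its hardened counterpart.
WEAK = Manifest(
    firmware_version="2.4.0",
    credential_mode="shared",                 # same admin password on every unit
    auto_update_enabled=False,
    auto_update_opt_out=True,
    enabled_services={"https", "rtsp"},
    reset_firmware_version="2.0.0",           # reset flashes the pre-hardening image
    reset_enabled_services={"https", "rtsp", "telnet", "upnp"},
)

HARDENED = Manifest(
    firmware_version="2.4.0",
    credential_mode="forced_setup",           # user sets a credential before first use
    auto_update_enabled=True,
    auto_update_opt_out=True,
    enabled_services={"https", "rtsp"},
    reset_firmware_version="2.4.0",           # reset image is the shipping image
    reset_enabled_services={"https", "rtsp"},
)

if __name__ == "__main__":
    for name, manifest in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint_defaults(manifest) or "no findings")
```

Run against the weak manifest it reports four findings (shared credential, auto-updates off, older reset image, telnet and upnp re-enabled on reset); against the hardened one it reports none. The service-set comparison is the part most often missed: a reset image built from an older manufacturing profile can silently undo the hardening applied to the shipping configuration.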
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Category per Annex III/IV. Smart home products with security functionalities (Class I, item 17) and IoT toys (item 18) face particular scrutiny on default configurations.
Annex VII, point 2(a): design and development description covering how the secure-by-default configuration was implemented. Point 3: risk assessment showing how defaults mitigate identified risks.
Per Art. 13(2)–(3). Maps each Annex I, Part I, point (2) sub-requirement to your product defaults: authentication (d), encryption (e), data minimisation (g), auto-updates (c), reset (b).
Annex II, point 8(a): instructions on "the necessary measures during initial commissioning and throughout the lifetime of the product to ensure its secure use." Point 8(e): how to turn off auto-updates.
EU declaration of conformity, per Art. 28 and Annex V.
Per Annex I, Part II, point (5). Security defaults may be challenged by vulnerability reporters — the CVD policy handles that channel.
Per Art. 14. An actively exploited vulnerability in a default configuration triggers the 24h early warning, 72h notification and 14-day final report pipeline.
Key dates through the support period.
See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.
Generated from your data, in your browser. No data leaves your device.
The alternative is hiring a penetration testing firm to audit your default configurations and a compliance consultant to document the findings per Annex VII.
CRACheck generates the documentation that maps your product defaults against Annex I, Part I, point (2) requirements — secure configuration (b), auto-updates with opt-out (c), authentication (d), encryption (e), data minimisation (g), factory reset (b). It structures this mapping within the Annex VII technical file and the Risk Assessment.
CRACheck does not audit your product. It does not scan your firmware for insecure defaults. It does not perform penetration testing. It does not configure your product. You must implement the secure defaults in your product. CRACheck documents what you implemented and maps it to the regulatory requirements.
Implement first. Document with CRACheck. The regulation requires both — the secure product and the documentation proving it.
Art. 64(2): up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher, for non-compliance with the Annex I essential requirements or the obligations in Art. 13 and 14.
Art. 64(3): up to €10 million or 2% for non-compliance with any other obligation under the regulation.
Art. 64(4): up to €5 million or 1% for supplying incorrect, incomplete or misleading information to notified bodies and market surveillance authorities.
| Criterion | Ship as-is | Pentest firm | Internal security audit | CRACheck |
|---|---|---|---|---|
| Annex I mapping | Non-compliant | Findings only, no Annex VII | Depends on CRA knowledge | Yes — structured |
| Annex VII integration | None | Separate report | Manual | Automatic |
| Time to documentation | — | 4–8 weeks | 3–6 weeks | 15–25 minutes |
| Cost | €0 (+ fine risk) | €8K–€18K | Internal headcount | €149 one-time |
Even products sharing a firmware base require separate technical documentation per Art. 31 if they carry different model numbers or product identifiers per Art. 13(15). Volume pricing: €99/product (10-pack) or €79/product (30-pack).
Request volume pricing

CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847, documenting your secure-by-default configuration per Annex I, Part I, point (2)(b), based on the information you provide. The accuracy of your configuration descriptions is your responsibility as manufacturer.
We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that all legal references cited are correct. We do not guarantee that a specific product configuration will be deemed compliant by a market surveillance authority in a specific case.
CRACheck is not legal advice. For specific questions about acceptable default configurations in your product category, consult with a qualified cybersecurity or regulatory professional.