Are all semiconductors classified as Important under Annex III?

No. Only microprocessors and microcontrollers with security-related functionalities (Annex III Class I, items 13–14), tamper-resistant microprocessors and microcontrollers (Class II, items 3–4), and ASICs/FPGAs with security-related functionalities (Class I, item 15) are listed. A general-purpose microcontroller without security functions may remain a Default product.

What does "security-related functionality" mean for classification?

Regulation (EU) 2024/2847 does not provide an exhaustive definition, but Annex III items 13–15 target chips implementing authentication, cryptographic processing, secure boot, key storage, or tamper detection. If your datasheet advertises any security function, classify under the relevant Annex III category.

Does CRACheck handle the SBOM requirement?

CRACheck includes a software bill of materials section in the Technical Documentation output. You enter firmware dependencies and CRACheck structures them per Annex VII requirements. The SBOM is part of the technical documentation under Annex VII point 2.

Is this a subscription?

No. One-time payment. 30 days of editing, 10 regenerations. The PDF is yours permanently.

Can I request a refund?

Under Article 16(m) of Directive (EU) 2011/83, licence activation constitutes express consent for immediate digital content generation. Refunds only for reproducible technical failures.

What if the regulation is amended?

Regenerate with the updated CRACheck version at no additional cost during your licence period.

Your semiconductor has embedded firmware and security-related functionality. Annex III of Regulation (EU) 2024/2847 classifies microprocessors and microcontrollers with security functions as Important Class I products. Your EU customers will require conformity evidence at the silicon level. CRACheck structures it.

Q: Can we use Module A for an Important Class I chip?

Yes, but only if you apply harmonised standards listed in the Official Journal covering all applicable essential cybersecurity requirements, or hold an EU cybersecurity certification at assurance level "substantial" or higher. Without either, Article 32(2)(a) requires EU-type examination (Module B) plus conformity to type (Module C), or full quality assurance (Module H).

Items 13 and 14 of Annex III explicitly list microprocessors and microcontrollers with security-related functionalities as Important Class I products. That classification changes your conformity assessment path under Article 32 — you cannot rely on self-assessment alone unless you follow harmonised standards or hold an EU cybersecurity certification at assurance level "substantial." Your EU customers' compliance teams already know this. CRACheck generates the 8-document technical dossier in 15–25 minutes. €149 per chip family. Your design data stays on your machine.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

Annex III

Class I classification for security-function chips

€15M

Maximum administrative fine under Art. 64(2)

8 PDFs

Complete dossier per chip family

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Classify your semiconductor

CRACheck maps your chip's functionality against Annex III categories (items 13–15) to confirm Default or Important classification

Define your silicon specifications

Architecture, firmware version tree, security functions (secure boot, crypto engine, key storage, authentication)

Document your development process

Secure design lifecycle, code review protocols, silicon validation, firmware signing

Map Annex I essential requirements

How your chip meets each cybersecurity requirement at the hardware and firmware level

Complete the vulnerability handling module

PSIRT procedures, CVE coordination, firmware patch distribution to integrators

Generate the 8-document dossier

Each PDF references your chip's specific classification and applicable conformity assessment path

Deliver to your customer

The dossier integrates into your EU buyer's technical file as component-level evidence

Common mistakes

❌

CLASSIFICATION ERROR

"Our chip is a passive component — it is not covered by the CRA"

If your chip contains embedded firmware, implements security functions (authentication, encryption, secure boot), or processes data, it is a product with digital elements under Article 3(1). Items 13 and 14 of Annex III specifically target microprocessors and microcontrollers with security-related functionalities. A chip with a crypto engine is not a passive component.

❌

ASSESSMENT PATH ERROR

"We can self-assess under Module A like any other product"

Important Class I products can use Module A (internal control, Annex VIII Part I) only if the manufacturer applies harmonised standards covering all essential cybersecurity requirements, or holds an EU cybersecurity certification at assurance level "substantial." Without either, Article 32(2) requires third-party assessment under Module B+C or Module H.

❌

RESPONSIBILITY TRANSFER

"Our integrator customer handles all CRA obligations for the final product"

Article 13 assigns obligations to the manufacturer — defined in Article 3(13) as whoever develops or manufactures the product and markets it under their name. If you sell your chip under your own brand to integrators, you are the manufacturer of that component. Your customer's conformity assessment for the final product does not relieve your own obligations for the chip.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Confirms classification under Annex III. Documents whether it qualifies as Default, Important Class I (items 13–14), or Class II (tamper-resistant variants, items 3–4). Determines conformity assessment obligations under Art. 32.

Technical Documentation

Art. 31 + Annex VII dossier covering silicon design, firmware architecture, security functions, production processes, and supply chain controls.

Risk Assessment

Annex I Part I cybersecurity risk analysis. Evaluates threats at the silicon level: side-channel attacks, firmware injection, key extraction, supply chain tampering.

User Information

Annex II-compliant package for integrators: secure integration guidelines, firmware update procedures, known limitations, end-of-support timeline.

Declaration of Conformity

Art. 28 + Annex V, pre-structured with semiconductor-specific fields: chip family identifier, firmware version matrix, applicable Annex III category.

CVD Policy

Coordinated vulnerability disclosure framework. Documents your PSIRT contact, acknowledgement timelines, and coordination protocol with downstream manufacturers.

Notification Template

ENISA notification structure for actively exploited vulnerabilities: 24h early warning, 72h notification, 14-day final report per Art. 14.

Obligations Calendar

Milestones: Art. 14 reporting from 11 September 2026, full enforcement 11 December 2027, firmware support commitment, patch cycle cadence.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 SPECIALISED SEMICONDUCTOR COMPLIANCE FIRM

€12,000–€25,000

6–12 weeks. Requires NDA + sharing design files. One-off engagement — repeat for next tape-out. Output: consultant report, not structured regulatory file.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history