ETSI EN 303 645 sets out 13 baseline cybersecurity provisions for consumer IoT devices, plus an additional set of data protection provisions. Annex I of Regulation (EU) 2024/2847 sets out 13 product requirements and 8 vulnerability handling obligations for all products with digital elements. There is significant overlap in substance — default passwords, secure updates, minimised attack surfaces — but the CRA adds mandatory documentation under Article 31 (Annex VII technical file), mandatory vulnerability notification under Article 14, and a mandatory EU Declaration of Conformity under Article 28. ETSI EN 303 645 conformity is valuable evidence for the "technical specifications applied" section of the Annex VII file, but it does not produce the file itself. CRACheck generates it.

ETSI EN 303 645 was published in 2020 as the European baseline for consumer IoT security. The UK Product Security and Telecommunications Infrastructure Act 2022 made parts of it mandatory in the UK. In the EU, the CRA supersedes and expands upon ETSI EN 303 645 for products with digital elements. The CRA's Annex I requirements are broader (they cover all products with digital elements, not just consumer IoT), deeper (they require an SBOM, a CVD policy, and ENISA notification), and enforceable (€15M / 2.5% under Article 64). If the European Commission publishes harmonised standards for the CRA that reference ETSI EN 303 645, conformity with the standard could create a presumption of conformity with the overlapping Annex I requirements. But the Annex VII documentation, the Declaration of Conformity, and the Article 14 notification template are CRA-specific and must be produced separately. CRACheck produces them. €149. 15–25 minutes.

€149 one-time payment per product · 8 PDF documents in ZIP · 15–25 minutes · 100% in your browser

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side

Key facts

13 vs 21: ETSI EN 303 645 provisions vs CRA Annex I requirements
Annex VII §5: CRA allows citing ETSI EN 303 645 as a relevant technical specification
€15M: Maximum CRA fine. ETSI EN 303 645 carries no penalty mechanism.

How CRACheck uses ETSI EN 303 645 as supporting evidence

1. Product identification
You enter your consumer IoT device type, connectivity, and ETSI EN 303 645 conformity status if applicable.

2. Provision mapping
CRACheck maps ETSI EN 303 645 provisions to CRA Annex I requirements where they overlap: Provision 5.1 (no universal default passwords) ↔ Annex I (2)(b) secure-by-default; Provision 5.3 (keep software updated) ↔ Annex I (2)(c) security updates; Provision 5.4 (securely store credentials) ↔ Annex I (2)(d) access control; Provision 5.5 (communicate securely) ↔ Annex I (2)(e) encryption; Provision 5.6 (minimise attack surfaces) ↔ Annex I (2)(j) attack surface reduction.

3. Gap identification
CRA requirements not addressed by ETSI EN 303 645: SBOM (Annex I Part II point 1), ENISA notification (Article 14), structured Annex VII documentation, EU Declaration of Conformity (Article 28 + Annex V), user information (Annex II).

4. Documentation output
8 PDFs. The Annex VII §5 section references ETSI EN 303 645 as a technical specification applied. CRA-specific requirements are documented independently.

ETSI EN 303 645 conformity strengthens your Annex VII file. It does not replace it.

Common mistakes with ETSI EN 303 645 and CRA

SCOPE

Assuming ETSI EN 303 645 conformity satisfies the CRA

ETSI EN 303 645 is a voluntary standard with 13 baseline provisions for consumer IoT. The CRA is a mandatory EU regulation with 21 requirements, mandatory documentation, and enforceable penalties. Conformity with the standard is supporting evidence, not compliance with the regulation.

CRA ANNEX I PART II

Overlooking CRA vulnerability handling requirements absent from ETSI EN 303 645

The CRA requires: SBOM in machine-readable format (Part II point 1), coordinated vulnerability disclosure policy (Part II point 5), ENISA notification within 24 hours (Article 14), and free security updates throughout the support period (Part II point 8). ETSI EN 303 645 Provisions 5.2 and 5.3 partially address vulnerability disclosure and software updates, but not at the specificity or enforcement level of the CRA.

UK PSTI vs CRA

Confusing UK PSTI Act compliance with EU CRA compliance

The UK PSTI Act references ETSI EN 303 645 for certain requirements. The EU CRA is a separate regulation with its own documentation requirements. UK market compliance does not produce EU CRA documentation. If you sell in both markets, you need both compliance sets.

8 CRA documents — with ETSI referencing in Annex VII §5

CRACheck generates CRA documentation, referencing ETSI EN 303 645 where applicable. Covers all CRA-specific requirements.

1. Product Classifier: Annex III / Annex IV classification. Conformity assessment module.
2. Technical Documentation: Art. 31 + Annex VII. Complete dossier.
3. Risk Assessment: Art. 13(2)–(3). Cybersecurity risk assessment against Annex I.
4. User Information: Annex II. 9 required information points.
5. Declaration of Conformity: Art. 28 + Annex V. Ready for signature.
6. CVD Policy: Annex I Part II point (5). Coordinated vulnerability disclosure.
7. Notification Template: Art. 14. ENISA 24h/72h/14d notification.
8. Obligations Calendar: Key dates and milestones.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated in your browser. No data leaves your device.

ETSI conformity + CRA documentation: cost comparison

🧾 ETSI EN 303 645 CONFORMITY ASSESSMENT + CRA CONSULTANCY
€8,000–€25,000
ETSI test lab: €3,000–€10,000. CRA consultancy: €5,000–€15,000. Total: €8,000–€25,000.
✓ CRACHECK
€149
References ETSI EN 303 645 conformity in Annex VII §5. Fills CRA-specific gaps. Full 8-document dossier.

Two layers of compliance

● LAYER 1

What CRACheck does

CRACheck generates CRA documentation, referencing ETSI EN 303 645 where applicable. Covers all CRA-specific requirements: Annex VII file, cybersecurity risk assessment, Declaration of Conformity, CVD policy, ENISA notification template, user information, obligations calendar.

∅ LAYER 2

What CRACheck does NOT do

CRACheck does not perform ETSI EN 303 645 testing or assessment. It does not issue ETSI conformity statements. ETSI testing is performed by accredited test laboratories. CRACheck references the results in the CRA documentation.

ETSI EN 303 645 is evidence. The CRA file is the obligation. CRACheck generates the obligation.

Enforcement regime

CRA: Annex I cybersecurity non-compliance
€15M / 2.5%. Art. 64(2) of Regulation (EU) 2024/2847.

CRA: Documentation and conformity assessment failures
€10M / 2%. Art. 64(3) of Regulation (EU) 2024/2847.

CRA: Misleading information to authorities
€5M / 1%. Art. 64(4) of Regulation (EU) 2024/2847.

ETSI EN 303 645 has no penalty mechanism — the CRA does.

CRA vs ETSI EN 303 645 — comparison

| Criterion | ETSI EN 303 645 | CRA (Reg. 2024/2847) | CRACheck scope |
| Nature | Voluntary European standard | Mandatory EU Regulation | Mandatory documentation |
| Scope | Consumer IoT devices | All products w/ digital elements | Per product |
| Requirements | 13 baseline provisions | 21 requirements (13+8) | Maps all 21 |
| Documentation | Test report / conformity statement | Art. 31 + Annex VII file | Generates Annex VII |
| Penalties | None | €15M / 2.5% (Art. 64) | Documentation to reduce risk |
| SBOM | Not required | Annex I Part II point (1) | Documented |

Consumer IoT product family?

Each IoT device variant needs its own CRA file. Volume pricing: Pack of 10: €99. Pack of 30: €79.

Commercial enquiries via hello@solidwaretools.com

What CRACheck guarantees and what it does not

CRACheck generates a structured document set according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, completeness, and truthfulness of that information is your responsibility as the manufacturer.

We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct. We do not guarantee that a specific document will be accepted by a market surveillance authority in a particular case.

CRACheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.

Frequently asked questions — CRA and ETSI EN 303 645

Will ETSI EN 303 645 become a CRA harmonised standard?
The European Commission has issued standardisation requests to CEN/CENELEC for harmonised standards supporting the CRA. ETSI EN 303 645 concepts may inform the resulting European standards. Once published in the Official Journal, these harmonised standards would create a presumption of conformity with the relevant CRA Annex I requirements. This process is ongoing.
My product has ETSI EN 303 645 conformity. Which CRA Annex I requirements does it help cover?
ETSI EN 303 645 provisions align with several CRA requirements: default password elimination (CRA Annex I (2)(b)), secure update mechanisms ((2)(c)), access control ((2)(d)), encrypted communications ((2)(e)), and attack surface minimisation ((2)(j)). The CRA adds: SBOM, CVD policy, ENISA notification, structured Annex VII documentation, and EU Declaration of Conformity, none of which are addressed by ETSI EN 303 645.
Does ETSI EN 303 645 cover CRA vulnerability handling (Part II)?
Partially. ETSI Provision 5.2 (vulnerability disclosure policy) and Provision 5.3 (software updates) align conceptually with CRA Part II points (5) and (7). But the CRA is more specific: it requires an SBOM in machine-readable format (point 1), ENISA notification within 24 hours (Article 14), free security updates without delay (point 8), and public disclosure of fixed vulnerabilities (point 4).
I sell in both the UK (PSTI Act) and the EU. Do I need separate compliance?
Yes. The UK PSTI Act references ETSI EN 303 645 for UK market compliance. The EU CRA requires CRA-specific documentation under Regulation (EU) 2024/2847. They are separate jurisdictions with separate regulatory frameworks. CRACheck generates the EU CRA documentation.
Is this a subscription?
No. One-time payment. The licence includes a 30-day editing window and 10 regenerations. The downloaded PDF is yours permanently.
Can I request a refund?
Under Article 16(m) of Directive (EU) 2011/83, by activating the licence you give express consent for the immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are accepted only for reproducible technical defects.
What if the regulation changes?
If the regulation is amended during the validity of your licence, you can regenerate the document with the updated version of the generator at no additional cost.
⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

ETSI EN 303 645 is evidence. The CRA file is the obligation. Generate it.

✓ Last regulatory check: 2 May 2026 · No substantive changes detected