The regulatory geometry for connected radio equipment in the EU is now three-layered: Directive 2014/53/EU (RED) covers radio spectrum access, electromagnetic compatibility, and safety. Delegated Regulation (EU) 2022/30 added cybersecurity requirements under RED Article 3(3)(d)(e)(f) for internet-connected radio equipment. Regulation (EU) 2024/2847 (CRA) covers cybersecurity for all products with digital elements, including radio equipment. Recital 30 of the CRA explicitly states that the CRA's essential cybersecurity requirements "include all the elements of the essential requirements referred to in Article 3(3), points (d), (e) and (f), of Directive 2014/53/EU." The CRA does not replace the RED — it absorbs the cybersecurity layer and adds Article 31 technical documentation, Article 14 vulnerability notification, and Article 13 manufacturer obligations. CRACheck generates the CRA documentation. €149. 15–25 minutes. 8 PDFs.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
If your product is radio equipment under Directive 2014/53/EU and also a product with digital elements under Regulation (EU) 2024/2847, you need RED conformity for radio/EMC/safety AND CRA documentation for cybersecurity. CRACheck covers the CRA layer.
Recital 30 of the CRA states that the CRA includes all elements of RED Article 3(3)(d)(e)(f). But the CRA adds significantly more: Article 31 technical documentation (Annex VII), Article 14 vulnerability notification to ENISA, Article 13 manufacturer obligations including risk assessment, and Annex I Part II vulnerability handling requirements. RED does not require an SBOM, a CVD policy, or ENISA notifications.
Annex III Class I category 12 lists "routers, modems intended for the connection to the internet, and switches." If your radio equipment is a router or internet-connected modem, it is Important Class I, not Default. The classification determines whether Module A self-assessment is available (only if harmonised standards are applied in full under Article 32(2)).
Article 13(4) of the CRA states that for products subject to other Union legal acts requiring technical documentation, "the cybersecurity risk assessment may be part of the risk assessment required by those Union legal acts." Article 31(3) allows a single technical documentation set. The two files can coexist in one document, reducing duplication.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Classification under CRA Annex III (many radio equipment products fall under Class I category 10 or 12). Documents the dual RED + CRA applicability.
CRA Annex VII file. Can reference the existing RED technical file for shared elements. Adds cybersecurity-specific content: system architecture, SBOM, CVD policy, vulnerability handling.
CRA cybersecurity risk assessment per Article 13(2)–(3). Complementary to — not a replacement for — any RED-specific risk analysis.
Annex II sheet. Includes support period, vulnerability reporting contact, and security instructions for firmware updates.
CRA Declaration per Article 28 + Annex V. Article 28(3) allows combining CRA and RED declarations in a single document, but both regulations must be cited.
Required by Annex I Part II point (5). Not required by the RED.
ENISA notification per Article 14. Not required by the RED.
CRA dates (11 Sept 2026 for Article 14, 11 Dec 2027 for full enforcement) alongside RED timeline.
See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.
Generated from your data, in your browser. No data leaves your device.