
You manufacture WiFi, Bluetooth, and Zigbee modules in Taiwan that end up inside consumer and industrial products sold across the European Union. Under Regulation (EU) 2024/2847, your module is a product with digital elements — it contains firmware, processes data, and establishes network connections. Article 3(1) makes no distinction between a final product and a component placed on the market separately. CRACheck documents it.

Wireless modules sit at the centre of the CRA's supply chain model. Your module contains firmware, implements authentication and encryption protocols, and connects to networks — that places it within Article 2(1). Physical and virtual network interfaces are listed as Important Class I in Annex III (item 10). Routers, modems, and switches are Class I (item 12). If your module functions as a network interface or routing component, it faces the corresponding conformity assessment obligations. CRACheck classifies your module, maps its security features to Annex I, and generates the 8-document dossier. €149 per module family. 15–25 minutes. Browser-side processing.


Regulation (EU) 2024/2847 · Art. 31 + Annex VII · Annex III Class I · 8 documents · 100% browser-side

Key numbers

Annex III: Network interfaces are Class I (item 10)
Art. 3(1): Components placed on market separately are in scope
€149: Per module family, one-time payment

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

1. Classify your module: CRACheck evaluates whether it qualifies as a network interface (Annex III item 10), router/switch component (item 12), or Default product
2. Enter module specifications: Wireless protocol stack, firmware version, security features (WPA3, BLE pairing, Zigbee trust centre)
3. Document firmware development process: Secure coding, code signing, OTA update capability, regression testing
4. Map Annex I cybersecurity requirements: Authentication, encryption, data minimisation, secure defaults, factory reset
5. Complete vulnerability handling: Module-level PSIRT, CVE coordination with integrator customers, firmware patch distribution
6. Generate the 8-document dossier: Classified and structured for your module's Annex III position
7. Distribute to OEM customers: The dossier supports their own Annex VII technical file as component-level evidence

Common mistakes

RED OVERLAP CONFUSION

"We already comply with the Radio Equipment Directive — the CRA adds nothing"

The RED (Directive 2014/53/EU) and the CRA (Regulation (EU) 2024/2847) are separate legal instruments. The RED's delegated acts on cybersecurity (Article 3(3)(d)(e)(f)) address specific radio equipment risks. The CRA's essential requirements (Annex I) are broader, covering vulnerability handling, secure updates, data protection, and documentation. RED compliance does not satisfy CRA documentation obligations under Art. 31 + Annex VII.

COMPONENT EXEMPTION MYTH

"We sell modules B2B, not to consumers — the CRA does not apply"

Article 2(1) applies to products with digital elements made available on the EU market. "Made available" includes B2B transactions. A module sold to an OEM customer for integration is placed on the market. The CRA does not distinguish between B2C and B2B channels for scope.

INTEGRATOR RESPONSIBILITY

"Our OEM customer is the manufacturer — documentation is their problem"

If you market the module under your own brand and sell it as a separate product to integrators, you are the manufacturer under Article 3(13). Your OEM customer is the manufacturer of the final product, with separate obligations. Both carry documentation duties. Your customer's compliance does not substitute for yours on the module.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier: Determines if your module is Default, Important Class I (Annex III item 10 or 12), or another category. Critical for OEM customers who need the component's classification for their conformity assessment.

2. Technical Documentation: Art. 31 + Annex VII dossier for the module: wireless stack architecture, firmware, security protocols, manufacturing quality controls.

3. Risk Assessment: Annex I Part I risk analysis for wireless modules: protocol-level attacks (deauthentication, MITM, replay), firmware injection, key compromise, side-channel leakage.

4. User Information: Annex II integrator documentation: secure integration checklist, antenna requirements, firmware update channel, security defaults, end-of-support date.

5. Declaration of Conformity: Art. 28 + Annex V. Sits alongside your RED Declaration.

6. CVD Policy: Module-level vulnerability disclosure framework: how integrators and researchers report vulnerabilities, acknowledgement timelines, patch distribution.

7. Notification Template: Art. 14 ENISA notification for module vulnerabilities. Includes impact assessment template for downstream products. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

8. Obligations Calendar: Enforcement dates, firmware support period, patch cycle milestones.

Look before you buy: download the sample dossier (PDF, fictitious company). Real structure, real articles, real format. Fictitious data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 EU REGULATORY CONSULTANT FOR WIRELESS MODULES
€8,000–€18,000
4–10 weeks. Requires sharing firmware binaries and RF design. RED and CRA often scoped separately — double cost.
Last regulatory check: 1 May 2026 · No substantive changes detected