Are all baby monitors Class I?

Annex III point 17 lists "baby monitoring systems" as Class I. This includes video baby monitors, audio baby monitors with WiFi connectivity and smart baby monitors with sensor pads. A standalone audio monitor without internet connectivity may not be a product with digital elements at all.

Does a connected toy without a camera or microphone fall under Annex III.18?

Annex III point 18 specifies "social interactive features (e.g. speaking or filming) or location tracking features." A connected toy that only plays pre-programmed content without voice interaction, camera or GPS is not covered by this point. It may still be a Default product if it has a data connection.

What if a security researcher finds a vulnerability and goes public?

Article 15 addresses voluntary reporting. Article 14 covers your obligation to report actively exploited vulnerabilities. Your CVD policy (Doc 6) establishes the channel for responsible disclosure. If a researcher goes public before you patch, you must still report to ENISA.

Does the CRA require camera activity indicators (LED)?

Annex I Part I point 1(h) requires security-relevant event logging. A camera activity LED is best practice but not explicitly mandated. Annex II requires informing users about security features — if your monitor has a camera LED, document it.

Is this a subscription?

No. One-time payment. 30 days editing, 10 regenerations. PDF yours permanently.

Can I request a refund?

Pursuant to Art. 16(m) of Directive (EU) 2011/83, licence activation constitutes express consent. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate at no additional cost during licence validity.

Baby monitoring systems are Important Class I under Annex III point 17 of Regulation (EU) 2024/2847. Internet-connected toys with speaking or filming features are Class I under Annex III point 18. A cybersecurity vulnerability in a baby monitor means a stranger can watch and listen to a child. European retailers and market surveillance authorities treat this product category with maximum scrutiny. CRACheck generates the Annex VII technical documentation.

The RAPEX/Safety Gate database already records incidents involving connected baby monitors and toys with security vulnerabilities. Regulation (EU) 2024/2847 formalises the cybersecurity requirements. Annex III point 17 lists "baby monitoring systems" as Class I. Annex III point 18 lists internet-connected toys with social interactive features or location tracking as Class I. If your product falls in either category, conformity assessment by a notified body may be required under Art. 32.2. CRACheck generates 8 PDF documents per Annex VII. 15-25 minutes. €149. Browser-side.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

Class I

Baby monitors (Annex III.17) and connected toys with speaking/filming/tracking (Annex III.18).

Child safety

A vulnerability in a baby monitor = unauthorized audio/video access to a child. Maximum regulatory scrutiny.

€149

Per product model. Class I documentation for notified body review.

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Classify

Baby monitor = Class I (Annex III.17). Connected toy with speaking/filming/tracking = Class I (Annex III.18). Connected toy without these features = Default.

Document the data exposure

Camera resolution, microphone sensitivity, WiFi/Bluetooth connectivity, cloud storage, parent app data flow, user authentication.

Generate CRA dossier

CRACheck structures the 8 documents from your product specifications. 15-25 minutes.

Engage notified body

Class I without harmonised standards requires Module B+C or Module H under Art. 32.2.

Verify Toy Safety Directive compliance

Connected toys must comply with both Directive 2009/48/EC and Regulation (EU) 2024/2847. CRA documentation is separate.

Deliver to EU retailers

Include CRA documentation in the product compliance file. Major toy retailers will require it.

Common mistakes

❌

ANNEX III.18

"Our toy just plays music via Bluetooth — it is not a connected toy under CRA"

Annex III point 18 covers internet-connected toys with social interactive features (speaking, filming) or location tracking. A Bluetooth-only toy that plays pre-loaded music without internet connectivity may not fall under this point. But if the toy connects to the internet via a parent's phone, has a microphone that records speech or has GPS tracking, it is Class I.

❌

ANNEX I, PART I, 1(d)

"The baby monitor streams to the parent's phone — it is private by design"

Annex I Part I point 1(d) requires secure by default configuration. If your baby monitor is accessible without authentication during initial setup, uses universal default credentials or streams video over unencrypted channels, it is not secure by default.

❌

ART. 14

"We have never had a security incident — vulnerability reporting is not relevant"

Article 14 requires reporting of actively exploited vulnerabilities to ENISA within 24 hours. The absence of past incidents does not exempt you. The reporting mechanism must be in place from 11 September 2026. For baby monitors, a vulnerability disclosure can become international news overnight.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Class I confirmation per Annex III points 17 (baby monitors) or 18 (connected toys).

Technical Documentation

Art. 31 + Annex VII. Covers audio/video streaming architecture, encryption, access control, cloud storage.

Risk Assessment

Art. 13.2-13.3. Unauthorized camera access, audio interception, child tracking by unauthorized parties.

User Information

Annex II. Parental controls, credential management, camera/microphone status indicators, secure disposal.

Declaration of Conformity

Art. 28 + Annex V.

CVD Policy

Critical — vulnerabilities in baby monitors generate media attention. Clear reporting channel required.

Notification Template

Art. 14 ENISA notification pre-structured for child-safety incidents.

Obligations Calendar

CRA dates with child product surveillance milestones.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 CHILD PRODUCT SAFETY CONSULTANCY + CRA

€10,000–€25,000

Per product. 4-8 months. Toy Safety + CRA combined.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history