CRA Baby Monitor Connected Toy China EU

Key numbers

Class I

Baby monitors (Annex III.17) and connected toys with speaking/filming/tracking (Annex III.18).

Child safety

A vulnerability in a baby monitor = unauthorized audio/video access to a child. Maximum regulatory scrutiny.

€149

Per product model. Class I documentation for notified body review.

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Classify

Baby monitor = Class I (Annex III.17). Connected toy with speaking/filming/tracking = Class I (Annex III.18). Connected toy without these features = Default.

Document the data exposure

Camera resolution, microphone sensitivity, WiFi/Bluetooth connectivity, cloud storage, parent app data flow, user authentication.

Generate CRA dossier

CRACheck structures the 8 documents from your product specifications. 15-25 minutes.

Engage notified body

Class I without harmonised standards requires Module B+C or Module H under Art. 32.2.

Verify Toy Safety Directive compliance

Connected toys must comply with both Directive 2009/48/EC and Regulation (EU) 2024/2847. CRA documentation is separate.

Deliver to EU retailers

Include CRA documentation in the product compliance file. Major toy retailers will require it.

Common mistakes

❌

ANNEX III.18

"Our toy just plays music via Bluetooth — it is not a connected toy under CRA"

Annex III point 18 covers internet-connected toys with social interactive features (speaking, filming) or location tracking. A Bluetooth-only toy that plays pre-loaded music without internet connectivity may not fall under this point. But if the toy connects to the internet via a parent's phone, has a microphone that records speech or has GPS tracking, it is Class I.

❌

ANNEX I, PART I, 1(d)

"The baby monitor streams to the parent's phone — it is private by design"

Annex I Part I point 1(d) requires secure by default configuration. If your baby monitor is accessible without authentication during initial setup, uses universal default credentials or streams video over unencrypted channels, it is not secure by default.

❌

ART. 14

"We have never had a security incident — vulnerability reporting is not relevant"

Article 14 requires reporting of actively exploited vulnerabilities to ENISA within 24 hours. The absence of past incidents does not exempt you. The reporting mechanism must be in place from 11 September 2026. For baby monitors, a vulnerability disclosure can become international news overnight.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Class I confirmation per Annex III points 17 (baby monitors) or 18 (connected toys).

Technical Documentation

Art. 31 + Annex VII. Covers audio/video streaming architecture, encryption, access control, cloud storage.

Risk Assessment

Art. 13.2-13.3. Unauthorized camera access, audio interception, child tracking by unauthorized parties.

User Information

Annex II. Parental controls, credential management, camera/microphone status indicators, secure disposal.

Declaration of Conformity

Art. 28 + Annex V.

CVD Policy

Critical — vulnerabilities in baby monitors generate media attention. Clear reporting channel required.

Notification Template

Art. 14 ENISA notification pre-structured for child-safety incidents.

Obligations Calendar

CRA dates with child product surveillance milestones.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 CHILD PRODUCT SAFETY CONSULTANCY + CRA

€10,000–€25,000

Per product. 4-8 months. Toy Safety + CRA combined.

✓ CRACHECK

€149

8 CRA documents. 15 min. Toy Safety Directive compliance handled separately. Pack 10: €99/product.

Two layers

● LAYER 1

What CRACheck does

Generates Annex VII documentation for your baby monitor or connected toy. Covers camera/microphone security, data encryption, parental access control and vulnerability handling.

∅ LAYER 2

What CRACheck does NOT do

CRACheck does not assess compliance with the Toy Safety Directive (2009/48/EC), perform physical safety testing or assess GDPR compliance for children's data. CRA covers cybersecurity. Toy safety and data protection are separate obligations.

We document cybersecurity. You handle toy safety separately.

Enforcement regime

Article 64 of Regulation (EU) 2024/2847.

🔴

Non-compliance with Annex I + Art. 13/14 (Art. 64(2))

€15,000,000 / 2.5%

Art. 64.2.

🟠

Non-compliance with Art. 31, Art. 28, Art. 32 (Art. 64(3))

€10,000,000 / 2%

Art. 64.3.

🟡

Incorrect or misleading information (Art. 64(4))

€5,000,000 / 1%

Art. 64.4.

Alternatives

Criterion	Child product safety consultancy	Assume Toy Safety certification covers CRA	Wait for market surveillance action	CRACheck
Cost	€10,000–€25,000	€0	€0 now	€149
Result	CRA + Toy Safety. 4-8 months.	Toy Safety Directive does not cover cybersecurity. Separate obligation.	Baby monitor vulnerabilities generate immediate media and regulatory response.	8 CRA docs. 15 min. Class I documentation. Child-safety context.

You manufacture baby monitors and connected toys across multiple models?

Video monitor, audio monitor, connected doll, GPS tracker — each model needs its own CRA dossier. Volume pricing: €99/product (10-pack), €79/product (30-pack).

Request Volume Pricing

Response within one business day.

What CRACheck guarantees and what it does not

CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, completeness and truthfulness of that information is your responsibility as the manufacturer.

We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case or by a commercial buyer in a procurement process.

CRACheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.

Frequently asked questions

Are all baby monitors Class I?

Annex III point 17 lists "baby monitoring systems" as Class I. This includes video baby monitors, audio baby monitors with WiFi connectivity and smart baby monitors with sensor pads. A standalone audio monitor without internet connectivity may not be a product with digital elements at all.

Does a connected toy without a camera or microphone fall under Annex III.18?

Annex III point 18 specifies "social interactive features (e.g. speaking or filming) or location tracking features." A connected toy that only plays pre-programmed content without voice interaction, camera or GPS is not covered by this point. It may still be a Default product if it has a data connection.

What if a security researcher finds a vulnerability and goes public?

Article 15 addresses voluntary reporting. Article 14 covers your obligation to report actively exploited vulnerabilities. Your CVD policy (Doc 6) establishes the channel for responsible disclosure. If a researcher goes public before you patch, you must still report to ENISA.

Does the CRA require camera activity indicators (LED)?

Annex I Part I point 1(h) requires security-relevant event logging. A camera activity LED is best practice but not explicitly mandated. Annex II requires informing users about security features — if your monitor has a camera LED, document it.

Is this a subscription?

No. One-time payment. 30 days editing, 10 regenerations. PDF yours permanently.

Can I request a refund?

Pursuant to Art. 16(m) of Directive (EU) 2011/83, licence activation constitutes express consent. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate at no additional cost during licence validity.

Official legal sources

Regulation (EU) 2024/2847 — Cyber Resilience Act — full text

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.