Reg (EU) 2024/2847Generate dossier — €149
LIVE — Enforcement tracker · Deadline dashboard · Transposition status — Updated weekly from EUR-Lex, Safety Gate, OEIL & 12 official sourcesView regulatory intelligence →

Your drone connects to a controller via radio link, streams video over WiFi, logs flight data to the cloud and receives firmware updates over the air. It is a product with digital elements under Article 2.1 of Regulation (EU) 2024/2847. The EU drone regulation covers airworthiness and operations. The CRA covers cybersecurity. They are separate obligations. CRACheck generates the Annex VII technical documentation.

European agricultural companies, surveying firms and public safety agencies are adding CRA compliance clauses to drone procurement RFPs. A drone that cannot demonstrate cybersecurity documentation under Annex VII will not win tenders after 11 December 2027. Most consumer and commercial drones are Default products — not listed in Annex III — eligible for Module A self-assessment. Drones marketed for security surveillance may fall under Annex III point 17 (security cameras) as Class I. CRACheck generates 8 PDF documents per Article 31 and Annex VII. 15-25 minutes. €149 per drone model. Browser-side.

Generate CRA dossier — €149Free: check your product classification

€149 one-time · 8-document ZIP · 15-25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side

Key numbers

Art. 2.1
Drones with data connections are products with digital elements. CRA applies regardless of EU drone regulation.
Default / Class I
Consumer drone = typically Default. Security surveillance drone = may be Class I (Annex III.17).
€149
Per drone model. 8 documents. 15 minutes. Covers radio link, video, GPS, OTA, companion app.

CRA compliance for a Chinese drone manufacturer exporting to Europe

The EU drone regulation covers the sky. The CRA covers the firmware. Document both.

1
Classify your drone
Consumer photography drone: typically Default. Commercial mapping drone: typically Default. Drone marketed for security surveillance: may be Class I under Annex III point 17. Use the CRACheck classifier.
2
Map the digital attack surface
Controller radio link, WiFi video stream, GPS module, companion app, cloud flight logs, OTA firmware updates, SD card data, geofencing database.
3
Generate Annex VII documentation
Enter your drone's cybersecurity specifications into CRACheck. 15-25 minutes.
4
Integrate with EU drone regulation dossier
Your drone already has documentation for Regulation (EU) 2019/947 and Delegated Regulation (EU) 2019/945. The CRA documentation is an additional layer. Art. 31.3 allows a single technical documentation set.
5
Deliver to EU channels
Distributors, agricultural cooperatives, surveying firms and Amazon receive the compliance package.

The EU drone regulation covers the sky. The CRA covers the firmware. Document both.

Drone CRA mistakes

ART. 2.5

EU drone regulation already covers our drone — CRA does not apply

Regulation (EU) 2019/947 and Delegated Regulation (EU) 2019/945 cover airworthiness, operations and operator obligations. Regulation (EU) 2024/2847 covers cybersecurity. Article 2.5 allows the Commission to limit CRA application where sectoral rules achieve the same level of cybersecurity protection — but no such delegated act has been adopted for drones as of this date. Until it is, both apply.

ANNEX I, PART I, 1(a)

Our drone's radio link is proprietary — it cannot be hacked

Annex I Part I point 1(a) of Regulation (EU) 2024/2847 requires protection against unauthorized access. A proprietary radio protocol does not equal security — security through obscurity is not a defense recognised by the CRA. The documentation must describe the authentication and encryption mechanisms of the radio link, not rely on protocol obscurity.

ART. 14

A drone firmware vulnerability is not a cybersecurity incident — it is a product defect

Article 14 of Regulation (EU) 2024/2847 covers actively exploited vulnerabilities and severe incidents impacting product security. If a vulnerability in your drone firmware allows unauthorized takeover, GPS spoofing or data exfiltration, it is a cybersecurity incident under Art. 14. The 24h/72h/14d reporting timeline applies from 11 September 2026.

What each CRACheck dossier contains: 8 documents

Drones combine multiple digital systems: radio, video, GPS, cloud, firmware. CRACheck generates 8 documents covering the full cybersecurity surface.

1

Product Classifier

Determines product category per Annex III. Defines conformity assessment route under Art. 32.

2

Technical Documentation

Complete technical documentation structured per Art. 31 and Annex VII. All 8 mandatory sections.

3

Risk Assessment

Cybersecurity risk assessment per Art. 13.2 and Art. 13.3. Mapped against Annex I Part I requirements.

4

User Information

Information and instructions per Annex II. Security properties, support period, vulnerability reporting.

5

Declaration of Conformity

EU declaration of conformity per Art. 28 and Annex V.

6

CVD Policy

Coordinated Vulnerability Disclosure policy per Annex I Part II.

7

ENISA Notification Template

Pre-structured for 24h early warning, 72h notification, 14-day final report under Art. 14.

8

Obligations Calendar

Key dates: Art. 14 from 11 Sep 2026, full enforcement 11 Dec 2027, support period per Art. 13.8.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated in your browser. No product data is transmitted to any server.

What you pay for drone CRA documentation

🧾 EUROPEAN DRONE CERTIFICATION + CRA CONSULTANCY
€12,000–€25,000
Per drone platform. 4-8 months. Covers airworthiness + CRA.
✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history