CRA Drone Manufacturer China EU Compliance

Key numbers

Art. 2.1

Drones with data connections are products with digital elements. CRA applies regardless of EU drone regulation.

Default / Class I

Consumer drone = typically Default. Security surveillance drone = may be Class I (Annex III.17).

€149

Per drone model. 8 documents. 15 minutes. Covers radio link, video, GPS, OTA, companion app.

CRA compliance for a Chinese drone manufacturer exporting to Europe

The EU drone regulation covers the sky. The CRA covers the firmware. Document both.

Classify your drone

Consumer photography drone: typically Default. Commercial mapping drone: typically Default. Drone marketed for security surveillance: may be Class I under Annex III point 17. Use the CRACheck classifier.

Map the digital attack surface

Controller radio link, WiFi video stream, GPS module, companion app, cloud flight logs, OTA firmware updates, SD card data, geofencing database.

Generate Annex VII documentation

Enter your drone's cybersecurity specifications into CRACheck. 15-25 minutes.

Integrate with EU drone regulation dossier

Your drone already has documentation for Regulation (EU) 2019/947 and Delegated Regulation (EU) 2019/945. The CRA documentation is an additional layer. Art. 31.3 allows a single technical documentation set.

Deliver to EU channels

Distributors, agricultural cooperatives, surveying firms and Amazon receive the compliance package.

The EU drone regulation covers the sky. The CRA covers the firmware. Document both.

Drone CRA mistakes

❌

ART. 2.5

EU drone regulation already covers our drone — CRA does not apply

Regulation (EU) 2019/947 and Delegated Regulation (EU) 2019/945 cover airworthiness, operations and operator obligations. Regulation (EU) 2024/2847 covers cybersecurity. Article 2.5 allows the Commission to limit CRA application where sectoral rules achieve the same level of cybersecurity protection — but no such delegated act has been adopted for drones as of this date. Until it is, both apply.

❌

ANNEX I, PART I, 1(a)

Our drone's radio link is proprietary — it cannot be hacked

Annex I Part I point 1(a) of Regulation (EU) 2024/2847 requires protection against unauthorized access. A proprietary radio protocol does not equal security — security through obscurity is not a defense recognised by the CRA. The documentation must describe the authentication and encryption mechanisms of the radio link, not rely on protocol obscurity.

❌

ART. 14

A drone firmware vulnerability is not a cybersecurity incident — it is a product defect

Article 14 of Regulation (EU) 2024/2847 covers actively exploited vulnerabilities and severe incidents impacting product security. If a vulnerability in your drone firmware allows unauthorized takeover, GPS spoofing or data exfiltration, it is a cybersecurity incident under Art. 14. The 24h/72h/14d reporting timeline applies from 11 September 2026.

What each CRACheck dossier contains: 8 documents

Drones combine multiple digital systems: radio, video, GPS, cloud, firmware. CRACheck generates 8 documents covering the full cybersecurity surface.

Product Classifier

Determines product category per Annex III. Defines conformity assessment route under Art. 32.

Technical Documentation

Complete technical documentation structured per Art. 31 and Annex VII. All 8 mandatory sections.

Risk Assessment

Cybersecurity risk assessment per Art. 13.2 and Art. 13.3. Mapped against Annex I Part I requirements.

User Information

Information and instructions per Annex II. Security properties, support period, vulnerability reporting.

Declaration of Conformity

EU declaration of conformity per Art. 28 and Annex V.

CVD Policy

Coordinated Vulnerability Disclosure policy per Annex I Part II.

ENISA Notification Template

Pre-structured for 24h early warning, 72h notification, 14-day final report under Art. 14.

Obligations Calendar

Key dates: Art. 14 from 11 Sep 2026, full enforcement 11 Dec 2027, support period per Art. 13.8.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated in your browser. No product data is transmitted to any server.

What you pay for drone CRA documentation

🧾 EUROPEAN DRONE CERTIFICATION + CRA CONSULTANCY

€12,000–€25,000

Per drone platform. 4-8 months. Covers airworthiness + CRA.

✓ CRACHECK

€149

8 CRA documents. 15 min. Drone regulation compliance handled separately.

Cybersecurity documentation vs. airworthiness

● LAYER 1

What CRACheck does

Generates the Annex VII cybersecurity documentation for your drone. Covers all digital systems: radio, video, GPS, OTA, cloud, companion app.

∅ LAYER 2

What CRACheck does NOT do

CRACheck does not assess compliance with EU drone regulations (2019/947, 2019/945), perform flight safety testing or evaluate geofencing compliance. CRA covers cybersecurity. Drone airworthiness is separate.

We document cybersecurity. You handle airworthiness.

CRA penalty regime — Article 64 of Regulation (EU) 2024/2847

Article 64 establishes three tiers of administrative fines. Penalties are calculated per undertaking — but non-compliance on a single product can trigger inspection of your entire portfolio.

🇪🇺

Non-compliance with essential cybersecurity requirements (Annex I) and Art. 13/14 obligations

€15M / 2.5%

Art. 64.2. Up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher.

🇪🇺

Non-compliance with technical documentation (Art. 31), authorised representative (Art. 18), conformity assessment (Art. 32)

€10M / 2%

Art. 64.3. Up to €10 million or 2% of total worldwide annual turnover, whichever is higher. Includes failure to produce Annex VII documentation.

🇪🇺

Supply of incorrect, incomplete or misleading information to authorities

€5M / 1%

Art. 64.4. Up to €5 million or 1% of total worldwide annual turnover, whichever is higher.

Art. 64.5 accounts for the nature, gravity and duration of the infringement, and gives consideration to microenterprises, small and medium-sized enterprises, including start-ups.

Alternatives

Alternative	Cost	What you get
European drone + CRA consultancy	€12,000–€25,000	Combined. 4-8 months.
Assume drone regulation covers cybersecurity	€0	It does not. No delegated act excluding drones from CRA.
Document internally	Free + weeks	Complex attack surface. High risk of structural gaps.
CRACheck	€149	8 CRA docs. 15 min. Covers radio, video, GPS, OTA, app.

Your drone lineup spans consumer, commercial and agricultural models?

Each drone platform with different firmware, connectivity or digital capabilities needs its own CRA dossier. Volume pricing: €99/product (10-pack), €79/product (30-pack).

Request volume pricing

Response within one business day.

What CRACheck guarantees and what it does not

CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, completeness and truthfulness of that information is your responsibility as the manufacturer.

We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct as of the last verification date. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case or by a commercial buyer in a procurement process.

CRACheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.

Frequently asked questions

Is a consumer photography drone Default or Class I?

Consumer drones used for photography and recreation are not listed in Annex III. They are Default products eligible for Module A self-assessment. A drone explicitly marketed for security surveillance — perimeter monitoring, building inspection for security — may fall under Annex III point 17 as a product with security functionalities.

Does the CRA cover the drone's companion app and cloud platform?

Article 3(1) includes "remote data processing solutions" in the definition of product with digital elements. If your drone depends on a companion app and cloud platform for essential functionality (flight planning, firmware updates, flight log storage), these are part of the product and must be documented under Annex VII.

What support period for a consumer drone?

Consumers use drones for 3-5 years. Art. 13.8 requires a support period reflecting expected use. For drones, 3-5 years of firmware security updates is a reasonable range. Commercial/industrial drones may have longer expected lifetimes.

Our drone uses LTE connectivity via a SIM card — does that change anything?

No. LTE connectivity is a data connection under Art. 2.1. The CRA applies regardless of the connectivity technology: WiFi, Bluetooth, LTE, 5G, LoRa, proprietary radio. A drone with LTE is in scope. Document the LTE security measures (SIM authentication, data encryption) in the Technical Documentation.

Is this a subscription?

No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours to keep.

Can I request a refund?

Pursuant to Art. 16(m) of Directive (EU) 2011/83 on consumer rights, by activating the licence you give express consent for the immediate generation of the digital content, waiving the 14-day withdrawal period. Refunds are accepted only for reproducible technical failures.

What if the regulation changes?

If the regulation changes during the validity of your licence, you can regenerate the document with the updated version of the generator at no additional cost.

Official legal sources

Regulation (EU) 2024/2847 — Cyber Resilience Act — full text

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.