
Annex I Part II point 8 of Regulation (EU) 2024/2847 requires manufacturers to ensure that security updates are provided without delay and, where technically feasible, through automatic mechanisms with a user opt-out. Annex VII point 2(b) requires the technical documentation to describe "the technical solutions chosen for the secure distribution of updates." Your OTA architecture is not just engineering — it is a regulatory obligation. CRACheck documents it.

Many Chinese IoT manufacturers have OTA capability but have never documented it for regulatory purposes. The CRA changes this. Annex I Part II establishes detailed requirements: provide updates without delay (point 8), ensure the update mechanism is secure against manipulation, separate security updates from functionality updates where possible (point 8), and communicate updates to users (Annex II). Annex VII point 2(b) requires the documentation to describe the secure distribution of updates. CRACheck generates 8 PDF documents that include your OTA architecture documentation. 15-25 minutes. €149. Browser-side.


€149 one-time · 8-document ZIP · 15-25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side

Key numbers

Annex I.II.8: Security updates without delay. Automatic where technically feasible. User opt-out for automatic updates.
Annex VII.2(b): Documentation must describe the technical solutions for secure distribution of updates.
€149: CRACheck documents your OTA architecture as part of the 8-document Annex VII dossier.

How to document your OTA architecture for CRA compliance

Document what you have. Fix what you need to fix. CRACheck handles the documentation.

1. Map your current OTA process. How updates are built, signed, distributed, verified and applied. HTTP/HTTPS, MQTT, CoAP, proprietary. Signed vs. unsigned. Delta vs. full image.
2. Assess against CRA requirements. Secure distribution (Annex VII.2(b)): is the update channel authenticated and encrypted? Automatic updates (Annex I.II.8): does your device support automatic security updates? Separation (Annex I.II.8): can you deliver security patches separately from feature updates?
3. Document in CRACheck. The OTA architecture is captured in Doc 2 (Technical Documentation) under Annex VII point 2(b) and in Doc 3 (Risk Assessment) under firmware integrity risks.
4. Generate the full dossier. CRACheck structures the OTA documentation within the 8-document package. 15-25 minutes.
5. Implement any gaps. If your OTA does not meet CRA requirements (e.g., unsigned updates, no automatic mechanism), fix the architecture first, then document.


OTA documentation mistakes

ANNEX I.II.8

We provide firmware updates on our website — users download manually

Annex I Part II point 8 requires that, where technically feasible, security updates are provided through automatic mechanisms with user opt-out. A manual download from a website is not an automatic mechanism. If your product has network connectivity (WiFi, LTE, Ethernet), automatic OTA is technically feasible. Document your automatic update capability.

ANNEX VII.2(b)

Our OTA works — we do not need to document how

Annex VII point 2(b) explicitly requires description of "the technical solutions chosen for the secure distribution of updates." Having OTA capability is not enough. The documentation must describe: how updates are signed, how the device verifies authenticity, how the update channel is secured, how rollback is handled. The how, not just the that.

ANNEX I.I.1(a)

We send updates over HTTP — HTTPS is not necessary for firmware

Annex I Part I point 1(a) requires protection against unauthorized access. Firmware distributed over unencrypted HTTP can be intercepted and modified in transit (man-in-the-middle). The update mechanism must ensure integrity and authenticity of the update package. HTTPS, signed firmware images and certificate pinning are standard approaches.
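
An added example (not CRACheck's own code or output) that turns the step 2 questions and the three mistakes above into a gap list for one product. The `OtaProfile` fields, the transport labels and the topic names are assumptions made for this sketch.

```python
from dataclasses import dataclass, field

# Channel types treated as encrypted and authenticated (labels assumed for this sketch).
SECURE_TRANSPORTS = {"https", "mqtts", "coaps"}
# The four "how" items the update documentation has to describe.
DOC_TOPICS = ("signing", "device_verification", "channel_security", "rollback")

@dataclass
class OtaProfile:
    """Hypothetical record of one product's OTA process (output of step 1)."""
    transport: str
    images_signed: bool
    device_verifies_signature: bool
    network_connected: bool          # WiFi, LTE or Ethernet
    automatic_updates: bool
    user_opt_out: bool
    security_patches_separable: bool
    documented_topics: set = field(default_factory=set)

def assess(p: OtaProfile) -> list:
    """Return (annex_reference, finding) pairs, one per gap."""
    gaps = []
    if p.transport.lower() not in SECURE_TRANSPORTS:
        gaps.append(("Annex I.I.1(a)", f"channel '{p.transport}' is not encrypted and authenticated"))
    if not (p.images_signed and p.device_verifies_signature):
        gaps.append(("Annex I.I.1(a)", "update package integrity/authenticity is not verified on the device"))
    # Network connectivity is what makes automatic delivery technically feasible.
    if p.network_connected and not p.automatic_updates:
        gaps.append(("Annex I.II.8", "no automatic security updates although the device is networked"))
    if p.automatic_updates and not p.user_opt_out:
        gaps.append(("Annex I.II.8", "automatic updates offer no user opt-out"))
    if not p.security_patches_separable:
        gaps.append(("Annex I.II.8", "security patches cannot ship separately from feature updates"))
    missing = [t for t in DOC_TOPICS if t not in p.documented_topics]
    if missing:
        gaps.append(("Annex VII.2(b)", "undocumented: " + ", ".join(missing)))
    return gaps

# Constructed sample profiles: manual HTTP download versus signed automatic OTA.
LEGACY = OtaProfile("http", False, False, True, False, False, False)
HARDENED = OtaProfile("https", True, True, True, True, True, True, set(DOC_TOPICS))

if __name__ == "__main__":
    for ref, finding in assess(LEGACY):
        print(f"{ref}: {finding}")
    print("hardened gaps:", assess(HARDENED))
```

The legacy profile yields one finding per gap, each tagged with the annex point the page cites for it; the hardened profile yields none.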

What each CRACheck dossier contains: 8 documents

The OTA architecture is documented across multiple CRA documents. CRACheck generates 8 PDFs with consistent OTA documentation throughout.

1. Product Classifier: Determines product category per Annex III. Defines conformity assessment route under Art. 32.
2. Technical Documentation: Complete technical documentation structured per Art. 31 and Annex VII. All 8 mandatory sections.
3. Risk Assessment: Cybersecurity risk assessment per Art. 13.2 and Art. 13.3. Mapped against Annex I Part I requirements.
4. User Information: Information and instructions per Annex II. Security properties, support period, vulnerability reporting.
5. Declaration of Conformity: EU declaration of conformity per Art. 28 and Annex V.
6. CVD Policy: Coordinated Vulnerability Disclosure policy per Annex I Part II.
7. ENISA Notification Template: Pre-structured for 24h early warning, 72h notification, 14-day final report under Art. 14.
8. Obligations Calendar: Key dates: Art. 14 from 11 Sep 2026, full enforcement 11 Dec 2027, support period per Art. 13.8.

Look before you buy: download a sample dossier (PDF, fictitious company). Real structure, real articles, real format. Fictitious data.

Generated in your browser. No product data is transmitted to any server.

What you pay for OTA documentation

🧾 OTA SECURITY AUDIT + CRA DOCUMENTATION
€10,000–€25,000
Per product platform. OTA architecture review + documentation. 2-4 months.
Last regulatory check: 1 May 2026 · No substantive changes detected