
Annex I Part II point 8 of Regulation (EU) 2024/2847 requires manufacturers to ensure that security updates are provided without delay and, where technically feasible, through automatic mechanisms with a user opt-out. Annex VII point 2(b) requires the technical documentation to describe "the technical solutions chosen for the secure distribution of updates." Your OTA architecture is not just engineering — it is a regulatory obligation. CRACheck documents it.

Many Chinese IoT manufacturers have OTA capability but have never documented it for regulatory purposes. The CRA changes this. Annex I Part II establishes detailed requirements: provide updates without delay (point 8), ensure the update mechanism is secure against manipulation, separate security updates from functionality updates where possible (point 8), and communicate updates to users (Annex II). Annex VII point 2(b) requires the documentation to describe the secure distribution of updates. CRACheck generates 8 PDF documents that include your OTA architecture documentation. 15-25 minutes. €149. Browser-side.

€149 one-time · 8-document ZIP · 15-25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side

Key numbers

Annex I.II.8
Security updates without delay. Automatic where technically feasible. User opt-out for automatic updates.
Annex VII.2(b)
Documentation must describe the technical solutions for secure distribution of updates.
€149
CRACheck documents your OTA architecture as part of the 8-document Annex VII dossier.

How to document your OTA architecture for CRA compliance

Document what you have. Fix what you need to fix. CRACheck handles the documentation.

1. Map your current OTA process
How updates are built, signed, distributed, verified and applied. HTTP/HTTPS, MQTT, CoAP, proprietary. Signed vs. unsigned. Delta vs. full image.
2. Assess against CRA requirements
Secure distribution (Annex VII.2(b)): is the update channel authenticated and encrypted? Automatic updates (Annex I.II.8): does your device support automatic security updates? Separation (Annex I.II.8): can you deliver security patches separately from feature updates?
3. Document in CRACheck
The OTA architecture is captured in Doc 2 (Technical Documentation) under Annex VII point 2(b) and in Doc 3 (Risk Assessment) under firmware integrity risks.
4. Generate the full dossier
CRACheck structures the OTA documentation within the 8-document package. 15-25 minutes.
5. Implement any gaps
If your OTA does not meet CRA requirements (e.g., unsigned updates, no automatic mechanism), fix the architecture first, then document.

OTA documentation mistakes

ANNEX I.II.8

We provide firmware updates on our website — users download manually

Annex I Part II point 8 requires that, where technically feasible, security updates are provided through automatic mechanisms with user opt-out. A manual download from a website is not an automatic mechanism. If your product has network connectivity (WiFi, LTE, Ethernet), automatic OTA is technically feasible. Document your automatic update capability.

ANNEX VII.2(b)

Our OTA works — we do not need to document how

Annex VII point 2(b) explicitly requires description of "the technical solutions chosen for the secure distribution of updates." Having OTA capability is not enough. The documentation must describe: how updates are signed, how the device verifies authenticity, how the update channel is secured, how rollback is handled. The how, not just the that.

ANNEX I.I.1(a)

We send updates over HTTP — HTTPS is not necessary for firmware

Annex I Part I point 1(a) requires protection against unauthorized access. Firmware distributed over unencrypted HTTP can be intercepted and modified in transit (man-in-the-middle). The update mechanism must ensure integrity and authenticity of the update package. HTTPS, signed firmware images and certificate pinning are standard approaches.
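The signing, verification and rollback handling that the items above say the documentation must describe, sketched as device-side logic. This is an added example, not CRACheck output or code from any product; the manifest fields, key and function names are assumptions, and HMAC-SHA256 stands in for an asymmetric signature so that it runs on the Python standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC-SHA256 stands in for an asymmetric signature
# (e.g. Ed25519) so this runs on the standard library; a real device would
# store only a public verification key, never the signing secret.
DEMO_KEY = b"constructed-demo-key"

def sign_manifest(manifest, key=DEMO_KEY):
    """Build side: authenticate the canonical JSON form of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def check_update(manifest, tag, image, installed, auto_updates, key=DEMO_KEY):
    """Device side: return (decision, reason) for a downloaded update."""
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return ("reject", "manifest authentication failed")
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return ("reject", "image digest mismatch")
    # Anti-rollback: an authentic but older image must not be installed.
    if tuple(manifest["version"]) <= tuple(installed):
        return ("reject", "version not newer than installed")
    # Security updates install automatically unless the user opted out;
    # feature updates always wait for the user.
    if manifest["kind"] == "security" and auto_updates:
        return ("install", "automatic security update")
    return ("ask_user", "feature update or automatic updates disabled")

# Constructed sample input (hypothetical product and field names).
IMAGE = b"constructed firmware image 1.4.2"
MANIFEST = {
    "product": "demo-device",
    "version": [1, 4, 2],
    "kind": "security",
    "sha256": hashlib.sha256(IMAGE).hexdigest(),
}
TAG = sign_manifest(MANIFEST)

if __name__ == "__main__":
    print(check_update(MANIFEST, TAG, IMAGE, [1, 4, 1], True))
    print(check_update(MANIFEST, TAG, IMAGE + b"x", [1, 4, 1], True))
    print(check_update(MANIFEST, TAG, IMAGE, [1, 4, 2], True))
    print(check_update(MANIFEST, TAG, IMAGE, [1, 4, 1], False))
```

Each rejection reason corresponds to one thing the documentation has to explain: how the manifest is authenticated, how the image is bound to it, and how an older but validly signed image is refused.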

What each CRACheck dossier contains: 8 documents

The OTA architecture is documented across multiple CRA documents. CRACheck generates 8 PDFs with consistent OTA documentation throughout.

1. Product Classifier
Determines product category per Annex III. Defines conformity assessment route under Art. 32.

2. Technical Documentation
Complete technical documentation structured per Art. 31 and Annex VII. All 8 mandatory sections.

3. Risk Assessment
Cybersecurity risk assessment per Art. 13.2 and Art. 13.3. Mapped against Annex I Part I requirements.

4. User Information
Information and instructions per Annex II. Security properties, support period, vulnerability reporting.

5. Declaration of Conformity
EU declaration of conformity per Art. 28 and Annex V.

6. CVD Policy
Coordinated Vulnerability Disclosure policy per Annex I Part II.

7. ENISA Notification Template
Pre-structured for 24h early warning, 72h notification, 14-day final report under Art. 14.

8. Obligations Calendar
Key dates: Art. 14 from 11 Sep 2026, full enforcement 11 Dec 2027, support period per Art. 13.8.

Look before you buy — Download sample dossier (PDF, fictitious company) — Real structure, real articles, real format. Fictitious data.

Generated in your browser. No product data is transmitted to any server.

What you pay for OTA documentation

🧾 OTA SECURITY AUDIT + CRA DOCUMENTATION
€10,000–€25,000
Per product platform. OTA architecture review + documentation. 2-4 months.
✓ CRACHECK
€149
8 documents including OTA documentation. 15 min. OTA security audit separate.

Documentation vs. implementation

● LAYER 1

What CRACheck does

Documents your OTA architecture within the Annex VII Technical Documentation. Covers signing, distribution, verification, rollback and automatic update capability.

∅ LAYER 2

What CRACheck does NOT do

CRACheck does not audit your OTA implementation, test firmware signing or verify update channel encryption. If your OTA has security gaps, the documentation will not hide them. Fix the implementation, then document it.

We document the architecture. You secure the implementation.

CRA penalty regime — Article 64 of Regulation (EU) 2024/2847

Article 64 establishes three tiers of administrative fines. Penalties are calculated per undertaking — but non-compliance on a single product can trigger inspection of your entire portfolio.

Non-compliance with essential cybersecurity requirements (Annex I) and Art. 13/14 obligations
€15M / 2.5%

Art. 64.2. Up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher.

Non-compliance with technical documentation (Art. 31), authorised representative (Art. 18), conformity assessment (Art. 32)
€10M / 2%

Art. 64.3. Up to €10 million or 2% of total worldwide annual turnover, whichever is higher. Includes failure to produce Annex VII documentation.

Supply of incorrect, incomplete or misleading information to authorities
€5M / 1%

Art. 64.4. Up to €5 million or 1% of total worldwide annual turnover, whichever is higher.

Art. 64.5 accounts for the nature, gravity and duration of the infringement, and gives consideration to microenterprises, small and medium-sized enterprises, including start-ups.

Alternatives

| Alternative | Cost | What you get |
|---|---|---|
| OTA security audit + documentation | €10,000–€25,000 | Audit + docs. 2-4 months. |
| Document "OTA available" without details | €0 | Insufficient. Annex VII.2(b) requires technical detail. |
| No OTA capability | €0 | Non-compliant with Annex I.II.8 if automatic updates are technically feasible. |
| CRACheck | €149 | 8 docs with detailed OTA documentation. 15 min. |

Multiple product platforms sharing the same OTA architecture?

If products share the same OTA infrastructure, the OTA documentation sections overlap. Each product still needs its own Annex VII dossier. Volume pricing: €99/product (10-pack), €79/product (30-pack).

Request volume pricing
Response within one business day.

What CRACheck guarantees and what it does not

CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, completeness and truthfulness of that information is your responsibility as the manufacturer.

We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct as of the last verification date. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case or by a commercial buyer in a procurement process.

CRACheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.

Frequently asked questions

Must security updates be free during the support period?
Annex I Part II point 8 requires security updates to be provided "free of charge" during the support period. You cannot charge for security patches. Feature updates may be charged separately, but security patches must be free.
Can users opt out of automatic updates?
Annex I Part II point 8 specifies automatic updates "with an opt-out mechanism." Users must be able to disable automatic updates. However, if they opt out, the product may become vulnerable. Document the opt-out mechanism and inform users of the consequences per Annex II.
Must security updates be separate from feature updates?
Annex I Part II point 8 states that security updates should be provided "separately from functionality updates where technically feasible." If your OTA platform can deliver security-only patches, do so. If combined updates are the only option, document why separation is not technically feasible.
Does the CRA require signed firmware?
Annex I Part I point 1(a) requires protection against unauthorized access, which includes protection of firmware integrity. Unsigned firmware can be modified by an attacker. While the CRA does not mandate a specific signing mechanism, firmware signing is the industry-standard approach to meeting this requirement. Document your signing mechanism in Annex VII.
Is this a subscription?
No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours to keep.
Can I request a refund?
Pursuant to Art. 16(m) of Directive (EU) 2011/83 on consumer rights, by activating the licence you give express consent for the immediate generation of the digital content, waiving the 14-day withdrawal period. Refunds are accepted only for reproducible technical failures.
What if the regulation changes?
If the regulation changes during the validity of your licence, you can regenerate the document with the updated version of the generator at no additional cost.
⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

Your OTA architecture is a regulatory obligation, not just engineering. Document it — 15 minutes, €149.

€149 one-time payment
8 professional documents · 15-25 minutes · No subscription · 100% in your browser
✓ Last regulatory check: 1 May 2026 · No substantive changes detected