Annex III points 13-14 of Regulation (EU) 2024/2847 classify microprocessors and microcontrollers with security-related functionalities as Important Class I. Annex III point 15 adds ASICs and FPGAs with security-related functionalities. Annex IV point 3 classifies smartcards and secure elements as Critical products. Your semiconductor falls in one of these categories. The conformity assessment route depends on which one. CRACheck generates the Annex VII technical documentation that underpins every assessment route.

A microcontroller with secure boot and hardware cryptographic acceleration is not a generic chip — it is a security component that other manufacturers depend on for their product's cybersecurity. Regulation (EU) 2024/2847 recognises this by classifying security-relevant semiconductors in Annex III (Class I or II) and Annex IV (Critical). The classification determines the conformity assessment route: Class I with harmonised standards = Module A. Class I without = notified body (Module B+C or H). Class II = always notified body. Critical = certification under Art. 32.4. In every case, Article 31 and Annex VII require technical documentation. CRACheck generates 8 PDF documents. 15-25 minutes. €149 per component family. Browser-side.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15-25 minutes · Browser-side

Key numbers

Annex III.13-15

Microprocessors, MCUs and ASICs/FPGAs with security functions = Class I or Class II.

Annex IV.3

Smartcards and secure elements = Critical. Highest conformity assessment obligation.

€149

Per component family. Annex VII documentation for any assessment route.

CRA classification and documentation for security-relevant semiconductors

Your semiconductor is the root of trust for thousands of products. Its CRA documentation is the foundation of the supply chain's compliance.

Determine your classification

MCU with secure boot/crypto: Class I (Annex III.14). Tamper-resistant MCU: Class II (Annex III, Class II point 4). Secure element/smartcard: Critical (Annex IV.3). FPGA with security functions: Class I (Annex III.15).

Understand the conformity assessment route

Class I + harmonised standard = Module A. Class I without = Module B+C or H (notified body). Class II = always Module B+C or H. Critical = certification under Art. 32.4.

Generate Annex VII documentation

CRACheck generates 8 documents covering silicon security features, firmware, key management, side-channel resistance documentation. 15-25 minutes.

Submit to notified body or certification body

The documentation is the input. The assessment body reviews it.

Provide to OEM customers

Your chip customers need your CRA documentation for their Art. 13.5 due diligence on third-party components.

Your semiconductor is the root of trust for thousands of products. Its CRA documentation is the foundation of the supply chain's compliance.

Semiconductor CRA mistakes

❌

ANNEX III vs IV

All microcontrollers are Class I — there is no higher classification

Annex III Class II points 3-4 list tamper-resistant microprocessors and microcontrollers. Annex IV point 3 lists smartcards and secure elements as Critical. If your MCU is tamper-resistant (certified to CC EAL4+ or equivalent), it may be Class II. If it is a secure element, it is Critical. The classification depends on the product's security properties.

❌

ART. 32.4

We already have Common Criteria certification — that covers CRA

Common Criteria (ISO/IEC 15408) certifies a product's security against a specific Protection Profile. CRA requires a separate conformity assessment under Art. 32. For Critical products, Art. 32.4 requires certification under a European cybersecurity certification scheme per Art. 27(9) or, if no scheme exists, the procedures of Art. 32.3. CC certification may support the CRA assessment but does not replace it.

❌

SUPPLY CHAIN

Our chip is a component — the end-product manufacturer handles CRA

If your microcontroller or secure element is placed on the EU market separately (sold through distributors like Mouser, Farnell, Arrow), it is a product with digital elements under Art. 3(1). It needs its own CRA documentation. Additionally, every OEM customer integrating your chip will request your documentation under Art. 13.5.

What each CRACheck dossier contains: 8 documents

Security-relevant semiconductors are at the highest classification tiers of the CRA. The 8-document dossier covers silicon security architecture, cryptographic implementation, key management and side-channel resistance.

Product Classifier

Determines product category per Annex III. Defines conformity assessment route under Art. 32.

Technical Documentation

Complete technical documentation structured per Art. 31 and Annex VII. All 8 mandatory sections.

Risk Assessment

Cybersecurity risk assessment per Art. 13.2 and Art. 13.3. Mapped against Annex I Part I requirements.

User Information

Information and instructions per Annex II. Security properties, support period, vulnerability reporting.

Declaration of Conformity

EU declaration of conformity per Art. 28 and Annex V.

CVD Policy

Coordinated Vulnerability Disclosure policy per Annex I Part II.

ENISA Notification Template

Pre-structured for 24h early warning, 72h notification, 14-day final report under Art. 14.

Obligations Calendar

Key dates: Art. 14 from 11 Sep 2026, full enforcement 11 Dec 2027, support period per Art. 13.8.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated in your browser. No product data is transmitted to any server.

What you pay for semiconductor CRA documentation

🧾 SEMICONDUCTOR SECURITY CERTIFICATION (CC + CRA)

€50,000–€200,000

Per product family. 6-18 months. Common Criteria + CRA combined.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history