A microcontroller with secure boot and hardware cryptographic acceleration is not a generic chip — it is a security component that other manufacturers depend on for their product's cybersecurity. Regulation (EU) 2024/2847 recognises this by classifying security-relevant semiconductors in Annex III (Class I or II) and Annex IV (Critical). The classification determines the conformity assessment route: Class I with harmonised standards = Module A. Class I without = notified body (Module B+C or H). Class II = always notified body. Critical = certification under Art. 32.4. In every case, Article 31 and Annex VII require technical documentation. CRACheck generates 8 PDF documents. 15-25 minutes. €149 per component family. Browser-side.
€149 one-time · 8-document ZIP · 15-25 minutes · Browser-side
Your semiconductor is the root of trust for thousands of products. Its CRA documentation is the foundation of the supply chain's compliance.
Your semiconductor is the root of trust for thousands of products. Its CRA documentation is the foundation of the supply chain's compliance.
Annex III Class II points 3-4 list tamper-resistant microprocessors and microcontrollers. Annex IV point 3 lists smartcards and secure elements as Critical. If your MCU is tamper-resistant (certified to CC EAL4+ or equivalent), it may be Class II. If it is a secure element, it is Critical. The classification depends on the product's security properties.
Common Criteria (ISO/IEC 15408) certifies a product's security against a specific Protection Profile. CRA requires a separate conformity assessment under Art. 32. For Critical products, Art. 32.4 requires certification under a European cybersecurity certification scheme per Art. 27(9) or, if no scheme exists, the procedures of Art. 32.3. CC certification may support the CRA assessment but does not replace it.
If your microcontroller or secure element is placed on the EU market separately (sold through distributors like Mouser, Farnell, Arrow), it is a product with digital elements under Art. 3(1). It needs its own CRA documentation. Additionally, every OEM customer integrating your chip will request your documentation under Art. 13.5.
Security-relevant semiconductors are at the highest classification tiers of the CRA. The 8-document dossier covers silicon security architecture, cryptographic implementation, key management and side-channel resistance.
Determines product category per Annex III. Defines conformity assessment route under Art. 32.
Complete technical documentation structured per Art. 31 and Annex VII. All 8 mandatory sections.
Cybersecurity risk assessment per Art. 13.2 and Art. 13.3. Mapped against Annex I Part I requirements.
Information and instructions per Annex II. Security properties, support period, vulnerability reporting.
EU declaration of conformity per Art. 28 and Annex V.
Coordinated Vulnerability Disclosure policy per Annex I Part II.
Pre-structured for 24h early warning, 72h notification, 14-day final report under Art. 14.
Key dates: Art. 14 from 11 Sep 2026, full enforcement 11 Dec 2027, support period per Art. 13.8.
Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.
Generated in your browser. No product data is transmitted to any server.
Generates Annex VII documentation for your microcontroller or secure element. Covers security architecture, crypto implementation, key management, side-channel measures. The documentation layer every assessment route requires.
CRACheck does not perform Common Criteria evaluation, side-channel testing, fault injection analysis or security target development. Silicon security certification is a separate, specialised process. CRACheck generates the CRA-specific documentation.
We document. Your CC evaluation lab certifies.
Article 64 establishes three tiers of administrative fines. Penalties are calculated per undertaking — but non-compliance on a single product can trigger inspection of your entire portfolio.
Art. 64.2. Up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher.
Art. 64.3. Up to €10 million or 2% of total worldwide annual turnover, whichever is higher. Includes failure to produce Annex VII documentation.
Art. 64.4. Up to €5 million or 1% of total worldwide annual turnover, whichever is higher.
Art. 64.5 accounts for the nature, gravity and duration of the infringement, and gives consideration to microenterprises, small and medium-sized enterprises, including start-ups.
| Alternative | Cost | What you get |
|---|---|---|
| CC + CRA certification | €50,000–€200,000 | 6-18 months. Full certification. |
| Provide existing CC certificate only | €0 additional | CC does not replace CRA Annex VII documentation. |
| Let OEM customers handle CRA | €0 | OEM customers require your documentation for Art. 13.5. No docs = no design-in. |
| CRACheck | €149 | 8 CRA docs. 15 min. Documentation for any assessment route. |
Each component family with different security architecture needs its own CRA dossier. Volume pricing: €99/family (10-pack), €79/family (30-pack).
Request volume pricingCRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, completeness and truthfulness of that information is your responsibility as the manufacturer.
We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct as of the last verification date. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case or by a commercial buyer in a procurement process.
CRACheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.