
Your NAS device sits on the local network of a European small business. It stores financial records, client data and backups. It is accessible via web interface, mobile app and sometimes the internet. Ransomware gangs have targeted NAS devices systematically — CVE databases list dozens of NAS vulnerabilities exploited in the wild. Regulation (EU) 2024/2847 requires technical documentation under Annex VII covering vulnerability handling, secure defaults and risk assessment. CRACheck generates it.

A NAS device is one of the most cybersecurity-exposed consumer and SMB products on the market. It runs a full operating system, exposes network services (SMB, NFS, HTTP, FTP, SSH), processes sensitive data and is frequently internet-accessible. Public ransomware campaigns (Deadbolt, QLocker, eCh0raix) have demonstrated that NAS devices are systematically targeted. Regulation (EU) 2024/2847 addresses exactly this risk class. Annex VII documentation must cover vulnerability handling processes, SBOM, secure default configuration and cybersecurity risk assessment. CRACheck generates 8 PDF documents. 15-25 minutes. €149 per NAS model. Browser-side.


€149 one-time · 8-document ZIP · 15-25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side

Key numbers

Default: NAS devices are typically Default products. Module A self-assessment. No notified body required.
Ransomware target: Deadbolt, QLocker, eCh0raix — NAS ransomware campaigns are documented and ongoing.
€149: Per NAS model. 8 documents covering network services, firmware, SBOM, vulnerability handling.

CRA compliance for a Chinese NAS manufacturer

NAS devices are ransomware targets with documented CVEs. CRA documentation is not optional — it is a competitive necessity.

1. Classify your NAS
NAS devices are not in Annex III. Default product. Module A self-assessment under Art. 32.1(a).

2. Map the attack surface
SMB/CIFS, NFS, HTTP/HTTPS admin interface, FTP, SSH, DDNS, mobile app, cloud relay, firmware update mechanism, USB, Docker/container support.

3. Document vulnerability handling
Your CVE response process, security advisory publication, firmware update delivery timeline. These are Annex I Part II requirements.

4. Generate CRA dossier
Enter specifications into CRACheck. 15-25 minutes.

5. Publish CVD policy
NAS devices attract security researchers. Your Coordinated Vulnerability Disclosure policy must be public and responsive.

6. Deliver to EU channels
IT distributors, Amazon Business, EU VAR partners receive CRA documentation.


NAS CRA mistakes

ANNEX I, PART I, 1(d)

Our NAS ships with a default admin password — the setup wizard requires changing it

Annex I Part I point 1(d) requires secure by default configuration. If the NAS is accessible on the network with default credentials before the user completes the setup wizard, it is vulnerable during that window. Best practice under CRA: unique device-specific credentials out of the box, or mandatory credential setup before any network service is enabled.
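
A firmware QA check for the pre-setup window described above, as an added example that is not CRACheck's or any vendor's code. It parses `ss -H -tln` output captured from a device in factory state and reports every non-loopback listening port while no credentials have been set. The sample output, the function names and the setup wizard port 8080 are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of `ss -H -tln` output from a NAS in factory state.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:445 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 64 *:2049 *:*
LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
"""

# Assumption: the only port allowed on the LAN before credential setup
# is the setup wizard itself.
SETUP_WIZARD_PORTS = {8080}


def parse_listeners(ss_output):
    """Return (host, port) for each LISTEN line of `ss -H -tln` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        listeners.append((host, int(port)))
    return listeners


def is_loopback(host):
    """True only for sockets bound to a loopback address."""
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets, %iface
    if host == "*":  # wildcard bind: reachable from the network
        return False
    return ipaddress.ip_address(host).is_loopback


def exposed_before_setup(ss_output, credentials_set, allowed=SETUP_WIZARD_PORTS):
    """Ports reachable from the network while credentials are still unset."""
    if credentials_set:
        return []
    ports = {
        port
        for host, port in parse_listeners(ss_output)
        if not is_loopback(host) and port not in allowed
    }
    return sorted(ports)
```

A non-empty result on a factory-reset unit means a service such as SMB, SSH or NFS is reachable during the window before the wizard completes.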

ART. 14

We publish security advisories on our website — that covers vulnerability reporting

Article 14 requires active notification to ENISA and the designated CSIRT within 24 hours of becoming aware of an actively exploited vulnerability. Publishing an advisory on your website is a disclosure action. ENISA notification is a separate legal obligation with a specific timeline and reporting platform. Both are required.

ANNEX VII.2(b)

Our NAS firmware has hundreds of packages — we cannot list them all in the SBOM

Annex VII point 2(b) requires the SBOM as part of vulnerability handling documentation. A NAS running Linux with hundreds of packages has a large SBOM — this is expected. Use automated SBOM generation tools (Syft, Trivy) to extract the component list. CRACheck structures the output into Annex VII format. The SBOM size reflects your product's complexity — it is not a reason to skip it.

What each CRACheck dossier contains: 8 documents

NAS devices are complex digital products with large attack surfaces. CRACheck generates 8 documents covering every CRA-relevant dimension.

1. Product Classifier
Determines product category per Annex III. Defines conformity assessment route under Art. 32.

2. Technical Documentation
Complete technical documentation structured per Art. 31 and Annex VII. All 8 mandatory sections.

3. Risk Assessment
Cybersecurity risk assessment per Art. 13.2 and Art. 13.3. Mapped against Annex I Part I requirements.

4. User Information
Information and instructions per Annex II. Security properties, support period, vulnerability reporting.

5. Declaration of Conformity
EU declaration of conformity per Art. 28 and Annex V.

6. CVD Policy
Coordinated Vulnerability Disclosure policy per Annex I Part II.

7. ENISA Notification Template
Pre-structured for 24h early warning, 72h notification, 14-day final report under Art. 14.

8. Obligations Calendar
Key dates: Art. 14 from 11 Sep 2026, full enforcement 11 Dec 2027, support period per Art. 13.8.

Look before you buy: download the sample dossier (PDF, fictitious company). Real structure, real articles, real format. Fictitious data.

Generated in your browser. No product data is transmitted to any server.

What you pay for NAS CRA documentation

🧾 CYBERSECURITY AUDIT + CRA DOCUMENTATION FOR NAS
€20,000–€40,000
Per NAS platform. Penetration test + documentation. 4-8 months.
✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history