
Your NAS device sits on the local network of a European small business. It stores financial records, client data and backups. It is accessible via web interface, mobile app and sometimes the internet. Ransomware gangs have targeted NAS devices systematically — CVE databases list dozens of NAS vulnerabilities exploited in the wild. Regulation (EU) 2024/2847 requires technical documentation under Annex VII covering vulnerability handling, secure defaults and risk assessment. CRACheck generates it.

A NAS device is one of the most cybersecurity-exposed consumer and SMB products on the market. It runs a full operating system, exposes network services (SMB, NFS, HTTP, FTP, SSH), processes sensitive data and is frequently internet-accessible. Public ransomware campaigns (Deadbolt, QLocker, eCh0raix) have demonstrated that NAS devices are systematically targeted. Regulation (EU) 2024/2847 addresses exactly this risk class. Annex VII documentation must cover vulnerability handling processes, SBOM, secure default configuration and cybersecurity risk assessment. CRACheck generates 8 PDF documents. 15-25 minutes. €149 per NAS model. Browser-side.


€149 one-time · 8-document ZIP · 15-25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side

Key numbers

Default: NAS devices are typically Default products. Module A self-assessment. No notified body required.
Ransomware target: Deadbolt, QLocker, eCh0raix — NAS ransomware campaigns are documented and ongoing.
€149: Per NAS model. 8 documents covering network services, firmware, SBOM, vulnerability handling.

CRA compliance for a Chinese NAS manufacturer

NAS devices are ransomware targets with documented CVEs. CRA documentation is not optional — it is a competitive necessity.

1. Classify your NAS: NAS devices are not in Annex III. Default product. Module A self-assessment under Art. 32.1(a).
2. Map the attack surface: SMB/CIFS, NFS, HTTP/HTTPS admin interface, FTP, SSH, DDNS, mobile app, cloud relay, firmware update mechanism, USB, Docker/container support.
3. Document vulnerability handling: Your CVE response process, security advisory publication, firmware update delivery timeline. These are Annex I Part II requirements.
4. Generate CRA dossier: Enter specifications into CRACheck. 15-25 minutes.
5. Publish CVD policy: NAS devices attract security researchers. Your Coordinated Vulnerability Disclosure policy must be public and responsive.
6. Deliver to EU channels: IT distributors, Amazon Business, EU VAR partners receive CRA documentation.

NAS CRA mistakes

ANNEX I, PART I, 1(d)

Our NAS ships with a default admin password — the setup wizard requires changing it

Annex I Part I point 1(d) requires a secure-by-default configuration. If the NAS is reachable on the network with default credentials before the user completes the setup wizard, it is vulnerable during that window. Best practice under CRA: unique device-specific credentials out of the box, or mandatory credential setup before any network service is enabled.

ART. 14

We publish security advisories on our website — that covers vulnerability reporting

Article 14 requires active notification to ENISA and the designated CSIRT within 24 hours of becoming aware of an actively exploited vulnerability. Publishing an advisory on your website is a disclosure action. ENISA notification is a separate legal obligation with a specific timeline and reporting platform. Both are required.

ANNEX VII.2(b)

Our NAS firmware has hundreds of packages — we cannot list them all in the SBOM

Annex VII point 2(b) requires the SBOM as part of vulnerability handling documentation. A NAS running Linux with hundreds of packages has a large SBOM — this is expected. Use automated SBOM generation tools (Syft, Trivy) to extract the component list. CRACheck structures the output into Annex VII format. The SBOM size reflects your product's complexity — it is not a reason to skip it.

What each CRACheck dossier contains: 8 documents

NAS devices are complex digital products with large attack surfaces. CRACheck generates 8 documents covering every CRA-relevant dimension.

1. Product Classifier: Determines product category per Annex III. Defines conformity assessment route under Art. 32.
2. Technical Documentation: Complete technical documentation structured per Art. 31 and Annex VII. All 8 mandatory sections.
3. Risk Assessment: Cybersecurity risk assessment per Art. 13.2 and Art. 13.3. Mapped against Annex I Part I requirements.
4. User Information: Information and instructions per Annex II. Security properties, support period, vulnerability reporting.
5. Declaration of Conformity: EU declaration of conformity per Art. 28 and Annex V.
6. CVD Policy: Coordinated Vulnerability Disclosure policy per Annex I Part II.
7. ENISA Notification Template: Pre-structured for 24h early warning, 72h notification, 14-day final report under Art. 14.
8. Obligations Calendar: Key dates: Art. 14 from 11 Sep 2026, full enforcement 11 Dec 2027, support period per Art. 13.8.

See before you buy: download the sample dossier (PDF, fictional company). Real structure, real articles, real format. Fictional data.

Generated in your browser. No product data is transmitted to any server.

What you pay for NAS CRA documentation

🧾 CYBERSECURITY AUDIT + CRA DOCUMENTATION FOR NAS
€20,000–€40,000
Per NAS platform. Penetration test + documentation. 4-8 months.
✓ CRACHECK
€149
8 CRA documents. 15 min. Security audit handled separately.

Documentation vs. penetration testing

● LAYER 1

What CRACheck does

Generates Annex VII documentation for your NAS. Covers network services, firmware, SBOM, vulnerability handling, secure defaults and risk assessment.

∅ LAYER 2

What CRACheck does NOT do

CRACheck does not perform penetration testing, vulnerability scanning or ransomware resilience assessment. Your NAS needs both documentation and security testing. CRACheck handles the documentation.

We document. You pentest.

CRA penalty regime — Article 64 of Regulation (EU) 2024/2847

Article 64 establishes three tiers of administrative fines. Penalties are calculated per undertaking — but non-compliance on a single product can trigger inspection of your entire portfolio.

🇪🇺
Non-compliance with essential cybersecurity requirements (Annex I) and Art. 13/14 obligations
€15M / 2.5%

Art. 64.2. Up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher.

🇪🇺
Non-compliance with technical documentation (Art. 31), authorised representative (Art. 18), conformity assessment (Art. 32)
€10M / 2%

Art. 64.3. Up to €10 million or 2% of total worldwide annual turnover, whichever is higher. Includes failure to produce Annex VII documentation.

🇪🇺
Supply of incorrect, incomplete or misleading information to authorities
€5M / 1%

Art. 64.4. Up to €5 million or 1% of total worldwide annual turnover, whichever is higher.

Art. 64.5 accounts for the nature, gravity and duration of the infringement, and gives consideration to microenterprises, small and medium-sized enterprises, including start-ups.

Alternatives

| Alternative | Cost | What you get |
|---|---|---|
| Cybersecurity audit + documentation | €20,000–€40,000 | Per NAS platform. 4-8 months. |
| Publish CVE responses only | €0 | CVE response is one component. Annex VII requires complete documentation. |
| Rely on community trust (open-source NAS OS) | €0 | Community trust does not satisfy Art. 31. Documented compliance required. |
| CRACheck | €149 | 8 docs. 15 min. Per NAS model. |

Your NAS lineup spans consumer, SMB and rack-mount models?

Each NAS model with different firmware or hardware platform needs its own CRA dossier. 2-bay consumer, 4-bay SMB, 12-bay rack — three products, three dossiers. Volume pricing: €99/product (10-pack), €79/product (30-pack).

Request volume pricing
Response within one business day.

What CRACheck guarantees and what it does not

CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, completeness and truthfulness of that information is your responsibility as the manufacturer.

We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct as of the last verification date. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case or by a commercial buyer in a procurement process.

CRACheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.

Frequently asked questions

Are NAS devices Default or Important under CRA?
NAS devices are not listed in Annex III or IV. They are Default products eligible for Module A self-assessment. However, if a NAS integrates network management functionality listed in Annex III point 6, or operates as a server with security-relevant functions, classification may differ. Standard consumer and SMB NAS devices are Default.
What support period for a NAS device?
NAS devices are used for 5-8 years in consumer environments and 5-10 years in SMB. Art. 13.8 requires the support period to reflect expected use. 5-7 years of security updates is a competitive baseline. Longer is better for enterprise buyers.
Does the CRA apply to the hard drives inside the NAS?
Hard drives without digital elements (no firmware, no data connection) are not products with digital elements. Hard drives with built-in encryption controllers or network interfaces may be in scope. The NAS device itself — the enclosure with firmware, network connectivity and user interface — is the product with digital elements.
Our NAS supports Docker containers — do third-party containers need CRA documentation?
Third-party containers installed by the user after purchase are not your responsibility as manufacturer. The NAS firmware, the container runtime and the pre-installed applications are your responsibility. Document the security of your container runtime and any default containers in Annex VII.
Is this a subscription?
No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours to keep.
Can I request a refund?
Pursuant to Art. 16(m) of Directive (EU) 2011/83 on consumer rights, by activating the licence you give express consent for the immediate generation of the digital content, waiving the 14-day withdrawal period. Refunds are accepted only for reproducible technical failures.
What if the regulation changes?
If the regulation changes during the validity of your licence, you can regenerate the document with the updated version of the generator at no additional cost.
⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

Your NAS is a ransomware target on European networks. CRA documentation is mandatory. Generate it — 15 minutes, €149.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history