Our access control system uses cloud management. Does the cloud platform need separate CRA documentation?

No. Under Article 3(2) of Regulation (EU) 2024/2847, the cloud platform is remote data processing that is part of the product with digital elements. The technical documentation under Article 31 covers the entire product: hardware, firmware, and cloud management as a unified system. CRACheck generates one dossier covering all layers.

Does our product classify as Important Class I because it performs a security function?

Annex III, Part I of Regulation (EU) 2024/2847 lists product categories. Products primarily performing functions critical to cybersecurity — such as securing authentication, access control, intrusion detection, or endpoint security — may fall under Important Class I. If your access control system's primary function is securing physical access through digital means, it likely qualifies. CRACheck's Product Classifier makes this determination explicit.

What conformity assessment does Important Class I require?

Under Article 32(2), Important Class I products can use self-assessment (Module A) if harmonised standards covering the relevant essential requirements have been applied. If harmonised standards are not applied, Module B+C or Module H with notified body involvement is required. CRACheck identifies the applicable path based on your classification.

Our products are installed by third-party integrators. Who is responsible for post-installation cybersecurity?

The manufacturer maintains responsibility for security updates and vulnerability handling for the support period per Article 13(8) and Annex I, Part II. The integrator bears responsibility for correct installation per the manufacturer's instructions. Your Annex II user information document should include installation security guidelines for integrators.

We sell the same product to US and EU markets. Do we need separate documentation?

CRA documentation is for the EU market. You do not need separate US documentation under CRA. However, the documentation you produce for the EU market applies to the product itself, which is presumably identical in both markets. One CRA dossier per product model covers all EU Member States.

Is CRACheck a subscription?

No. One-time payment. 30 days of editing, 10 regenerations. The PDF is yours to keep.

Can I request a refund?

Per Article 16(m) of Directive (EU) 2011/83, activating the license constitutes express consent for immediate generation. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate at no additional cost during your license period.

You manufacture access control panels, IP cameras, or building management systems in the United States and sell them to European integrators. These products combine hardware, firmware, and cloud connectivity — three layers that Regulation (EU) 2024/2847 treats as a single product with digital elements. Your European integrator needs Article 31 documentation before installing your equipment in an EU building project. CRACheck generates it.

Smart building security systems typically fall within the scope of both the Cyber Resilience Act and existing sectoral regulation. A networked access control system with cloud-based management qualifies as a product with digital elements under Article 3(1), with the cloud platform as remote data processing under Article 3(2). Products performing security functions — access control, intrusion detection, network protection — may classify as Important Class I under Annex III, which affects the conformity assessment path. CRACheck generates the 8-document dossier under Article 31 + Annex VII in 15-25 minutes for €149, covering hardware, firmware, and cloud layers as a unified regulated product.

Generate CRA documentation — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

Annex III

Smart building security products with security functions may classify as Important Class I — higher conformity requirements

€15M

Maximum CRA fine for non-compliance with essential cybersecurity requirements (Art. 64(2))

€149

One-time cost per product for the complete 8-document CRA dossier

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Define the product system

Enter product name (access control panel, IP camera, BMS controller), hardware model, firmware version, and cloud platform details. CRACheck treats the hardware-firmware-cloud system as one product.

Classify under Annex III

Products performing access control, intrusion detection, or network security functions may fall under Important Class I (Annex III, Part I). CRACheck evaluates your product against the specific criteria.

Describe multi-layer architecture

Hardware components (processors, communication modules), firmware (RTOS, embedded Linux), connectivity protocols (BACnet, Modbus, IP, Zigbee), and cloud management platform.

Map physical and cyber threats

Building security systems face unique threat combinations: physical tampering plus cyber exploitation. CRACheck structures the risk assessment to cover both attack surfaces per Article 13(2)-(3).

Document supply chain components

Communication modules, embedded processors, and third-party firmware libraries. Article 13(5) requires due diligence on all integrated components.

Generate 8 documents

Technical documentation covering all system layers, risk assessment, declaration of conformity, user information for integrators and building operators, CVD policy, ENISA template, obligations calendar.

Deliver to your EU integrator

The integrator needs your documentation to include in their project compliance file. Having it ready accelerates project approvals.

Common mistakes

❌

DIGITAL CONVERGENCE

"Our access control system is physical security, not cybersecurity — CRA does not apply"

If your access control system connects to a network, has firmware that receives updates, or transmits data to a cloud platform, it is a product with digital elements under Article 3(1) of Regulation (EU) 2024/2847. The CRA regulates the cybersecurity of connected products regardless of their primary function. A networked door controller is both a physical security device and a cybersecurity-relevant product.

❌

MANUFACTURER vs INTEGRATOR

"Our European system integrator handles building code compliance — they can handle CRA too"

The system integrator installs your product but did not design or develop it. Article 13 places the technical documentation obligation on the manufacturer — you. The integrator has separate obligations as an importer or distributor under Articles 19-20. They can verify your documentation exists but cannot produce it for you.

❌

STANDARD SCOPE

"Our product already has EN 50131 or EN 62676 certification"

EN 50131 (alarm systems) and EN 62676 (video surveillance) address functional security performance. The CRA addresses product cybersecurity: secure-by-default configuration, encryption, access control, vulnerability handling, and security update mechanisms per Annex I. CRA compliance is additional to and distinct from existing building security standards.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Determines whether your building security product is Default or Important Class I under Annex III. Products with access control or intrusion detection functions may classify higher.

Technical Documentation

Art. 31 + Annex VII dossier covering hardware design, firmware architecture, communication protocols (BACnet, IP, Zigbee), cloud integration, and physical-cyber interface security.

Risk Assessment

Building security-specific analysis: unauthorized remote access to door controllers, camera feed interception, firmware exploitation via building network, credential theft for cloud management platform, and physical-cyber combined attack scenarios.

User Information

Annex II for building integrators and operators: system hardening instructions, default credential change procedures, network segmentation recommendations, update policy, and security monitoring guidance.

Declaration of Conformity

Art. 28 + Annex V for your building security product. Accompanies the CE marking on the device.

CVD Policy

Vulnerability disclosure policy adapted for building security: responsible disclosure process for hardware and firmware vulnerabilities, coordinated notification to integrators and building operators.

Notification Template

ENISA template per Article 14 for building security incidents: exploited access control vulnerabilities, camera system compromises, BMS takeover scenarios. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

Timeline with CRA milestones, Art. 14 reporting from September 2026, and support period obligations for installed building systems.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 BUILDING SYSTEMS CYBERSECURITY CONSULTANT

€15,000–€30,000

10-20 weeks. Requires on-site system review and firmware analysis. Multiple stakeholder meetings.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history