Smart building security systems typically fall within the scope of both the Cyber Resilience Act and existing sectoral regulation. A networked access control system with cloud-based management qualifies as a product with digital elements under Article 3(1), with the cloud platform as remote data processing under Article 3(2). Products performing security functions — access control, intrusion detection, network protection — may classify as Important Class I under Annex III, which affects the conformity assessment path. CRACheck generates the 8-document dossier under Article 31 + Annex VII in 15-25 minutes for €149, covering hardware, firmware, and cloud layers as a unified regulated product.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.
If your access control system connects to a network, has firmware that receives updates, or transmits data to a cloud platform, it is a product with digital elements under Article 3(1) of Regulation (EU) 2024/2847. The CRA regulates the cybersecurity of connected products regardless of their primary function. A networked door controller is both a physical security device and a cybersecurity-relevant product.
The system integrator installs your product but did not design or develop it. Article 13 places the technical documentation obligation on the manufacturer — you. The integrator has separate obligations as an importer or distributor under Articles 19-20. They can verify your documentation exists but cannot produce it for you.
EN 50131 (alarm systems) and EN 62676 (video surveillance) address functional security performance. The CRA addresses product cybersecurity: secure-by-default configuration, encryption, access control, vulnerability handling, and security update mechanisms per Annex I. CRA compliance is additional to and distinct from existing building security standards.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Determines whether your building security product is Default or Important Class I under Annex III. Products with access control or intrusion detection functions may classify higher.
Art. 31 + Annex VII dossier covering hardware design, firmware architecture, communication protocols (BACnet, IP, Zigbee), cloud integration, and physical-cyber interface security.
Building security-specific analysis: unauthorized remote access to door controllers, camera feed interception, firmware exploitation via building network, credential theft for cloud management platform, and physical-cyber combined attack scenarios.
Annex II for building integrators and operators: system hardening instructions, default credential change procedures, network segmentation recommendations, update policy, and security monitoring guidance.
Art. 28 + Annex V for your building security product. Accompanies the CE marking on the device.
Vulnerability disclosure policy adapted for building security: responsible disclosure process for hardware and firmware vulnerabilities, coordinated notification to integrators and building operators.
ENISA template per Article 14 for building security incidents: exploited access control vulnerabilities, camera system compromises, BMS takeover scenarios. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
Timeline with CRA milestones, Art. 14 reporting from September 2026, and support period obligations for installed building systems.
Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.
Generated from your data, in your browser. No data leaves your device.
Generates the technical documentation for your smart building security product covering Article 31, Annex VII, Annex V, Annex II, and Article 14. Addresses hardware, firmware, and cloud as a single documented product.
Does not penetration test your access control system. Does not audit your camera firmware. Does not assess your cloud platform's SOC 2 posture. Does not certify your product against EN 50131 or EN 62676. Does not serve as a notified body for Important Class I products.
CRACheck documents. Your hardware security team and third-party testers validate. Both are necessary for a building security product.
Article 64 of Regulation (EU) 2024/2847.
Non-compliance with essential requirements or manufacturer obligations.
Missing documentation or conformity assessment.
Misleading information to authorities.
| Criteria | Building security consultant | Generic CRA consultant | Internal compliance | CRACheck |
|---|---|---|---|---|
| Time | 10-20 weeks | 8-16 weeks | 4-8 weeks | 15-25 minutes |
| Cost per product line | €15,000-€30,000 | €10,000-€20,000 | Staff hours | €149 |
| Covers hardware+firmware+cloud | Yes (specialized) | Partially | Depends on expertise | Yes — unified dossier |
| Ready for integrator | Custom report | Custom report | Internal doc | 8 standardized PDFs |
Each product model — access control panel, IP camera, BMS controller — needs independent Article 31 documentation. Volume pricing: 10 products at €99, 30 at €79.
Request Volume PricingCRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy of that information is your responsibility as the manufacturer.
We guarantee the document structure follows Article 31 + Annex VII and that legal references are correct. We do not guarantee acceptance by a specific market surveillance authority or building project approval.
CRACheck is not legal advice. For questions about Annex III classification for security-function products or notified body requirements, consult a qualified regulatory professional.
Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.