CRA Smart Camera IP Camera China Compliance

Key numbers

Class I

Security cameras — Annex III point 17. Important product with conformity assessment obligation.

Art. 32.2

Without harmonised standards: notified body assessment required (Module B+C or H).

€149

CRACheck generates the technical documentation. The notified body reviews it.

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Confirm Class I classification

Annex III point 17: "smart home products with security functionalities, including security cameras." Your IP camera is Class I. No ambiguity.

Check harmonised standards

If harmonised standards under Regulation (EU) 2024/2847 are published and you apply them in full, Module A self-assessment is sufficient. If not published or not fully applied, you need a notified body.

Generate Annex VII documentation

CRACheck generates the 8-document dossier the notified body will review. Enter your camera's specifications: firmware, video processing, cloud connectivity, update mechanism, vulnerability handling.

Engage a notified body

Submit the documentation for Module B (EU-type examination) or Module H (full quality assurance) assessment.

Receive conformity certificate

The notified body issues the certificate. You update your declaration of conformity to reference Regulation (EU) 2024/2847.

Affix CE marking and ship

Your camera now carries CE marking covering RED + CRA. Ship to EU distributors with the complete documentation package.

Common mistakes

❌

ANNEX III.17

"Our camera is a simple consumer device — it is a Default product"

Annex III point 17 of Regulation (EU) 2024/2847 explicitly names "security cameras" as Important Class I products. The regulatory text does not distinguish between professional CCTV and consumer security cameras. If your product is marketed or can be used as a security camera, it is Class I.

❌

ART. 32.2

"We can self-assess our camera under Module A"

Module A self-assessment under Art. 32.1(a) applies to Default products or to Important Class I products where harmonised standards are fully applied. If the relevant CRA harmonised standard is not yet published or you have not applied it in full, Art. 32.2 requires conformity assessment by a notified body.

❌

ART. 14

"Vulnerability reporting is only for software companies"

Article 14 of Regulation (EU) 2024/2847 applies to manufacturers of all products with digital elements — including hardware manufacturers. If a vulnerability in your camera's firmware is actively exploited, you must notify ENISA and the designated CSIRT within 24 hours. This obligation applies from 11 September 2026.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Classifies camera as Class I per Annex III point 17. No ambiguity for security cameras.

Technical Documentation

Art. 31 + Annex VII. Covers video processing, cloud connectivity, encryption, firmware update architecture, access control.

Risk Assessment

Art. 13.2-13.3. Includes network exposure, unauthorized camera access, credential theft, firmware tampering.

User Information

Annex II. Privacy settings, recording notification, secure setup, vulnerability reporting, secure disposal.

Declaration of Conformity

Art. 28 + Annex V. References CRA alongside RED and any other applicable directives.

CVD Policy

Coordinated Vulnerability Disclosure for firmware vulnerabilities. Critical for cameras with cloud connectivity.

Notification Template

Art. 14 ENISA notification for camera-specific incidents and vulnerabilities.

Obligations Calendar

CRA dates with Class I notified body milestones and support period.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 NOTIFIED BODY + DOCUMENTATION PACKAGE

€8,000–€20,000

Documentation + assessment bundle. 3-6 months.

✓ CRACHECK

€149

€149 for CRACheck documentation. Notified body assessment separately. You control the timeline. Pack 10: €99/product.

Two layers

● LAYER 1

What CRACheck does

Generates the Annex VII technical documentation for your IP camera. Structured per Art. 31. Ready for submission to a notified body.

∅ LAYER 2

What CRACheck does NOT do

CRACheck does not perform the conformity assessment. For Class I products without harmonised standards, a notified body must issue the certificate under Art. 32.2. CRACheck produces the documentation input — the notified body produces the assessment output.

We document. The notified body certifies.

Enforcement regime

Article 64 of Regulation (EU) 2024/2847.

🔴

Non-compliance with Annex I + Art. 13/14 (Art. 64(2))

€15,000,000 / 2.5%

Art. 64.2.

🟠

Non-compliance with Art. 31, Art. 28, Art. 32 (Art. 64(3))

€10,000,000 / 2%

Art. 64.3.

🟡

Incorrect or misleading information (Art. 64(4))

€5,000,000 / 1%

Art. 64.4.

Alternatives

Criterion	Notified body full-service (docs + assessment)	Ask your RED lab to add CRA	Self-assess under Module A (incorrect for Class I)	CRACheck + separate notified body
Cost	€8,000–€20,000	€3,000–€8,000	€0	€149 + NB fee
Result	Complete. 3-6 months.	If they cover CRA. Most do not yet.	Non-compliant. Art. 32.2 requires NB if no harmonised standard.	Documentation in 15 min. NB assessment on your timeline.

Your camera product line spans multiple models?

Each camera model with different firmware, hardware or connectivity needs its own Annex VII dossier. Indoor camera, outdoor PTZ, doorbell camera — three products, three dossiers. Volume pricing: €99/product (10-pack), €79/product (30-pack).

Request Volume Pricing

Response within one business day.

What CRACheck guarantees and what it does not

CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, completeness and truthfulness of that information is your responsibility as the manufacturer.

We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case or by a commercial buyer in a procurement process.

CRACheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.

Frequently asked questions

Are all cameras Class I under the CRA?

Annex III point 17 lists "security cameras" as Important Class I. A camera marketed exclusively as a webcam for video calls may not fall under this category. However, if the product can reasonably be used for home security monitoring — and most IP cameras can — market surveillance authorities may classify it as Class I. When in doubt, document as Class I.

When will CRA harmonised standards for cameras be available?

The European Commission has mandated CEN/CENELEC to develop harmonised standards under Regulation (EU) 2024/2847. The timeline for publication depends on the standardisation process. If harmonised standards are available and you apply them fully, Module A self-assessment is sufficient even for Class I. Monitor EUR-Lex and the Official Journal for publications.

Does the CRA cover the privacy aspects of cameras?

Regulation (EU) 2024/2847 covers cybersecurity, not data protection. GDPR covers privacy. However, Annex I Part I point 1(c) requires the product to protect the confidentiality of stored, transmitted and processed data — which overlaps with privacy. The CRA documentation addresses the cybersecurity dimension. Privacy compliance is separate.

Our camera connects to our proprietary cloud — does the cloud fall under CRA?

Article 3(1) defines a product with digital elements as including "remote data processing solutions." If your camera's functionality depends on a cloud service you provide, the cloud component is part of the product and must be documented. CRACheck covers the documentation of remote data processing solutions within the Technical Documentation.

Is this a subscription?

No. One-time payment. 30 days editing, 10 regenerations. PDF yours permanently.

Can I request a refund?

Pursuant to Art. 16(m) of Directive (EU) 2011/83, licence activation constitutes express consent. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate at no additional cost during licence validity.

Official legal sources

Regulation (EU) 2024/2847 — Cyber Resilience Act — Annex III

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.