Annex III point 17 of Regulation (EU) 2024/2847 lists "smart door locks" as Important Class I products. A cybersecurity vulnerability in your smart lock is not a data leak — it is an unauthorized physical entry. European hospitality chains and distributors will require Annex VII documentation before placing your lock in any building. CRACheck generates the 8-document dossier.

A compromised smart lock opens a physical door. The cybersecurity requirements of Annex I intersect with physical security for this product category. Annex III point 17 classifies smart door locks as Important Class I. If harmonised standards are not fully applied, Article 32.2 requires conformity assessment by a notified body. CRACheck generates the technical documentation under Annex VII: 8 PDFs, 15-25 minutes, €149. Browser-side.

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side

Key numbers

Class I
Smart door locks — Annex III point 17. Important product. Conformity assessment obligation.
Physical access
A cybersecurity vulnerability in a smart lock = unauthorized physical entry. Risk profile above typical IoT.
€149
Annex VII documentation per lock model. 15 minutes. The notified body reviews it.

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

1. Classification: Class I
   Annex III point 17: "smart door locks." No ambiguity. Class I.
2. Document access control architecture
   Authentication methods (fingerprint, PIN, Bluetooth, NFC, WiFi), encryption of credentials, key management, firmware update mechanism, fail-safe behaviour on power loss.
3. Generate Annex VII dossier
   CRACheck structures the 8 documents from your lock's specifications. 15-25 minutes.
4. Engage notified body
   Submit documentation for Module B+C or Module H assessment if harmonised standards are not fully applied.
5. Update Declaration of Conformity
   Add Regulation (EU) 2024/2847. Your lock's CE marking now covers CRA.
6. Deliver to EU buyers
   Hotels, building integrators and distributors receive your complete documentation package.
7. Maintain CVD channel
   Smart locks are high-value targets for security researchers. Your CVD policy must be active and responsive.

Common mistakes

ANNEX I, PART I, 1(a)

"Our lock uses AES-128 encryption — it is secure enough"

Annex I Part I point 1(a) requires protection of confidentiality, integrity, availability and authenticity. Encryption of stored credentials is one element. The CRA also requires secure authentication, protection against unauthorized access, secure firmware updates and resistance to denial-of-service. AES-128 on stored PINs does not cover the full surface.

ANNEX I, PART II

"We patched a vulnerability last year — our lock is clean"

Annex I Part II requires ongoing vulnerability handling — not one-time patching. You must identify, document, address and remediate vulnerabilities without delay throughout the support period.

ART. 13.6

"Users create their own PIN — the default is 0000 for initial setup"

Annex I Part I point 1(d) requires secure by default configuration. A universal default PIN of 0000 is the exact pattern the CRA targets. Your lock must ship with unique default credentials or force credential setup before first use.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
   Class I confirmation per Annex III point 17.
2. Technical Documentation
   Art. 31 + Annex VII. Covers authentication architecture, credential storage, encryption, BLE/WiFi security, firmware update mechanism.
3. Risk Assessment
   Art. 13.2-13.3. Includes unauthorized physical entry, credential theft, replay attacks, brute force, jamming.
4. User Information
   Annex II. Secure setup, master code management, battery replacement, vulnerability reporting, secure disposal (credential wipe).
5. Declaration of Conformity
   Art. 28 + Annex V.
6. CVD Policy
   Critical for access control products. Clear reporting channel and response timeline.
7. Notification Template
   Art. 14. A vulnerability in a smart lock is a high-severity incident. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
8. Obligations Calendar
   CRA dates plus support period for the lock.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 SECURITY CERTIFICATION LAB (CRA + PENETRATION TEST)
€15,000–€30,000
Per lock model. 4-8 months. Includes penetration testing.
✓ CRACHECK
€149
8 documents. 15 min. Documentation only. Penetration testing separately. Pack 10: €99/product.

Two layers

● LAYER 1

What CRACheck does

Generates the Annex VII documentation for your smart lock. Covers authentication, encryption, credential management, vulnerability handling. Ready for notified body review.

∅ LAYER 2

What CRACheck does NOT do

CRACheck does not perform penetration testing, brute-force resistance testing or physical security assessment. A smart lock needs both documentation and security testing. CRACheck handles the documentation layer.

We document. You secure the lock.

Enforcement regime

Article 64 of Regulation (EU) 2024/2847.

🔴 Non-compliance with Annex I + Art. 13/14 (Art. 64(2)): €15,000,000 / 2.5%

🟠 Non-compliance with Art. 31, Art. 28, Art. 32 (Art. 64(3)): €10,000,000 / 2%

🟡 Incorrect or misleading information (Art. 64(4)): €5,000,000 / 1%

Alternatives

| Criterion | Security certification lab | Self-assess under Module A (incorrect for Class I) | Wait for EU buyer to enforce | CRACheck |
| --- | --- | --- | --- | --- |
| Cost | €15,000–€30,000 | €0 | €0 | €149 |
| Result | Docs + pentest. 4-8 months. | Non-compliant. Notified body required without harmonised standards. | Lose the tender. Hotels will buy from compliant competitors. | 8 docs. 15 min. Documentation ready. Security testing separate. |

Your smart lock catalogue spans residential, hospitality and office models?

Each lock model with different firmware, authentication methods or connectivity needs its own Annex VII dossier. Volume pricing: €99/product (10-pack), €79/product (30-pack).

Request Volume Pricing
Response within one business day.

What CRACheck guarantees and what it does not

CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, completeness and truthfulness of that information is your responsibility as the manufacturer.

We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case or by a commercial buyer in a procurement process.

CRACheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.

Frequently asked questions

Are Bluetooth-only locks in scope of the CRA?
Yes. Article 2.1 covers products with a data connection. A Bluetooth connection is a data connection. A Bluetooth smart lock is in scope and classified as Class I under Annex III point 17.

Does a hotel need CRA documentation for every room lock?
The CRA obligation is on the manufacturer per product model, not per unit installed. One dossier per lock model. The hotel is a user, not a manufacturer, importer or distributor.

Can we include our physical lock certifications (EN 15684, EN 12209) in the CRA documentation?
The CRA covers cybersecurity, not physical lock strength. However, Annex VII point 5 allows listing all applicable standards. Including physical security certifications provides a complete picture.

What support period should we declare for a smart lock?
Smart locks are expected to be used for 10+ years. Article 13.8 requires a support period reflecting expected time of use. For access control products, align with the product's physical durability.

Our lock has a physical key backup — does the CRA still apply?
Yes. The CRA applies to the digital elements. If your lock has WiFi, Bluetooth or any data connection, the digital functionality is in scope regardless of physical backup mechanisms.

Is this a subscription?
No. One-time payment. 30 days editing, 10 regenerations. PDF yours permanently.

Can I request a refund?
Pursuant to Art. 16(m) of Directive (EU) 2011/83, licence activation constitutes express consent. Refunds only for reproducible technical failures.

What if the regulation changes?
Regenerate at no additional cost during licence validity.

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

Your smart lock is Class I. Annex VII documentation is mandatory. Generate it — 15 minutes, €149.

Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected