Are Bluetooth-only locks in scope of the CRA?

Yes. Article 2.1 covers products with a data connection. A Bluetooth connection is a data connection. A Bluetooth smart lock is in scope and classified as Class I under Annex III point 17.

Does a hotel need CRA documentation for every room lock?

The CRA obligation is on the manufacturer per product model, not per unit installed. One dossier per lock model. The hotel is a user, not a manufacturer, importer or distributor.

Can we include our physical lock certifications (EN 15684, EN 12209) in the CRA documentation?

The CRA covers cybersecurity, not physical lock strength. However, Annex VII point 5 allows listing all applicable standards. Including physical security certifications provides a complete picture.

What support period should we declare for a smart lock?

Smart locks are expected to be used for 10+ years. Article 13.8 requires a support period reflecting expected time of use. For access control products, align with the product's physical durability.

Our lock has a physical key backup — does the CRA still apply?

Yes. The CRA applies to the digital elements. If your lock has WiFi, Bluetooth or any data connection, the digital functionality is in scope regardless of physical backup mechanisms.

Is this a subscription?

No. One-time payment. 30 days editing, 10 regenerations. PDF yours permanently.

Can I request a refund?

Pursuant to Art. 16(m) of Directive (EU) 2011/83, licence activation constitutes express consent. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate at no additional cost during licence validity.

Annex III point 17 of Regulation (EU) 2024/2847 lists "smart door locks" as Important Class I products. A cybersecurity vulnerability in your smart lock is not a data leak — it is an unauthorized physical entry. European hospitality chains and distributors will require Annex VII documentation before placing your lock in any building. CRACheck generates the 8-document dossier.

A compromised smart lock opens a physical door. The cybersecurity requirements of Annex I intersect with physical security for this product category. Annex III point 17 classifies smart door locks as Important Class I. If harmonised standards are not fully applied, Article 32.2 requires conformity assessment by a notified body. CRACheck generates the technical documentation under Annex VII: 8 PDFs, 15-25 minutes, €149. Browser-side.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

Class I

Smart door locks — Annex III point 17. Important product. Conformity assessment obligation.

Physical access

A cybersecurity vulnerability in a smart lock = unauthorized physical entry. Risk profile above typical IoT.

€149

Annex VII documentation per lock model. 15 minutes. The notified body reviews it.

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Classification: Class I

Annex III point 17: "smart door locks." No ambiguity. Class I.

Document access control architecture

Authentication methods (fingerprint, PIN, Bluetooth, NFC, WiFi), encryption of credentials, key management, firmware update mechanism, fail-safe behaviour on power loss.

Generate Annex VII dossier

CRACheck structures the 8 documents from your lock's specifications. 15-25 minutes.

Engage notified body

Submit documentation for Module B+C or Module H assessment if harmonised standards are not fully applied.

Update Declaration of Conformity

Add Regulation (EU) 2024/2847. Your lock's CE marking now covers CRA.

Deliver to EU buyers

Hotels, building integrators and distributors receive your complete documentation package.

Maintain CVD channel

Smart locks are high-value targets for security researchers. Your CVD policy must be active and responsive.

Common mistakes

❌

ANNEX I, PART I, 1(a)

"Our lock uses AES-128 encryption — it is secure enough"

Annex I Part I point 1(a) requires protection of confidentiality, integrity, availability and authenticity. Encryption of stored credentials is one element. The CRA also requires secure authentication, protection against unauthorized access, secure firmware updates and resistance to denial-of-service. AES-128 on stored PINs does not cover the full surface.

❌

ANNEX I, PART II

"We patched a vulnerability last year — our lock is clean"

Annex I Part II requires ongoing vulnerability handling — not one-time patching. You must identify, document, address and remediate vulnerabilities without delay throughout the support period.

❌

ART. 13.6

"Users create their own PIN — the default is 0000 for initial setup"

Annex I Part I point 1(d) requires secure by default configuration. A universal default PIN of 0000 is the exact pattern the CRA targets. Your lock must ship with unique default credentials or force credential setup before first use.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Class I confirmation per Annex III point 17.

Technical Documentation

Art. 31 + Annex VII. Covers authentication architecture, credential storage, encryption, BLE/WiFi security, firmware update mechanism.

Risk Assessment

Art. 13.2-13.3. Includes unauthorized physical entry, credential theft, replay attacks, brute force, jamming.

User Information

Annex II. Secure setup, master code management, battery replacement, vulnerability reporting, secure disposal (credential wipe).

Declaration of Conformity

Art. 28 + Annex V.

CVD Policy

Critical for access control products. Clear reporting channel and response timeline.

Notification Template

Art. 14. A vulnerability in a smart lock is a high-severity incident. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

CRA dates plus support period for the lock.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 SECURITY CERTIFICATION LAB (CRA + PENETRATION TEST)

€15,000–€30,000

Per lock model. 4-8 months. Includes penetration testing.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history