CRA Smart Speaker Virtual Assistant China

Key numbers

Class I

General-purpose virtual assistants — Annex III point 16. Always-listening microphone = high cybersecurity scrutiny.

Voice data

Voice commands processed locally or in the cloud. Annex I requires data confidentiality.

€149

Per speaker model. Class I documentation for notified body review.

CRA documentation for a Chinese smart speaker with virtual assistant

A virtual assistant listens. CRA requires you to document how you secure what it hears.

Confirm Class I classification

General-purpose virtual assistant = Annex III point 16. If your speaker only plays Bluetooth audio without a VA, it is Default.

Map voice processing architecture

Wake word detection (local vs. cloud), voice command processing, device control protocols, cloud API calls, data retention, encryption.

Generate CRA dossier

Enter specifications into CRACheck. 15-25 minutes.

Engage notified body if needed

Without harmonised standards: Module B+C or Module H.

Document microphone behaviour

Always-listening, wake-word-only, manual activation. Users need clear documentation per Annex II.

Deliver to EU retail channels

Amazon, MediaMarkt, Fnac.

A virtual assistant listens. CRA requires you to document how you secure what it hears.

Smart speaker CRA mistakes

❌

ANNEX III.16

Our speaker uses Alexa/Google — the platform vendor handles CRA

If your smart speaker integrates Alexa or Google Assistant, the platform vendor provides the VA service. But you are the manufacturer of the product with digital elements under Art. 3(13). Your hardware, your firmware, your WiFi module, your microphone, your OTA updates — all are your responsibility. The platform vendor's compliance does not cover your product.

❌

ANNEX I, PART I, 1(c)

Voice data goes to Amazon/Google cloud — we do not process it

Annex I Part I point 1(c) requires protection of data confidentiality. Even if voice processing happens in the platform vendor's cloud, your product transmits the voice data over WiFi. The security of the transmission — encryption, authentication, channel integrity — is your responsibility. Document it.

❌

ART. 13.8

If the platform vendor discontinues the VA service, that is not our problem

Art. 13.8 requires you to declare a support period. If the VA platform is discontinued within your support period, the product loses core functionality. Document the dependency on the platform and what happens to the product if the VA service is discontinued. Annex II requires informing users about the support period.

What each CRACheck dossier contains: 8 documents

Smart speakers with virtual assistants combine audio hardware, microphone privacy, cloud processing and smart home control. CRACheck documents all dimensions.

Product Classifier

Determines product category per Annex III. Defines conformity assessment route under Art. 32.

Technical Documentation

Complete technical documentation structured per Art. 31 and Annex VII. All 8 mandatory sections.

Risk Assessment

Cybersecurity risk assessment per Art. 13.2 and Art. 13.3. Mapped against Annex I Part I requirements.

User Information

Information and instructions per Annex II. Security properties, support period, vulnerability reporting.

Declaration of Conformity

EU declaration of conformity per Art. 28 and Annex V.

CVD Policy

Coordinated Vulnerability Disclosure policy per Annex I Part II.

ENISA Notification Template

Pre-structured for 24h early warning, 72h notification, 14-day final report under Art. 14.

Obligations Calendar

Key dates: Art. 14 from 11 Sep 2026, full enforcement 11 Dec 2027, support period per Art. 13.8.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated in your browser. No product data is transmitted to any server.

What you pay for smart speaker CRA documentation

🧾 SMART HOME CERTIFICATION + CRA CONSULTANCY

€10,000–€20,000

Per speaker platform. 3-6 months.

✓ CRACHECK

€149

8 CRA documents. 15 min. Class I documentation.

Your product vs. the platform vendor

● LAYER 1

What CRACheck does

Generates Annex VII documentation for your smart speaker. Covers microphone, voice processing, cloud integration, device control, WiFi security and OTA updates.

∅ LAYER 2

What CRACheck does NOT do

CRACheck does not audit the VA platform (Alexa, Google, proprietary), assess voice data retention policies or test microphone privacy. CRA covers your product's cybersecurity. Platform-level compliance is the platform vendor's responsibility.

We document your product. The platform vendor documents their service.

CRA penalty regime — Article 64 of Regulation (EU) 2024/2847

Article 64 establishes three tiers of administrative fines. Penalties are calculated per undertaking — but non-compliance on a single product can trigger inspection of your entire portfolio.

🇪🇺

Non-compliance with essential cybersecurity requirements (Annex I) and Art. 13/14 obligations

€15M / 2.5%

Art. 64.2. Up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher.

🇪🇺

Non-compliance with technical documentation (Art. 31), authorised representative (Art. 18), conformity assessment (Art. 32)

€10M / 2%

Art. 64.3. Up to €10 million or 2% of total worldwide annual turnover, whichever is higher. Includes failure to produce Annex VII documentation.

🇪🇺

Supply of incorrect, incomplete or misleading information to authorities

€5M / 1%

Art. 64.4. Up to €5 million or 1% of total worldwide annual turnover, whichever is higher.

Art. 64.5 accounts for the nature, gravity and duration of the infringement, and gives consideration to microenterprises, small and medium-sized enterprises, including start-ups.

Alternatives

Alternative	Cost	What you get
Smart home certification consultancy	€10,000–€20,000	Per platform. 3-6 months.
Rely on Alexa/Google Works With certification	€0 additional	Works With certification covers interoperability, not CRA cybersecurity.
Classify as Default (incorrect for VA)	€0	Annex III.16 = Class I. Incorrect classification = non-compliance.
CRACheck	€149	8 docs. 15 min. Class I documentation for smart speaker VA.

Your speaker line includes multiple models with VA?

Compact speaker, display speaker, soundbar with VA — each model with different hardware or firmware needs its own dossier. Volume pricing: €99/product (10-pack), €79/product (30-pack).

Request volume pricing

Response within one business day.

What CRACheck guarantees and what it does not

CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, completeness and truthfulness of that information is your responsibility as the manufacturer.

We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct as of the last verification date. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case or by a commercial buyer in a procurement process.

CRACheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.

Frequently asked questions

Is a Bluetooth speaker without a virtual assistant Class I?

No. Annex III point 16 covers "smart home general purpose virtual assistants." A Bluetooth speaker that only plays audio from a paired device, without voice assistant, smart home control or internet connectivity, may not even be a product with digital elements (if Bluetooth is used only for audio streaming without data processing). If it has WiFi and an app but no VA, it is Default.

Does a speaker with Alexa Built-in require separate CRA documentation from a speaker with Google Assistant?

If both models share the same hardware, firmware and WiFi security implementation, the CRA documentation covers the product-level cybersecurity regardless of the VA platform. The VA platform is a third-party component documented under Art. 13.5. If the models differ in hardware or firmware, separate documentation is needed.

What if our speaker also has a screen (smart display)?

A smart display with VA is still classified under Annex III point 16. The screen adds a visual interface but does not change the classification. Document the additional attack surface (browser, video calls, camera if present).

Does the CRA require us to let users delete voice recordings?

The CRA does not explicitly mandate data deletion features — that is GDPR territory (Art. 17 right to erasure). However, Annex I Part I point 1(f) requires data minimisation, and Annex II requires informing users about data handling. If your speaker retains voice recordings, document the retention policy and deletion mechanism.

Is this a subscription?

No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours to keep.

Can I request a refund?

Pursuant to Art. 16(m) of Directive (EU) 2011/83 on consumer rights, by activating the licence you give express consent for the immediate generation of the digital content, waiving the 14-day withdrawal period. Refunds are accepted only for reproducible technical failures.

What if the regulation changes?

If the regulation changes during the validity of your licence, you can regenerate the document with the updated version of the generator at no additional cost.

Official legal sources

Regulation (EU) 2024/2847 — Annex III, point 16

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.