Does CRA apply to IoT devices already on the EU market before December 2027?

Products placed on the EU market before the enforcement date are not retroactively subject to CRA. However, any product placed on the market from 11 December 2027 onward must comply, including existing models still being manufactured and shipped. If you continue exporting the same device model after that date, it must have CRA documentation.

What support period applies to our IoT device?

Article 13(8) of Regulation (EU) 2024/2847 requires the manufacturer to determine a support period proportionate to the expected product lifetime. The support period must be at least 5 years unless the product's expected usage time is shorter. During this period, you must provide security updates and handle vulnerabilities per Part II of Annex I.

Our device uses third-party firmware modules. Who is responsible for their CRA compliance?

Article 13(5) requires the manufacturer to exercise due diligence when integrating third-party components. You remain the manufacturer of the final product and bear responsibility for the entire product's compliance, including components you sourced from third parties. You should obtain CRA documentation or compliance evidence from your component suppliers.

Do we need a notified body for our IoT device?

It depends on classification. Default category products use self-assessment (Module A). Important Class I products can use Module A if harmonised standards apply, otherwise Module B+C or Module H. Important Class II and Critical products require notified body involvement per Article 32(3). CRACheck's Product Classifier determines your path.

Our EU importer is asking for CRA documentation now, before the enforcement date. Is that normal?

Yes. Importers are preparing their supply chains early because Article 19 obligates them to verify manufacturer compliance before placing products on the EU market. An importer who waits until December 2027 to request documentation from all suppliers risks supply chain disruption. Early preparation is standard practice.

Is CRACheck a subscription?

No. One-time payment. 30 days of editing, 10 regenerations. The PDF is yours to keep.

Can I request a refund?

Per Article 16(m) of Directive (EU) 2011/83, activating the license constitutes express consent for immediate generation, waiving the 14-day withdrawal right. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate with the updated generator version at no additional cost during your license period.

You manufacture IoT devices in the United States and export them to European distributors. Article 13 of Regulation (EU) 2024/2847 makes you responsible for the technical documentation, the cybersecurity risk assessment, and the declaration of conformity — not your EU importer. Your European buyer will ask for these documents before placing the next order. CRACheck generates them.

The Cyber Resilience Act applies to all products with digital elements placed on the EU market, including hardware manufactured in the United States (Article 2(1)). An IoT device with firmware and a cloud backend is a product with digital elements plus remote data processing under Article 3(1)-(2). The manufacturer — the company that designed and developed the product — bears the documentation obligations under Article 13, regardless of establishment. CRACheck generates the 8 documents required under Article 31 + Annex VII in 15-25 minutes for €149 per product. All processing runs in your browser.

Generate CRA documentation — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

€15,000,000

Maximum fine for non-compliance with essential cybersecurity requirements (Art. 64(2))

5 years

Minimum expected support period for security updates after placing the product on the market (Art. 13(8))

15–25 min

Time to generate 8 CRA documents per product with CRACheck

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Identify your product

Enter device name, model, firmware version, manufacturer legal entity, and US headquarters address. If you have an EU authorized representative under Article 18, include their details.

Classify under Annex III

CRACheck determines if your IoT device is Default, Important Class I (e.g., routers, smart home systems with security function), Important Class II, or Critical. Classification determines the conformity assessment path.

Describe hardware and firmware

Enter processor type, connectivity protocols (WiFi, Bluetooth, Zigbee, cellular), sensor types, firmware update mechanism (OTA or manual), and third-party libraries.

Map cloud/remote processing

If your device communicates with a cloud backend, describe the data flows, APIs, and what functions require the remote connection. This defines the CRA's remote data processing boundary.

Generate risk assessment

Cybersecurity risk analysis per Article 13(2)-(3) covering IoT-specific threats: firmware tampering, unencrypted data transmission, default credentials, physical interface attacks, and supply chain compromise.

Produce full dossier

8 PDFs covering technical documentation, risk assessment, declaration of conformity, user information, CVD policy, ENISA notification template, and obligations calendar.

Share with your EU importer

Your importer needs to verify your documentation exists before placing your product on the EU market (Article 19(2)(b)). CRACheck gives them the documents they need to confirm.

Common mistakes

❌

MANUFACTURER VS IMPORTER

"Our EU distributor will handle CRA compliance for us"

Article 13 assigns technical documentation, risk assessment, and conformity obligations to the manufacturer. Article 19 assigns verification obligations to the importer: they must confirm you have done your work before placing the product on the EU market. If you have not produced the Article 31 documentation, your importer cannot legally import your device. The importer does not produce your documents — they verify yours exist.

❌

REGULATORY MISMATCH

"We already have FCC Part 15 and UL certification — that should cover EU requirements"

FCC Part 15 covers electromagnetic interference. UL covers electrical safety. Neither addresses cybersecurity documentation. The Cyber Resilience Act requires a cybersecurity risk assessment (Art. 13), essential security requirements (Annex I), user information on security properties (Annex II), and a specific technical documentation structure (Annex VII). These are distinct from and additional to FCC and UL requirements.

❌

SCOPE UNDERESTIMATION

"Our device is simple — just a sensor with WiFi. CRA is for complex products"

Article 2(1) covers any product with a direct or indirect data connection. A WiFi-connected sensor transmitting data to a cloud platform is a product with digital elements under Article 3(1). Complexity does not determine scope — connectivity does. Even a simple temperature sensor with a WiFi chip and OTA firmware updates must meet CRA requirements.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Determines your IoT device's Annex III category. Devices with network management functions or that serve as smart home hubs may classify as Important Class I.

Technical Documentation

Art. 31 + Annex VII dossier covering hardware design, firmware architecture, connectivity protocols, cloud integration, supply chain components, and conformity assessment references.

Risk Assessment

IoT-specific cybersecurity risk analysis: firmware integrity, OTA update security, default credential risks, physical attack vectors, data-in-transit protection, and cloud backend dependencies.

User Information

Annex II document for IoT end users: device security properties, update procedure, factory reset instructions, data handling disclosure, and manufacturer support contact.

Declaration of Conformity

Article 28 + Annex V formal declaration for your IoT product. Accompanies the CE marking required under Article 30.

CVD Policy

Vulnerability disclosure policy for hardware manufacturers: how researchers report firmware bugs, your response timeline, and coordinated disclosure process.

Notification Template

ENISA notification structure per Article 14 adapted for IoT incidents: firmware exploits, botnet recruitment, data exfiltration through compromised devices. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

IoT-specific timeline: Art. 14 reporting from September 2026, full enforcement December 2027, 5-year support period calculation per Article 13(8).

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 EU IoT REGULATORY CONSULTANT

€10,000–€25,000

8-16 weeks. Requires shipping device samples and firmware documentation overseas. Multiple revision cycles.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history