
IEC 62443 is a series of international standards for the security of industrial automation and control systems. Regulation (EU) 2024/2847 (CRA) is a mandatory EU regulation requiring product-level cybersecurity documentation. They are not the same thing. IEC 62443 addresses security capabilities and processes for industrial products and systems. The CRA requires specific documentation under Article 31 and Annex VII, a structured cybersecurity risk assessment under Article 13, an EU Declaration of Conformity under Article 28, and vulnerability notification to ENISA under Article 14. IEC 62443 conformity does not automatically produce any of these documents. CRACheck generates them.

The relationship between IEC 62443 and the CRA is potential alignment, not equivalence. Annex VII point (5) of the CRA requires the manufacturer to list "harmonised standards applied in full or in part" or "descriptions of the solutions adopted to meet the essential cybersecurity requirements." If the European Commission publishes harmonised standards that reference IEC 62443 concepts, IEC 62443 conformity could support a presumption of conformity with certain Annex I requirements. But as of the date of this page, IEC 62443 is not a CEN/CENELEC harmonised standard cited in the Official Journal for purposes of the CRA. It is a valuable technical framework — and CRACheck allows you to document IEC 62443 compliance as part of the "other relevant technical specifications applied" in Annex VII point (5). €149. 15–25 minutes. 8 PDFs.


€149 one-time payment per product · 8 PDF documents in ZIP · 15–25 minutes · 100% in your browser


Key facts

Mandatory vs voluntary: CRA = EU regulation (mandatory). IEC 62443 = international standard (voluntary).
Annex VII §5: CRA allows citing IEC 62443 as a "relevant technical specification" in the documentation.
€15M: Maximum CRA fine under Art. 64(2) — no IEC 62443 certificate exempts from this.

How CRACheck bridges IEC 62443 practices to CRA documentation

1. Product identification: You enter your industrial product type, IEC 62443 security level target (SL-T), and component security capabilities.
2. Annex I mapping: CRACheck maps the 21 CRA Annex I requirements against your product. Many IEC 62443-4-2 foundational requirements (FR) align with CRA Annex I requirements: FR1 (access control) ↔ Annex I (2)(d), FR2 (use control) ↔ Annex I (2)(d), FR3 (system integrity) ↔ Annex I (2)(f), FR4 (data confidentiality) ↔ Annex I (2)(e), FR7 (resource availability) ↔ Annex I (2)(h).
3. Standards declaration: In the Annex VII §5 section, you declare IEC 62443 as a "relevant technical specification applied" and specify the parts (62443-4-1 for secure development lifecycle, 62443-4-2 for component security requirements). CRACheck structures this in the format Annex VII requires.
4. Gap documentation: CRA requirements not covered by IEC 62443 — including SBOM (Annex I Part II point 1), CVD policy (Part II point 5), ENISA notification (Art. 14), and user information (Annex II) — are documented separately in the CRACheck dossier.
5. Output: 8 PDFs. The Technical Documentation references IEC 62443 where applicable and documents CRA-specific requirements independently.

IEC 62443 demonstrates technical cybersecurity competence. The CRA file demonstrates regulatory compliance. CRACheck generates the regulatory file.

Common mistakes with IEC 62443 and CRA

ANNEX VII · §5

Treating IEC 62443 certification as CRA compliance

An IEC 62443-4-2 certificate demonstrates component security capability against the standard. It does not produce the CRA Annex VII technical documentation, the Article 13 risk assessment, the Article 28 Declaration of Conformity, or the Article 14 notification template. The CRA file is a separate deliverable.

HARMONISED STANDARD

Assuming IEC 62443 is a harmonised standard under the CRA

A harmonised standard under the CRA must be a European standard (EN) adopted by CEN/CENELEC and published in the Official Journal of the European Union. IEC 62443 is an international standard published by IEC/ISA. It may inform future harmonised standards, but it is not one as of the date of this page. Annex VII §5 allows citing it as an "other relevant technical specification."

CRA · ANNEX I PART II

Overlooking CRA-specific obligations not addressed by IEC 62443

The CRA requires: (1) an SBOM in machine-readable format (Annex I Part II point 1), (2) a coordinated vulnerability disclosure policy (Part II point 5), (3) ENISA vulnerability notification within 24 hours (Article 14), (4) user information including support period end-date (Annex II point 7). IEC 62443 does not specify these requirements.

8 CRA documents — referencing IEC 62443 in Annex VII §5

CRACheck generates the CRA documentation, referencing IEC 62443 in the standards section and documenting CRA-specific requirements independently.

1. Product Classifier: Annex III / Annex IV classification. Conformity assessment module.
2. Technical Documentation: Art. 31 + Annex VII. Complete dossier.
3. Risk Assessment: Art. 13(2)–(3). Cybersecurity risk assessment against Annex I.
4. User Information: Annex II. 9 required information points.
5. Declaration of Conformity: Art. 28 + Annex V. Ready for signature.
6. CVD Policy: Annex I Part II point (5). Coordinated vulnerability disclosure.
7. Notification Template: Art. 14. ENISA 24h/72h/14d notification.
8. Obligations Calendar: Key dates and milestones.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated in your browser. No data leaves your device.

IEC 62443 certification + CRA documentation: cost comparison

IEC 62443 certification + CRA gap assessment: €20,000–€50,000. IEC 62443 certification: €15,000–€40,000. CRA gap assessment: €5,000–€10,000.

CRACheck: €149. CRA documentation file. Reference your existing IEC 62443 certification in Annex VII §5. Fill the CRA-specific gaps (SBOM, CVD, ENISA notification, user information) in the same session.

Two layers of compliance

Layer 1: What CRACheck does

CRACheck generates the CRA Annex VII file, referencing IEC 62443 in the standards section and documenting CRA-specific requirements independently. The dossier includes risk assessment, Declaration of Conformity, CVD policy, ENISA notification template, and obligations calendar.

Layer 2: What CRACheck does NOT do

CRACheck does not perform IEC 62443 assessment. It does not issue IEC 62443 certificates. It does not replace IEC 62443 security testing or validation. IEC 62443 conformity is an engineering and certification process; CRACheck produces the regulatory documentation that exists alongside it.

IEC 62443 proves capability. The CRA file proves regulatory compliance. Both exist in parallel.

Enforcement regime

CRA: Annex I cybersecurity non-compliance. €15M / 2.5%. Art. 64(2) of Regulation (EU) 2024/2847.

CRA: Documentation and conformity assessment failures. €10M / 2%. Art. 64(3) of Regulation (EU) 2024/2847.

CRA: Misleading information to authorities. €5M / 1%. Art. 64(4) of Regulation (EU) 2024/2847.

No IEC 62443 certificate exempts from CRA penalties.

CRA vs IEC 62443 — comparison

| Criterion | IEC 62443 | CRA (Reg. 2024/2847) | CRACheck scope |
|---|---|---|---|
| Nature | International standard (voluntary) | EU Regulation (mandatory) | Mandatory documentation |
| Scope | Industrial cybersecurity capabilities | All products with digital elements | Per product |
| Documentation | IEC 62443 certificate + report | Art. 31 + Annex VII file | Generates Annex VII |
| SBOM | Not specified | Annex I Part II point (1) | Documented in dossier |
| ENISA notification | Not applicable | Art. 14 (24h/72h/14d) | Notification template |
| CVD policy | IEC 62443-4-1 partially addresses | Annex I Part II point (5) | Generated as PDF |

Industrial product family with IEC 62443 coverage?

Each product variant needs its own CRA file. Volume pricing: Pack of 10: €99. Pack of 30: €79.

Commercial enquiries via hello@solidwaretools.com

What CRACheck guarantees and what it does not

CRACheck generates a structured document set according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, completeness, and truthfulness of that information is your responsibility as the manufacturer.

We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct. We do not guarantee that a specific document will be accepted by a market surveillance authority in a particular case.

CRACheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.

Frequently asked questions — CRA and IEC 62443

Will IEC 62443 become a harmonised standard under the CRA?
The European Commission may request CEN/CENELEC to develop harmonised standards referencing IEC 62443 concepts. The resulting European standards (e.g., EN IEC 62443-4-2) would need to be published in the Official Journal to create a presumption of conformity with CRA Annex I. This process is underway but not complete as of the date of this page.

If I have IEC 62443-4-2 SL-2 certification, which CRA Annex I requirements does it help demonstrate?
IEC 62443-4-2 foundational requirements overlap with several CRA Annex I requirements: FR1 (access control) aligns with Annex I (2)(d), FR3 (system integrity) with (2)(f), FR4 (data confidentiality) with (2)(e), FR7 (resource availability) with (2)(h). However, the CRA requires additional elements not in 62443-4-2: SBOM, ENISA notifications, user information under Annex II, and the specific documentation format of Annex VII.

Can I reference my IEC 62443 certification in the CRA Annex VII file?
Yes. Annex VII point (5) allows the manufacturer to list "other relevant technical specifications applied" alongside harmonised standards. Your IEC 62443 certification is a technical specification that supports your demonstration of Annex I compliance. CRACheck provides the structured field for this reference.

Does the CRA apply to industrial automation systems not sold to consumers?
Yes. CRA Article 2(1) applies to all products with digital elements made available on the market with a data connection. Industrial products sold B2B are within scope. The CRA does not distinguish between consumer and industrial products — it applies to all products with digital elements placed on the EU market.

Is this a subscription?
No. One-time payment. The licence includes a 30-day editing window and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?
Under Article 16(m) of Directive (EU) 2011/83, by activating the licence you give express consent for the immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are accepted only for reproducible technical defects.

What if the regulation changes?
If the regulation is amended during the validity of your licence, you can regenerate the document with the updated version of the generator at no additional cost.

Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

IEC 62443 proves capability. The CRA file proves compliance. Generate it.

Last regulatory check: 2 May 2026 · No substantive changes detected