CRA Compliance

CRA Compliance Checklists by Product Category

Free, niche-specific compliance checklists for EU manufacturers of products with digital elements. Covers classification, security requirements, CVD obligations, and Article 14 reporting. Deadline: September 2026.

10 product categories covered6 sectorsFree to use · No signup required

Consumer Electronics

Consumer Routers & Modems

Consumer routers and modems are high-value targets for attackers and face specific CRA requirements around default credentials, remote management security, and firmware update integrity. Routers marketed for home use are Default class; those marketed for industrial or critical infrastructure use may be Annex III Class II.

Default Class for consumer use

View checklist →

Smart Home Devices

Smart home devices — thermostats, smart speakers, lighting controllers, home security cameras — are among the most common products with digital elements in scope for the CRA. Most will fall into the Default class requiring self-assessment, but devices with gateway functionality may be classified as Important Class I.

Default Class (self-assessment)

View checklist →

Wearable Devices & Fitness Trackers

Wearable devices — fitness trackers, smartwatches, and health monitors — collect sensitive biometric and health data and are in scope for the CRA as products with digital elements. Unlike medical devices regulated under MDR, general fitness wearables are not excluded from the CRA and must comply with all Annex I security requirements, including data minimisation, encrypted transmission, and secure update mechanisms.

Default Class (self-assessment)

View checklist →

Industrial & Manufacturing

Building Automation & Smart Buildings

Building automation systems (BAS/BMS) control HVAC, lighting, access, fire safety, and energy management across commercial and industrial buildings. Most BAS components are Default class under the CRA, but those deployed in hospitals, data centres, and other critical facilities may be treated as critical infrastructure components. The BACnet and Modbus protocols widely used in BAS were not designed with security in mind — CRA compliance requires significant attention to protocol security and access control.

Default Class to Important Class I

View checklist →

Industrial Controllers & PLCs

Industrial controllers, PLCs, and SCADA components are classified as Important Class II under Annex III of the CRA, requiring third-party conformity assessment. These products have long operational lifetimes (10–20+ years), network connectivity, and significant safety implications. CRA compliance must be planned well in advance of the September 2026 deadline.

Important Class II (Annex III)

View checklist →

IoT Sensors & Connected Devices

IoT sensors — temperature, humidity, pressure, flow, and motion sensors — are the backbone of industrial and building automation. Most fall into the Default CRA class, but their constrained hardware often makes meeting Annex I security requirements challenging. Manufacturers must plan for secure update mechanisms even on resource-constrained devices.

Default Class (self-assessment)

View checklist →

Healthcare

Medical Devices

Medical devices regulated under the EU Medical Device Regulation (MDR) or In Vitro Diagnostic Regulation (IVDR) are generally excluded from the CRA. However, software products used in healthcare that are not classified as medical devices under MDR may fall within CRA scope. Manufacturers should carefully verify their product's regulatory classification.

Excluded from CRA if covered by MDR/IVDR

View checklist →

Networking & IT

Enterprise Networking Equipment

Enterprise networking equipment — switches, firewalls, load balancers, and network management systems — spans multiple Annex III classifications. Hardware firewalls are Class II Important products; network management software and monitoring tools are Class I Important products. Both require third-party conformity assessment.

Important Class I (network management tools) or Class II (hardware firewalls)

View checklist →

Automotive & Transport

EV Charging Equipment

EV charging equipment sits at the intersection of energy infrastructure, payment systems, and connected vehicles — making it a high-priority CRA compliance target. Residential chargers are typically Default class, while public charging networks connected to grid management systems may be classified as critical infrastructure under NIS2 and face Annex III Important product classification under the CRA. The OCPP (Open Charge Point Protocol) ecosystem introduces supply chain complexity that manufacturers must address.

Important Class I or II depending on deployment context

View checklist →

Safety & Security

Smart Cameras & Video Surveillance

Smart cameras and IP video surveillance systems are frequently compromised via default credentials and unpatched firmware — they were among the first device classes targeted by Mirai and similar botnets. The CRA's prohibition on default passwords and requirement for secure update mechanisms directly target these failure modes. Manufacturers must also consider GDPR obligations around video data and the NIS2 implications for critical infrastructure deployments.

Default Class for consumer cameras

View checklist →

Ready to meet your CRA obligations?

CVD Portal provides a complete vulnerability disclosure programme — submission portal, Article 14 deadline tracking, and CSAF advisory generation. Free for EU manufacturers.

Set up your free portal