CRA Compliance Checklist: Assistive Technologies & AAC Devices
Default — most assistive technologies and AAC devices not classified as medical devices are in full CRA scope; MDR-classified devices may be excluded
Assistive technologies and augmentative and alternative communication (AAC) devices serve users with disabilities and complex communication needs. Products not classified as medical devices under MDR fall fully within CRA scope. Given the vulnerable user population and the critical dependency of users on these devices, security and continuity requirements are especially important. Manufacturers must balance rigorous security with accessibility and usability needs.
1. Scope & Classification
Determine whether each assistive technology product is classified as a medical device under MDR — if not, full CRA applies
Communication aids, environmental control systems, and mobility aids with digital elements may or may not be MDR medical devices. Verify using MDCG 2019-16. Many AAC devices are not MDR-classified.
Consider the EU Accessibility Act (2019/882) interaction — assistive technologies must also meet accessibility requirements
The European Accessibility Act imposes accessibility requirements on assistive technology products. CRA security requirements must be implemented without creating accessibility barriers.
Compile a full SBOM covering AAC device firmware, communication software, symbol library, and cloud synchronisation components
AAC devices run complex software including symbol engines, text-to-speech, language models, and cloud sync. All components must be tracked in the SBOM.
2. Product Security (Annex I Part I)
Implement accessible authentication mechanisms that do not create barriers for users with motor or cognitive impairments
Security authentication must be accessible. Consider switch-scanning PIN entry, caregiver-managed profiles, and alternative authentication methods that do not exclude the user population.
Encrypt all user communication data, vocabulary profiles, and personal settings at rest and in transit
AAC user vocabulary and communication patterns are sensitive personal data. Encrypt device storage and all cloud synchronisation communications.
Implement over-the-air updates with user-controlled timing to prevent disruption of critical communication scenarios
For AAC users, a device restart or update at the wrong moment can prevent critical communication. Implement user-scheduled updates with clear notifications and allow deferral.
Apply data minimisation — collect only vocabulary, usage, and configuration data necessary for product function
AAC devices capture intimate communication patterns. Collect only what is needed for device function. Do not share user communication data with third parties without explicit consent.
3. CVD Policy & Vulnerability Handling
Publish a CVD policy with a dedicated security contact and accessible reporting mechanism
Security vulnerabilities in assistive devices can directly impact vulnerable users. A responsive CVD process must be in place. Ensure the reporting mechanism itself is accessible.
Define a security support lifecycle appropriate to the needs of users who depend on specific devices for communication
AAC users often develop extensive vocabularies and rely on specific devices for years. A minimum 5-year security support period from last sale is appropriate. Consider extended support for users in long-term dependency.
Provide security patches that can be applied by caregivers or support workers — not all AAC users can manage updates themselves
Security updates must be manageable by caregivers and support staff with varying technical skills. Provide clear instructions and, where possible, automated update mechanisms.
4. Article 14 Incident Reporting
Define Article 14 triggers — focus on incidents affecting AAC device availability, communication data exposure, or remote control of the device
Exploitation that disables an AAC device or exposes a user's communication patterns is a serious incident. Define your triggers and ensure rapid escalation.
Coordinate Article 14 and GDPR breach notification — AAC communication data is sensitive personal data
Communication data from AAC users may constitute health or disability-related special category data. A breach may trigger both CRA Article 14 and GDPR Article 33 breach notification.
5. CE Marking & Technical Documentation
Prepare CRA technical file demonstrating that security measures do not create accessibility barriers
Document the accessibility considerations made in implementing security requirements. Market surveillance authorities should see evidence that security and accessibility have been balanced.
Issue EU Declaration of Conformity referencing the CRA — and European Accessibility Act where applicable
A single DoC can reference both the CRA and European Accessibility Act. Coordinate compliance documentation across both regulatory frameworks.
Frequently asked
Our AAC app runs on a standard tablet — is the app in scope for CRA even though we don't make the hardware?
Yes. Standalone software products with digital elements are in scope for the CRA. An AAC app published on the EU market is a software product subject to CRA requirements regardless of the underlying hardware. You must publish a CVD policy, maintain an SBOM, provide security updates, and issue a Declaration of Conformity for your software.
Our assistive device is prescribed by healthcare professionals — does it qualify as an MDR medical device?
Prescription or clinical recommendation alone does not make a device an MDR medical device. The determining factor is the intended purpose — whether the device is intended for diagnosis, prevention, monitoring, treatment, or alleviation of a medical condition. Many assistive technologies (communication aids, environmental controls) do not have a medical intended purpose and are not MDR-classified.
How do we handle security updates for AAC users who cannot manage device updates themselves?
The CRA requires security updates to be available and applicable. For AAC users with high support needs, implement a caregiver-managed update system with clear notifications and instructions for support workers. Cloud-connected devices may support silent background updates during idle periods. Clearly document the update process in accessible formats for both users and carers.
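The update-timing rule from the over-the-air update item in section 2 and from the answer above can be expressed as a small gate that the update client consults before installing. This is an added example, not part of the original checklist or any vendor's code; the field names, the 30-minute idle threshold, the mains-power check and the escalation to a caregiver after three deferrals are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# All names and thresholds below are assumptions for illustration.
IDLE_BEFORE_INSTALL = timedelta(minutes=30)  # no input or speech output for this long
ESCALATE_AFTER_DEFERRALS = 3                 # then notify the caregiver as well

@dataclass
class DeviceState:
    last_interaction: datetime  # last switch/touch/eye-gaze input or speech output
    speaking: bool              # text-to-speech currently active
    on_mains_power: bool        # avoid a power loss in the middle of a firmware write
    deferrals: int              # times the user or caregiver chose "later"
    window_start: time          # update window chosen by the user or caregiver
    window_end: time

def in_window(now: datetime, start: time, end: time) -> bool:
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end  # window crosses midnight, e.g. 23:00-05:00

def decide(now: datetime, s: DeviceState) -> dict:
    """Decide what to do with a pending update; never restart a device in use."""
    idle = now - s.last_interaction >= IDLE_BEFORE_INSTALL
    notify = ["user"]
    if s.deferrals >= ESCALATE_AFTER_DEFERRALS:
        notify.append("caregiver")
    if s.speaking or not idle:
        return {"action": "defer", "reason": "device in use", "notify": notify}
    if not in_window(now, s.window_start, s.window_end):
        return {"action": "defer", "reason": "outside chosen window", "notify": notify}
    if not s.on_mains_power:
        return {"action": "defer", "reason": "on battery", "notify": notify}
    return {"action": "install", "reason": "idle inside chosen window", "notify": notify}

def demo():
    base = dict(speaking=False, on_mains_power=True, deferrals=0,
                window_start=time(23, 0), window_end=time(5, 0))
    night = datetime(2025, 1, 10, 2, 0)  # constructed timestamp
    idle = DeviceState(last_interaction=night - timedelta(hours=3), **base)
    busy = DeviceState(last_interaction=night - timedelta(minutes=2), **base)
    overdue = DeviceState(last_interaction=night - timedelta(minutes=2),
                          **{**base, "deferrals": 4})
    return decide(night, idle), decide(night, busy), decide(night, overdue)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The gate only ever defers or installs; a device that is speaking or was used in the last 30 minutes is never restarted, and repeated deferrals widen the notification to the caregiver rather than forcing the install.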