Healthcare · Deadline: September 2026

CRA Compliance Checklist: Health Monitoring Wearables

CRA Classification: Health monitoring wearables not classified as medical devices under MDR are in full CRA scope; the MDR carve-out does not apply. Before treating the product as Default class, check Annex III Class I point 19, which lists personal wearables with a health monitoring purpose to which MDR/IVDR do not apply, so most such products are "important products" rather than Default.

Health monitoring wearables — fitness trackers, smartwatches with health sensors, sleep monitors, and consumer ECG devices not classified as medical devices under MDR — are fully in scope for the CRA. Unlike regulated medical devices, these consumer health products cannot claim the MDR exclusion and must meet all CRA requirements. The combination of sensitive health data and consumer deployment makes security practices critical.

15 checklist items · 13 high priority · Deadline: September 2026 · Sector: Healthcare

1. Scope & Classification

Verify the product is not classified as a medical device under MDR 2017/745 — if not MDR-classified, full CRA applies

Priority: high · Article 2(2)(a), CRA

Consumer fitness trackers, wellness wearables, and health monitoring devices without a medical intended purpose are not MDR-classified. They do not benefit from the CRA MDR exclusion and are fully in scope. Record the intended-purpose decision with evidence (product claims, app copy, marketing material), because the MDR boundary is set by the declared intended purpose, not by the sensors fitted.

Assess whether the wearable falls under Annex III Class I point 19 (personal wearables with a health monitoring purpose outside MDR/IVDR) and whether any AI-based health inference also brings it under the EU AI Act

Priority: medium · Annex III, Class I

Annex III Class I explicitly lists personal wearable products worn or placed on the body that have a health monitoring (e.g. tracking) purpose and to which MDR or IVDR do not apply, so a consumer health wearable is usually an "important product" rather than Default class. Important products follow the Article 32 conformity assessment routes: internal control is available only where harmonised standards, common specifications or a European cybersecurity certification scheme are applied in full; otherwise third-party assessment is required. If the device incorporates AI making health-relevant inferences, also review the EU AI Act high-risk classification for health AI.

Compile a full SBOM covering wearable firmware, companion app, Bluetooth stack, health sensor SDKs, and cloud platform components

Priority: high · Article 10(6)

Health wearables have complex stacks: embedded firmware (RTOS, BLE stack, sensor drivers), iOS/Android companion app and its SDKs, cloud health platform, and third-party health algorithms. All are in scope, including transitive dependencies, and the SBOM must record the exact versions actually shipped so that a vulnerability in a BLE stack or analytics SDK can be matched to affected units.

2. Product Security (Annex I Part I)

Implement end-to-end encryption for all health data — on-device storage, Bluetooth transmission, and cloud sync

Priority: high · Annex I, Part I(3)

Health data is special category personal data under GDPR Article 9. Encrypt at rest (device flash and cloud) and in transit (Bluetooth, API). Use an authenticated mode such as AES-256-GCM for storage, keep keys in the device's secure element or the phone's OS keystore, and use TLS 1.3 for the API. Do not rely on Bluetooth link-layer encryption alone: legacy pairing modes give no protection against an active attacker, so encrypt health payloads at the application layer before they reach the Bluetooth stack, and require LE Secure Connections for pairing.
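The storage side of this item, as an added example (not code from the original page or from any particular wearable vendor): one health sample is encrypted with AES-256-GCM, the owner identifier is passed as additional authenticated data so a ciphertext copied to another account or device cannot be opened, and a fresh random nonce is used per record. The 32-byte key is assumed to come from a secure element or OS keystore; here it is generated in memory only to make the example run offline, and the sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is one stored health sample. The GCM tag is appended to Ciphertext.
type Record struct {
	Nonce      []byte
	Ciphertext []byte
}

// newGCM wraps the key in an AEAD. A 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a sample and binds it to ownerID via additional authenticated
// data. ownerID is authenticated but not encrypted, so it can still be used as
// a storage index.
func Seal(key []byte, ownerID string, plaintext []byte) (Record, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // 12 bytes, never reused under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Record{}, err
	}
	return Record{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, []byte(ownerID))}, nil
}

// Open decrypts and authenticates a record. Any change to nonce, ciphertext,
// tag or ownerID makes it fail before returning a single plaintext byte.
func Open(key []byte, ownerID string, r Record) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, r.Nonce, r.Ciphertext, []byte(ownerID))
}

// Demo returns whether a genuine round trip succeeds, and the errors produced
// by opening the record under a different owner and after tampering.
func Demo() (roundTrip bool, crossOwner, tampered error) {
	key := make([]byte, 32) // hypothetical stand-in for a secure-element key
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	sample := []byte(`{"ts":1718000000,"hr":72,"spo2":97}`) // constructed sample

	rec, err := Seal(key, "user-0001", sample)
	if err != nil {
		panic(err)
	}
	got, err := Open(key, "user-0001", rec)
	roundTrip = err == nil && string(got) == string(sample)

	_, crossOwner = Open(key, "user-0002", rec) // same key, wrong owner

	bad := Record{Nonce: rec.Nonce, Ciphertext: append([]byte(nil), rec.Ciphertext...)}
	bad.Ciphertext[0] ^= 0x01 // flip one bit of the stored ciphertext
	_, tampered = Open(key, "user-0001", bad)
	return
}

func main() {
	ok, cross, tamp := Demo()
	fmt.Println("round trip:", ok, "| cross-owner:", cross, "| tampered:", tamp)
}
```

Binding the owner as AAD is what turns "encrypted at rest" into "encrypted for this user": with a shared storage key and no AAD, a record copied between accounts would decrypt cleanly.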

Require explicit user authentication before health data can be accessed via the companion app or cloud portal

Priority: high · Annex I, Part I(2)

Health data must not be accessible without user authentication. Implement biometric or PIN unlock on companion apps, expire sessions so a lost phone does not remain a permanent reader of the data, and require re-authentication for export and sharing actions. Cloud portals must support MFA.

Apply data minimisation — only collect health metrics required for the product's documented functionality

Priority: high · Annex I, Part I(4)

Collect only the health data needed for declared product functions. Do not collect ancillary health metrics, location data, or usage analytics beyond what is necessary and disclosed.

Implement over-the-air firmware update with cryptographic signature verification

Priority: high · Annex I, Part I(9)

Wearable firmware updates are routine. Sign every image with a key held off-device (in an HSM or the build pipeline's signing service) and verify the signature on the device, against a public key stored in immutable memory, before the image is written to flash or booted. Pair the check with a monotonic version counter so a validly signed but older image cannot be reinstalled to reintroduce a fixed vulnerability. Transport security (TLS, BLE pairing) does not substitute for image signing, because the phone and companion app sit outside the device's trust boundary and can be compromised or impersonated.
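The device-side check described above, as an added example that is not code from the original page or from any wearable vendor's bootloader: the build side signs SHA-256(version || image) with Ed25519, and the device verifies the signature with its embedded public key before applying an anti-rollback comparison against the installed version. Key generation, the update layout and the firmware bytes are hypothetical and constructed so the example runs offline; on a real device the public key would live in ROM or OTP and the private key would never leave the signing service.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a hypothetical OTA package: a version, the image, and an Ed25519
// signature over SHA-256(version || image).
type Update struct {
	Version uint32 // monotonically increasing, used for anti-rollback
	Image   []byte
	Sig     []byte
}

var (
	ErrBadSignature = errors.New("ota: signature verification failed")
	ErrRollback     = errors.New("ota: version is not newer than installed firmware")
)

// digest binds the version to the image so an attacker cannot splice an old
// signed image under a newer version number, or vice versa.
func digest(version uint32, image []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(image)
	return h.Sum(nil)
}

// SignUpdate runs on the build/signing server. The device never holds priv.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image, Sig: ed25519.Sign(priv, digest(version, image))}
}

// VerifyUpdate is the device-side gate, run before any flash write: signature
// first, then anti-rollback. pub is the key burned into the device.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pub, digest(u.Version, u.Image), u.Sig) {
		return ErrBadSignature
	}
	if u.Version <= installed {
		return ErrRollback
	}
	return nil
}

// Demo exercises the three cases a bootloader must get right: a genuine newer
// image, an image modified after signing, and a genuinely signed older image.
func Demo() (genuine, tampered, rollback error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // hypothetical key pair
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image v2: ble stack + hr sensor driver")
	installed := uint32(1)

	u := SignUpdate(priv, 2, image)
	genuine = VerifyUpdate(pub, installed, u)

	bad := u
	bad.Image = append([]byte(nil), u.Image...)
	bad.Image[0] ^= 0x01 // one flipped bit in transit
	tampered = VerifyUpdate(pub, installed, bad)

	old := SignUpdate(priv, 1, image) // validly signed, but not newer than installed
	rollback = VerifyUpdate(pub, installed, old)
	return
}

func main() {
	g, t, r := Demo()
	fmt.Println("genuine:", g, "| tampered:", t, "| rollback:", r)
}
```

Ordering matters: the signature check runs before the version compare so that a forged header cannot be used to probe the installed version or drive the rollback logic with unauthenticated data.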

Implement a factory reset that removes all health data and cloud account associations from the device

Priority: high · Annex I, Part I(6)

Wearables are frequently resold or shared. A complete factory reset must remove all user health data, pairing information, and cloud credentials from the device. Because flash wear-levelling makes in-place overwrites unreliable, store health data under a device-held encryption key and destroy that key on reset (cryptographic erase), then clear the bonding table and revoke the device's cloud tokens server-side so the old account cannot be reached from the wiped unit.

3. CVD Policy & Vulnerability Handling

Publish a CVD policy and security contact — health data breaches attract significant regulatory and media scrutiny

Priority: high · Article 13(1)

Security vulnerabilities in health wearables that expose sensitive health data create serious privacy harm. A responsive CVD process is both a CRA requirement and essential for user trust.

Commit to a security update support period that reflects the wearable's expected use life, and publish the end date per device

Priority: high · Article 13(8); Annex I, Part II(8)

Health wearables are often used for 2–4 years, but the CRA sets the support period by expected time in use with a floor of five years unless the product is expected to be used for less than that, so a shorter period must be justified and documented. Publish per-device security support end dates and ensure updates are delivered free of charge for the whole period.

Deploy a security.txt file on your product and cloud service domains for researchers

Priority: medium · Article 13(1)

Use the CVD Portal security.txt generator to create a compliant file. Host it at /.well-known/security.txt on your product support and cloud domains over HTTPS. Per RFC 9116 the Contact and Expires fields are mandatory; set Expires no more than a year out and put a reminder in your calendar, since an expired file is treated as stale by researchers.

4. Article 14 Incident Reporting

Establish monitoring for active exploitation of wearable vulnerabilities — especially any affecting health data access

Priority: high · Article 14(1)

Active exploitation of a health wearable vulnerability triggers Article 14 reporting. Monitor cloud API logs for anomalous health-data access (bulk reads, access from unexpected clients or regions, token reuse), track published vulnerabilities and exploit reports for the BLE stack, sensor SDKs and app dependencies listed in your SBOM, and route researcher reports from the CVD channel into the same triage queue so exploitation evidence is recognised quickly.

Coordinate Article 14 reporting with GDPR Article 33 data breach notification — health data breaches trigger both

Priority: high · Article 14(2), CRA / GDPR Article 33

A health data breach can simultaneously trigger CRA Article 14 (notification to the CSIRT designated as coordinator and ENISA via the single reporting platform) and GDPR Article 33 (notification to the national DPA within 72 hours). The CRA early warning is due within 24 hours of becoming aware, so it will usually precede the GDPR notification. Prepare coordinated templates for both and a single timeline owner so the two filings tell the same story.

5. CE Marking & Technical Documentation

Prepare technical file including health data architecture, encryption specifications, SBOM, and CVD policy

Priority: high · Article 23, Annex V

Given the sensitivity of health data, market surveillance authorities may scrutinise health wearable technical files carefully. Ensure thorough documentation.

Issue EU Declaration of Conformity and affix CE marking before EU market placement

Priority: high · Article 20, Article 22

The DoC must reference the CRA. If the wearable includes radio (Bluetooth, Wi-Fi), also reference the Radio Equipment Directive (2014/53/EU) in the same declaration.

Track your Health Monitoring Wearables compliance progress in CVD Portal.

Public CVD submission portal, Article 14 deadline alerts, SBOM tracking, and CSAF advisory generation. Free forever for manufacturers.

Start your free portal

Frequently asked

Our smartwatch measures heart rate and SpO2 — does it qualify as a medical device and get the MDR exclusion?

Not automatically. A smartwatch with heart rate and SpO2 sensors intended for fitness and wellness use, without specific medical claims, is generally not classified as a medical device under MDR. Only devices with a declared medical intended purpose (e.g. diagnosing or monitoring a specific condition) qualify for MDR classification. Without MDR classification, the device is fully in scope for the CRA.

We collect health data only on-device and never sync to the cloud — does CRA still apply?

Yes. The CRA applies to the product (the wearable device and its firmware) regardless of whether data is synced to the cloud. The on-device storage and any Bluetooth or Wi-Fi connectivity are in scope. Even a fully offline health wearable with updatable firmware is a product with digital elements subject to CRA requirements.

How does GDPR special category data protection interact with CRA security requirements for health wearables?

Health data is special category data under GDPR Article 9, requiring a higher standard of protection and explicit consent. The CRA Annex I requirement to protect personal data (Part I(4)) aligns with GDPR obligations. Organisations should design health wearable data security to satisfy both simultaneously: encryption, access controls, data minimisation, and incident notification procedures that address both CRA and GDPR requirements.

Need a CVD policy for Health Monitoring Wearables?

Download a free CRA-compliant disclosure policy template and deploy it in minutes.

Browse templates →