Sector: Consumer Electronics | Deadline: September 2026

CRA Compliance Checklist: Smart Toys & Connected Children's Products

Annex III Class II — toys intended for children that incorporate AI capabilities or collect personal data require third-party conformity assessment under CRA Annex III

Smart toys and connected children's products are among the most sensitive categories under the CRA. Toys intended for children that incorporate AI or collect personal data are explicitly listed in Annex III Class II, requiring mandatory third-party conformity assessment by an EU Notified Body. Manufacturers must also address the intersection with GDPR children's data protections and the Toy Safety Directive.

16 checklist items | 15 high priority

1. Scope & Classification

Determine whether your product meets the Annex III Class II definition: a toy intended for children under 14 with AI or personal data collection capabilities

Priority: high | Reference: Annex III, Class II, point 9

CRA Annex III Class II explicitly lists toys with AI and data collection. If your product meets this definition, self-declaration is not sufficient — third-party assessment is mandatory.

Engage an EU Notified Body for conformity assessment before placing the product on the market

Priority: high | Reference: Article 24, Annex VIII

For Class II products, the manufacturer cannot self-certify. A Notified Body must assess the technical documentation. Identify and contract a Notified Body early — lead times can be 6–12 months.

Assess intersection with the EU Toy Safety Directive (2009/48/EC) and ensure both frameworks are addressed

Priority: high | Reference: Article 3(2), CRA

Smart toys must comply with both CRA cybersecurity requirements and Toy Safety Directive physical/chemical safety requirements. Prepare an integrated compliance plan.

Review GDPR Article 8 and the UK Children's Code if selling in those markets — children's data has heightened protections

Priority: high | Reference: Article 10(4), CRA / GDPR Article 8

Processing children's personal data requires parental consent below age 16 (varies by member state). Align your data minimisation and consent architecture with CRA and GDPR jointly.

2. Product Security (Annex I Part I)

Apply strict data minimisation — collect only data essential to the toy's core function

Priority: high | Reference: Annex I, Part I(4)

Children's toys should collect minimal data. Audio recordings, location, and behavioural profiles are high-risk. Each data element must be justified.

Implement end-to-end encryption for all voice, video, or messaging features in children's toys

Priority: high | Reference: Annex I, Part I(3)

Connected toys with microphones or cameras are high-value targets. All communications must be encrypted in transit and at rest.

Disable remote access, diagnostic ports, and undocumented interfaces by default

Priority: high | Reference: Annex I, Part I(5)

Several high-profile smart toy breaches exploited undocumented Bluetooth or web interfaces. Conduct a thorough port and service audit.

Implement tamper-evident secure boot to prevent firmware replacement

Priority: high | Reference: Annex I, Part I(9)

Secure boot ensures only signed, authenticated firmware can run on the toy. This prevents malicious firmware from being loaded via physical access or OTA update.

3. CVD Policy & Vulnerability Handling

Publish a coordinated vulnerability disclosure policy with a dedicated security contact address

Priority: high | Reference: Article 13(1)

Smart toy security vulnerabilities generate significant public and media attention. A clear CVD policy and responsive process are essential for both compliance and reputation.

Define a security support lifecycle of at least 5 years from market availability for children's products

Priority: high | Reference: Annex I, Part II(5)

Children's toys have long use cycles and are frequently passed between children. Commit to an extended security support period and publish it clearly.

Establish a vulnerability triage process that prioritises child safety and privacy risks above all others

Priority: high | Reference: Article 13(6)

Any vulnerability that could expose children's location, communications, or audio/video feeds must be treated as critical and addressed without delay.

4. Article 14 Incident Reporting

Implement telemetry to detect anomalous access patterns indicating exploitation of child-facing services

Priority: high | Reference: Article 14(1)

Unauthorised access to children's data collected by toys is likely to trigger Article 14 reporting. Monitoring systems must be in place before product launch.

Coordinate Article 14 reporting with GDPR data breach notification obligations to data protection authorities

Priority: high | Reference: Article 14(2), CRA / GDPR Article 33

An exploit affecting children's personal data may trigger both CRA Article 14 (to ENISA) and GDPR Article 33 (to DPA) simultaneously. Pre-draft templates for both.

5. CE Marking & Conformity Assessment

Submit full technical documentation to the Notified Body for Type Examination (Annex VIII) — self-declaration is prohibited for Class II

Priority: high | Reference: Article 24, Annex VIII

The Notified Body will assess security architecture, data handling, SBOM, and CVD policy. Prepare documentation to the same standard as an MDR submission.

Affix CE marking only after the Notified Body has issued a certificate and the Declaration of Conformity (DoC) is complete

Priority: high | Reference: Article 20, Article 22

CE marking a Class II smart toy without a Notified Body certificate is a serious non-compliance and may result in market withdrawal.

Register on the EU RAPEX/Safety Gate system if a safety-critical vulnerability is discovered post-market

Priority: medium | Reference: Article 11(5)

Vulnerabilities in children's products may require proactive notification to market surveillance authorities and, in serious cases, a coordinated recall.


Frequently asked

Does every connected toy require third-party conformity assessment, or only AI toys?

Under CRA Annex III Class II, third-party assessment is required specifically for toys intended for children that incorporate AI capabilities or collect personal data. A simple connected toy without AI or data collection may be Default class and eligible for self-declaration. However, most modern smart toys collect some user data, which triggers Class II.

Our toy collects voice data only locally and does not send it to the cloud — does CRA still apply?

Yes. The CRA applies to the product as a whole. Local processing of voice data still constitutes data collection on a product with digital elements. The on-device AI model and the data it processes are within scope. Local processing may reduce GDPR risk but does not remove CRA obligations.

How does CRA interact with the EU AI Act for AI-enabled toys?

AI systems interacting with children may be classified as high-risk under the EU AI Act Annex III. Both the CRA and AI Act requirements must be met. The AI Act requires conformity assessment for the AI component; the CRA requires conformity assessment for the product as a whole. Work with your Notified Body to design an integrated assessment that satisfies both.
