CRA Compliance Checklist: Wearable Devices & Fitness Trackers
Default Class (self-assessment) — wearables not classified as medical devices under MDR
Wearable devices — fitness trackers, smartwatches, and health monitors — collect sensitive biometric and health data and are in scope for the CRA as products with digital elements. Unlike medical devices regulated under MDR, general fitness wearables are not excluded from the CRA and must comply with all Annex I security requirements, including data minimisation, encrypted transmission, and secure update mechanisms.
1. Scope & Classification
Confirm the wearable connects to a network (Bluetooth, Wi-Fi, LTE) and is not MDR-classified as a medical device
Wearables with network connectivity are products with digital elements. If the device is classified as a medical device under MDR, the CRA exclusion may apply — verify with legal counsel.
Classify as Default class for consumer wearables — confirm no Annex III classification applies
Consumer fitness wearables are Default class. Wearables used for clinical monitoring or medical diagnosis may be MDR-classified and potentially excluded from CRA.
Compile SBOM covering firmware, companion app (iOS/Android), and cloud backend components
Wearable ecosystems span device firmware, mobile app, and cloud. All components must be tracked for CVEs.
2. Data Security & Privacy
Encrypt all biometric and health data in transit using TLS 1.2+ (or DTLS for Bluetooth)
Biometric data is sensitive personal data under GDPR. End-to-end encryption from device to cloud is mandatory.
Implement data minimisation — only collect data necessary for device function
CRA Annex I requires minimising the attack surface, which includes the data a product collects. Collect only what is necessary for the device to function.
Encrypt health and biometric data at rest on the device and in the cloud
Data at rest must be encrypted. Hardware-backed secure storage is preferred for on-device data.
Implement Bluetooth pairing with authentication — reject unauthenticated connections
Bluetooth Low Energy pairing must use authenticated bonding. Unauthenticated or 'Just Works' pairing is insufficient for health data.
3. Product Security
Implement signed firmware updates verified before installation
OTA firmware updates must be cryptographically signed. Device must verify signature before applying any update.
Require user authentication (PIN, biometric) to access sensitive health data
Health data on the wearable must be protected from physical access. Device lock with authentication timeout is required.
Implement factory reset that securely wipes all personal and health data
CRA requires the ability to remove personal data. Factory reset must cryptographically erase all user data, not just delete pointers.
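To make the distinction between cryptographic erasure and pointer deletion concrete, here is an added Python model (not the page's or any vendor's code) of a wearable's flash: records are encrypted under a data-encryption key (DEK) that exists only in simulated secure storage, and factory reset destroys that key rather than the blocks. The HMAC-SHA256 counter-mode cipher (a stdlib stand-in for AES-GCM), the `Flash` model, the record layout and the sample record are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

SAMPLE_RECORD = b"2024-05-01T07:00Z heart_rate=61 spo2=98"  # constructed sample

def _xor_stream(data, dek, nonce):
    # Counter-mode keystream from HMAC-SHA256 XORed over the data: a stdlib
    # stand-in for the AES-GCM a real device would use. The erase argument only
    # needs a cipher whose output is useless without the key.
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(dek, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class Flash:
    # Raw flash model: blocks stay put; the directory maps record name -> block index.
    def __init__(self):
        self.blocks, self.directory = [], {}
    def put(self, name, data):
        self.directory[name] = len(self.blocks)
        self.blocks.append(data)

def pointer_delete_reset(flash):
    # The reset the checklist rejects: forget where records are, leave the bytes.
    flash.directory.clear()

def forensic_scan(flash, needle):
    # What a chip dump yields once the directory is gone: any block containing needle.
    return any(needle in block for block in flash.blocks)

class CryptoEraseDevice:
    # Records are encrypted under a DEK that lives only in (simulated) secure storage.
    def __init__(self):
        self.flash = Flash()
        self._dek = secrets.token_bytes(32)  # never written to flash
    def store(self, name, record):
        nonce = secrets.token_bytes(12)
        self.flash.put(name, nonce + _xor_stream(record, self._dek, nonce))
    def read(self, name):
        if self._dek is None:
            raise PermissionError("DEK destroyed: records are unrecoverable")
        blob = self.flash.blocks[self.flash.directory[name]]
        return _xor_stream(blob[12:], self._dek, blob[:12])
    def factory_reset(self):
        self._dek = None  # destroying one key renders every stored record unreadable
        self.flash.directory.clear()
```

With plaintext records and a directory-only reset, `forensic_scan` still finds the health data on the chip; with the DEK destroyed, the same scan finds nothing readable and `read` fails by design.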
Disable unused wireless interfaces when not in use
Minimise radio attack surface. Wi-Fi and Bluetooth should not broadcast when the device is not actively paired or syncing.
4. CVD & Vulnerability Management
Publish a CVD policy covering both device firmware and companion app
Security researchers investigate wearable firmware and companion apps. A CVD policy covering all components is required.
Define a support lifecycle of at least 5 years for each wearable model
Consumers expect wearables to receive security updates throughout their use. Define and publish support end dates per model.
Publish CVEs and security advisories when vulnerabilities are fixed
Issue CVEs for vulnerabilities fixed in firmware or app updates. Release notes alone are not sufficient disclosure.
5. CE Marking & Conformity
Compile technical file with security architecture documentation and risk assessment
Technical file must cover device firmware, companion app, and cloud backend security architecture.
Issue EU Declaration of Conformity referencing CRA compliance
Wearables typically already carry CE marking under the Radio Equipment Directive (RED). The CRA adds cybersecurity requirements to the existing DoC.
Frequently asked
Our wearable tracks heart rate and SpO2 — does this make it a medical device exempt from the CRA?
Not automatically. Whether a device is a medical device under MDR depends on its intended purpose and medical claims, not just its sensors. A fitness wearable that tracks heart rate for general wellness is typically not an MDR medical device. Only devices with a specific medical intended purpose (diagnosis, monitoring, treatment) qualify. If your device is not MDR-classified, it is in full CRA scope.
Do we need to comply with both CRA and GDPR for wearable health data?
Yes — CRA and GDPR are complementary but separate frameworks. GDPR governs how you process personal data (lawful basis, data subject rights, retention). CRA governs the security of the product itself. Health and biometric data is both personal data under GDPR and sensitive data requiring protection under CRA Annex I. Compliance with one does not substitute for the other.
Our wearable only connects to a smartphone via Bluetooth — is it in scope?
Yes. Bluetooth connectivity makes the device a product with digital elements under the CRA. Indirect internet connectivity via a smartphone is sufficient to bring the device within scope. The smartphone companion app, which connects to the internet, is also in scope as separate software.