CRA compliance for IoT and connected hardware
Connected hardware is the CRA's original target. Any device with digital elements sold in the EU is in scope, and hardware carries the heaviest lift: firmware SBOMs, secure boot, update infrastructure and — for some categories — third-party assessment.
What this means for you specifically
- Check Annex III/IV carefully: smart-home security devices (locks, cameras, baby monitors, alarms), routers/modems, security chips and smart-meter gateways land in higher classes with notified-body involvement.
- Firmware SBOM generation (embedded Linux layers, RTOS components, vendored C libraries) is harder than app SBOMs — budget real engineering time, not a checkbox.
- You need an OTA update capability with integrity protection for the realistic lifetime of the device; devices that cannot be patched are close to unsellable under the CRA.
- Default passwords are effectively banned (secure-by-default): use per-device credentials or a forced first-boot setup.
The pitfall that catches most teams
Support-period economics: hardware margins rarely price in 5+ years of security engineering. Price it in now or the obligation eats the margin later.
The deadlines
2026-09-11
Reporting obligations start: actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.
2027-12-11
Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.
Where does your product actually stand?
The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.