Is my product in scope? / Smart home device
Smart home products under the CRA (Class I when security-related)
Smart home products with security functionalities — smart locks, security cameras, baby monitors, alarm systems — are Annex III Class I. General-purpose virtual assistants are too. Other smart-home gadgets (bulbs, plugs, sensors) are default class but fully in scope.
What this means for you specifically
- ▸The companion mobile app and the cloud backend are assessed with the device — the product is the system, not just the plastic.
- ▸Camera/lock/monitor makers: expect harmonised-standard requirements on authentication, encryption at rest/in transit, and update integrity.
- ▸Matter/Thread/Zigbee stacks are components in the firmware SBOM; several have had protocol-level CVEs.
- ▸Consumer-facing support-period disclosure is mandatory practice here: 'security updates until at least YYYY' on the box/listing.
The pitfall that catches most teams
Class creep: adding a 'watch your door' feature to a default-class gadget can promote it to Class I. Feature decisions now carry conformity-route consequences.
The deadlines
2026-09-11
Reporting obligations start: actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.
2027-12-11
Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.
Where does your product actually stand?
The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.
Or get CRAdar to handle it continuously:
Other product types
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.