Resources & References

Official documents, industry guidance, tools, and reference materials for CRA compliance in broadcast.

What You Need to Know

Essential CRA Requirements

Annex I of the CRA establishes two sets of essential requirements: security requirements for the design, development, and production of products with digital elements, and vulnerability handling requirements for manufacturers.

1 Before You Ship

Security by design and full transparency from day one — products must be secure before they reach the market.

  • Products ensure appropriate cybersecurity based on risks
  • No known exploitable vulnerabilities at sale
  • Secure by default configuration with reset capability
  • Protection from unauthorized access via authentication
  • Encrypt data at rest and in transit
  • Data minimization and limited attack surfaces
  • BOM and SBOM required
  • Single point of contact for vulnerability reporting
  • Coordinated vulnerability disclosure policy
  • Manufacturer contact and product info must accompany product

2 While Your Product Is in Use

Ongoing security updates and lifecycle commitments keep products protected throughout their operational life.

  • Automatic updates where possible
  • Broadcast exception: alternative update means where automatic updates are not feasible
  • Security updates separate from feature updates
  • Updates free of charge, disseminated without delay
  • Mechanisms for secure distribution
  • Minimum 5-year useful life
  • Support period listed at time of purchase
  • End of Life formally communicated
  • Documentation maintained throughout lifecycle

3 When a Vulnerability Is Found

Fast, structured incident response — from notification to remediation and public disclosure.

  • Report to CSIRT and ENISA within 24 hours
  • Inform impacted users
  • Publicly disclose fixed vulnerabilities
  • Regular security testing
  • Register in European Vulnerability Database

Product Categories

What Class Is Your Product?

The CRA classifies products into four tiers based on risk. Higher classifications require stricter conformity assessment — from self-assessment for default products to European cybersecurity certification for critical infrastructure.

Broadcast Relevance

Most broadcast equipment falls into Default or Class I. Network security appliances (firewalls, routers) used in broadcast infrastructure may qualify as Class II, while critical infrastructure controllers could reach Critical status.

Default

  • Conformity Assessment: Self-assessment
  • Risk Level: Low
  • Examples: Photo editors, word processors
  • Broadcast Relevance: Basic media tools

Class I

  • Conformity Assessment: Self-assessment or harmonised standard
  • Risk Level: Medium
  • Examples: Browsers, password managers, VPNs
  • Broadcast Relevance: Network management, monitoring

Class II

  • Conformity Assessment: Third-party audit
  • Risk Level: High
  • Examples: Firewalls, IDS/IPS, hypervisors
  • Broadcast Relevance: Broadcast network security, routers

Critical

  • Conformity Assessment: European cybersecurity certification
  • Risk Level: Highest
  • Examples: Hardware security modules, smart cards
  • Broadcast Relevance: Critical infrastructure controllers

Penalties

Fines are set as a fixed amount or a share of global annual turnover, whichever is higher:

  • EUR 15M / 2.5%: non-compliance with essential cybersecurity requirements
  • EUR 10M / 2%: violations of other CRA obligations
  • EUR 5M / 1%: incorrect or incomplete information supplied to authorities

Official Sources

Official Regulatory Documents

EU Cyber Resilience Act: Full Text

Regulation EU 2024/2847, the complete legal text of the Cyber Resilience Act as published in the Official Journal of the European Union.

Read Full Text

European Commission: CRA Policy Page

Official policy overview and updates from the European Commission on the Cyber Resilience Act.

Visit Page

CRA Requirements Standards Mapping

JRC & ENISA Joint Analysis mapping Annex I essential cybersecurity requirements to existing cybersecurity standards. EUR 31892 EN.

View Analysis

ENISA: EU Agency for Cybersecurity

Governing body for CRA implementation, vulnerability database development, and reporting standards.

Visit ENISA

NIS2 Directive (EU 2022/2555)

Related directive on network and information security for essential entities. Broadcast and public communications may qualify as essential under NIS2.

View Directive

EU Vulnerability Database

Database for registering and tracking vulnerabilities, established under NIS2 Article 12(2) and integral to CRA reporting requirements.

Visit EUVD

Industry Guidance

Industry & Standards Bodies

ENISA

EU Agency for Cybersecurity providing implementation guidance, coordinated vulnerability disclosure frameworks, and the single reporting platform for CRA incident notifications.

Visit ENISA

UK NCSC

National Cyber Security Centre guidance on connected product security, relevant to CRA-aligned security practices.

Visit NCSC

BSI Germany

Federal Office for Information Security (BSI) CRA guidance for manufacturers and market surveillance.

Visit BSI

CEN/CENELEC

European standardisation organisations developing harmonised standards that can be used to demonstrate CRA compliance.

Visit CEN/CENELEC

ETSI

European Telecommunications Standards Institute, developing technical standards relevant to CRA compliance for connected devices.

Visit ETSI

ISO/IEC Standards

Key standards including ISO/IEC 27002, 27005, and 62443 series, mapped to CRA requirements in the Standards Mapping analysis.

View ISO/IEC 27002

Software Bill of Materials

SBOM Resources

The CRA requires a Software Bill of Materials (SBOM) as part of technical documentation (Annex VII). Every product with digital elements must have a complete software inventory identifying all components, libraries, and dependencies.

SPDX

Linux Foundation's Software Package Data Exchange format, an open standard for communicating SBOM information including components, licenses, and security references.

Visit SPDX

CycloneDX

OWASP standard for lightweight, security-focused SBOMs designed for use in software composition analysis and vulnerability identification.

Visit CycloneDX

NTIA SBOM Guidance

US National Telecommunications and Information Administration guidance on SBOM minimum elements, widely applicable globally and referenced in CRA discussions.

View Guidance

For Manufacturers

Frequently Asked Questions

Common questions from manufacturers navigating CRA compliance, with references to the official regulation text.

Which products does the CRA cover?

The CRA covers any product with digital elements — hardware or software — that is placed on the EU market and can connect to a device or network. This includes broadcast encoders, media servers, IP-connected cameras, and software tools used in production. Narrow exceptions exist for medical devices, vehicles, aviation, and products already regulated under equivalent EU frameworks. See Article 2 (Scope) and Article 3 (Definitions).

When does the CRA apply?

The CRA entered into force on 10 December 2024. Vulnerability reporting obligations apply from 11 September 2026, and the full set of essential requirements becomes mandatory from 11 December 2027. Products placed on the EU market after that date must comply. See Article 69 (Entry into force and application).

What class is my product?

Products are categorised into Default, Class I, Class II, or Critical based on risk. The classification determines which conformity assessment route you must follow — Default products can self-assess, while Class II requires a third-party audit. Most broadcast equipment falls into Default or Class I. See Article 7 (Important products) and Annexes III & IV.

Which conformity assessment route do I need?

It depends on your product's classification. Default products can use self-assessment (internal control). Class I products can self-assess if they apply a harmonised standard covering all essential requirements — otherwise a third-party assessment is needed. Class II and Critical products always require third-party involvement. See Article 32 (Conformity assessment procedures).

How long must I provide security updates?

Manufacturers must provide security updates for the expected product lifetime, with a minimum of five years from placing the product on the market. The support period must be clearly communicated at the time of purchase. For broadcast equipment with longer operational cycles, this period may need to extend beyond the five-year minimum. See Article 13(8).

Do I need an SBOM?

Every product must include a Software Bill of Materials as part of its technical documentation. The SBOM must identify all components, including third-party and open-source libraries, at a minimum at the top-level dependency level. Standard formats such as SPDX or CycloneDX are recommended. See Annex VII (Technical Documentation).

What must I report when a vulnerability is actively exploited?

When you become aware of an actively exploited vulnerability, you must submit an early warning to ENISA and the relevant CSIRT within 24 hours, a detailed notification within 72 hours, and a final report within 14 days. ENISA is building a single reporting platform to streamline this process. See Article 14 (Reporting obligations).

Am I responsible for open-source components in my product?

Yes — when you integrate open-source components into a commercial product, you as the manufacturer are responsible for ensuring the final product meets CRA requirements. The regulation does not apply to open-source software developed non-commercially, but once it is included in a product placed on the market, the manufacturer assumes the compliance obligation. See Article 18 (Open-source software stewards) and Recital 18.

What are the penalties for non-compliance?

Non-compliance with essential cybersecurity requirements carries fines of up to EUR 15 million or 2.5% of global annual turnover, whichever is higher. Violations of other CRA obligations can result in fines up to EUR 10 million or 2%. Providing incorrect or incomplete information to authorities carries fines up to EUR 5 million or 1%. Market surveillance authorities can also order product withdrawal or recall. See Article 64 (Penalties).

Do products already on the market need to comply?

Products placed on the EU market before 11 December 2027 are only subject to CRA requirements if they undergo a substantial modification after that date. However, vulnerability reporting obligations under Article 14 apply to all in-scope products regardless of when they were placed on the market — meaning existing products trigger the 24-hour reporting requirement from September 2026. See Article 69 (Transitional provisions).

What is a conformity assessment?

A conformity assessment is the process of verifying that your product meets CRA essential requirements before it can carry the CE mark. Default-category products can self-assess using internal control procedures (Module A). For Class I products, self-assessment is allowed if you apply a harmonised standard covering all requirements — otherwise a notified body must be involved. Class II and Critical products always require third-party assessment. See Article 32 (Conformity assessment) and Annex VIII.

What are the obligations of importers and distributors?

Importers must verify that the manufacturer has completed a conformity assessment, that the product bears the CE marking, and that technical documentation is available. Distributors must verify CE marking and ensure proper storage and transport conditions. If either party places a product on the market under their own name or makes a substantial modification, they assume the full obligations of a manufacturer. See Article 19 (Importer obligations) and Article 20 (Distributor obligations).

Key Terms

CRA Glossary

Product with Digital Elements

Any software or hardware product and its remote data processing solutions, including components placed on the market separately (Article 3). This encompasses a wide range of broadcast equipment including encoders, decoders, media servers, and connected production tools.

Manufacturer

Natural or legal person who develops or manufactures products with digital elements, or has them designed, developed, or manufactured, and markets them under their name or trademark. In broadcast, this includes equipment manufacturers, software vendors, and system integrators who brand products.

Support Period

Period during which the manufacturer ensures vulnerability handling and security updates. The CRA mandates a minimum of 5 years (Article 13(8)), reflecting the expected product lifetime. For broadcast equipment with longer operational lifespans, manufacturers may need to extend this period.

Substantial Modification

A change to a product with digital elements that affects its compliance with essential requirements or changes the product's risk level, triggering re-assessment requirements. Major firmware updates or architectural changes to broadcast systems may qualify.

CE Marking

Conformity marking indicating compliance with CRA essential requirements (Articles 29–30). Products must bear the CE marking before being placed on the EU market. For broadcast equipment, this adds cybersecurity to existing CE requirements.

CSIRT

Computer Security Incident Response Team. National teams designated under NIS2 that receive vulnerability and incident reports. Manufacturers must notify the relevant CSIRT within 24 hours of becoming aware of an actively exploited vulnerability.

ENISA

European Union Agency for Cybersecurity. The governing body responsible for CRA implementation, developing the single reporting platform for vulnerability notifications, and managing the European Vulnerability Database.

SBOM

Software Bill of Materials. A complete inventory of all software components, libraries, and dependencies in a product. Required by the CRA as part of technical documentation (Annex VII). Formats include SPDX and CycloneDX.

Harmonised Standards

European standards developed by European Standardisation Organisations (CEN, CENELEC, ETSI) that provide a presumption of conformity with CRA essential requirements when applied. Using harmonised standards simplifies the compliance assessment process.

Essential Entities

Organisations classified under NIS2 Directive Article 3(1) as essential to critical infrastructure. Broadcast and public communications providers may qualify as essential entities, triggering stricter cybersecurity requirements and oversight beyond the CRA.

Actively Exploited Vulnerability

A vulnerability for which reliable evidence exists that exploitation by a malicious actor has occurred in a system without the permission of the system owner. Discovery of such a vulnerability triggers mandatory 24-hour notification to ENISA and the relevant CSIRT.

European Vulnerability Database (EUVD)

A database established under NIS2 Article 12(2) for registering, tracking, and disseminating information about vulnerabilities in products with digital elements. Managed by ENISA, it serves as a central repository for vulnerability data across the EU.
