Sector: Networking · Deadline: 11 September 2026 (the Article 14 reporting obligations apply from that date; the remaining CRA obligations apply from 11 December 2027)

CRA Compliance Checklist: Access Control & Physical Security Systems

Annex III Class I: authentication and access control readers, including biometric readers, are listed as important products. The CRA classifies by the product's core functionality, not by where it is installed, so a critical infrastructure or government deployment does not move a product into Class II.

Access control systems, including IP-connected door controllers, card readers, biometric access terminals, and integrated physical security management platforms, are products with digital elements that directly control physical access to facilities. Their compromise can enable physical security breaches with serious consequences: a remote unlock, a forged credential, or an erased audit trail. Networked access control readers, including biometric readers, are named in Annex III Class I and are therefore important products. Class II and Annex IV (critical products) are likewise defined by product category; a critical infrastructure or government installation may bring the operator under NIS2, but it does not change the product's CRA class.

16 checklist items · 16 high priority · Deadline: September 2026 · Sector: Networking

1. Scope & Classification

Confirm all IP-connected door controllers, card readers, biometric terminals, and access management platforms are in scope

Priority: high · Ref: Article 2(1), Article 3(1)

The CRA covers any product with digital elements whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network (Article 2(1)). Updateable firmware is not the test: a reader wired to a controller over a serial line has an indirect data connection and is in scope. Map every component you place on the market: controllers, readers, management servers, mobile credential apps, SDKs sold separately, and the remote data processing the product needs in order to function (Article 3(1) and 3(2)).

Confirm Annex III Class I classification for readers, biometric terminals and identity management software

Priority: high · Ref: Article 7, Annex III (Class I)

Annex III Class I lists identity management systems software and privileged access management software and hardware, including authentication and access control readers, including biometric readers. Classification follows the product's core functionality (Article 7(1)), so this covers most commercial access control products regardless of where they are installed. Class I also changes the conformity assessment route (Article 32(2)), see section 5.

Check whether any separately marketed component is Annex III Class II or an Annex IV critical product by its own function

Priority: high · Ref: Article 7, Article 8, Annex III (Class II), Annex IV

Deployment in critical infrastructure, nuclear, government or defence facilities does not raise a product's class; the CRA has no context-based classification. What matters is what you place on the market: tamper-resistant microcontrollers and microprocessors are Class II, and smartcards and secure elements are Annex IV critical products. If you sell credentials, secure elements or tamper-resistant controller modules as separate products, those carry their own third-party conformity assessment obligations (Article 32(3) and (4)).

Compile an SBOM covering access control firmware, management software, credential management, and directory integration components

Priority: high · Ref: Annex I, Part II(1)

Annex I Part II(1) requires an SBOM in a commonly used, machine-readable format covering at least the product's top-level dependencies. Access control platforms integrate with Active Directory, LDAP, and cloud identity providers; include the integration libraries and SDKs, the embedded OS and cryptographic libraries in controller and reader firmware, and any third-party biometric matching engine. Keep one SBOM per firmware version so a vulnerability report can be traced to the affected builds.

2. Product Security (Annex I Part I)

Implement strong authentication, with MFA, for all access management platform administration accounts

Priority: high · Ref: Annex I, Part I(3)(c)

The CRA requires protection from unauthorised access by appropriate control mechanisms, including authentication and identity or access management, and reporting of possible unauthorised access. Compromise of the management platform gives an attacker control over every door and over credential issuance, so MFA on administrative accounts is the practical baseline. Apply the same rigour to the service credentials the platform uses for directory integration, and log failed and successful administrative logins so that unauthorised access can actually be reported.

Encrypt biometric templates and credential data at rest and in transit, and never store raw biometric samples

Priority: high · Ref: Annex I, Part I(3)(d) and (3)(f)

Biometric data used to uniquely identify a person is special category data under GDPR Article 9. Templates cannot be stored as ordinary one-way password hashes, because biometric matching is fuzzy; use a template protection scheme along the lines of ISO/IEC 24745 (irreversible, unlinkable, renewable protected templates) or match-on-card, so that the template never leaves a secure element, and encrypt whatever is stored centrally. Never store raw images or samples, never transmit raw biometric data between reader and controller, and keep only what matching needs (Part I(3)(f), data minimisation).

Implement tamper-evident audit logging for all access events, credential changes, and system configuration modifications

Priority: high · Ref: Annex I, Part I(3)(e) and (3)(k)

Part I(3)(k) requires recording and monitoring of relevant internal activity, including access to or modification of data, services or functions, and Part I(3)(e) requires integrity protection of stored data. Access control audit logs are the primary evidence in a physical intrusion investigation, so ship them off the controller promptly to a central log store, chain and key each record so that edits, deletions, reordering and truncation are detectable, keep the chaining key off the controllers, and synchronise device clocks so that event order holds up.
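The following is an added example, not code from this checklist or from any access control vendor, of what "tamper-evident" means in practice: a keyed hash chain over access events, with a verifier that reports which entry was edited, deleted or moved, and detects truncation against an out-of-band anchored head. The key, product names and log events are constructed for the demo; the key is assumed to live on the log collector's key store, never on the controllers.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// AuditEntry is one record in a keyed hash chain. Each MAC covers the entry's own
// fields plus the previous MAC, so editing, deleting, reordering or truncating breaks the chain.
type AuditEntry struct {
	Seq     uint64 // position in the log; detects deletion and reordering
	Event   string // e.g. DOOR_OPEN, CRED_ISSUED, CONFIG_CHANGE
	Detail  string
	PrevMAC string // hex MAC of the previous entry, "" for the first
	MAC     string // hex HMAC-SHA256 over Seq, Event, Detail and PrevMAC
}

// entryMAC binds an entry to its content and its predecessor. Fields are
// length-prefixed so that moving bytes between Event and Detail changes the MAC.
func entryMAC(key []byte, seq uint64, event, detail, prev string) string {
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%d|%d:%s|%d:%s|%s", seq, len(event), event, len(detail), detail, prev)
	return hex.EncodeToString(m.Sum(nil))
}

// AuditLog is the collector-side log. The HMAC key lives only on the central collector or SIEM
// (assumption: provisioned from its key store), never on the door controllers that submit events.
type AuditLog struct {
	key     []byte
	Entries []AuditEntry
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

// Append chains a new event onto the log.
func (l *AuditLog) Append(event, detail string) {
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].MAC
	}
	seq := uint64(len(l.Entries))
	l.Entries = append(l.Entries, AuditEntry{
		Seq: seq, Event: event, Detail: detail, PrevMAC: prev,
		MAC: entryMAC(l.key, seq, event, detail, prev),
	})
}

// Head returns the MAC of the latest entry. Anchoring it somewhere the log store cannot
// rewrite (a WORM bucket, a ticket, a periodically signed statement) lets Verify detect truncation.
func (l *AuditLog) Head() string {
	if len(l.Entries) == 0 {
		return ""
	}
	return l.Entries[len(l.Entries)-1].MAC
}

// Verify re-walks the chain. It returns -1 and nil when every entry is intact and the chain ends at
// anchoredHead; otherwise the index of the first bad entry (len(entries) when truncated) and the reason.
func Verify(key []byte, entries []AuditEntry, anchoredHead string) (int, error) {
	prev := ""
	for i, e := range entries {
		if e.Seq != uint64(i) {
			return i, fmt.Errorf("entry %d: sequence %d out of order (entry deleted or moved)", i, e.Seq)
		}
		if e.PrevMAC != prev {
			return i, fmt.Errorf("entry %d: predecessor MAC mismatch (chain broken)", i)
		}
		want := entryMAC(key, e.Seq, e.Event, e.Detail, e.PrevMAC)
		if !hmac.Equal([]byte(want), []byte(e.MAC)) {
			return i, fmt.Errorf("entry %d: MAC mismatch (entry modified or forged)", i)
		}
		prev = e.MAC
	}
	if prev != anchoredHead {
		return len(entries), fmt.Errorf("chain ends at %.8s but anchored head is %.8s (log truncated)", prev, anchoredHead)
	}
	return -1, nil
}

func main() {
	// Constructed demo key and events; in production the key comes from the collector's KMS.
	key := []byte("constructed-demo-key-not-for-production")
	al := NewAuditLog(key)
	al.Append("DOOR_OPEN", "door=server-room-1 cred=badge:4412")
	al.Append("CRED_ISSUED", "badge:9001 issued_by=admin.jane")
	al.Append("CONFIG_CHANGE", "door=server-room-1 schedule=24x7")
	head := al.Head() // anchored out of band
	fmt.Println(Verify(key, al.Entries, head))
	tampered := append([]AuditEntry(nil), al.Entries...)
	tampered[1].Detail = "badge:9001 issued_by=svc-backup" // rewrite who issued the credential
	fmt.Println(Verify(key, tampered, head))
	deleted := []AuditEntry{al.Entries[0], al.Entries[2]} // drop the issuance entirely
	fmt.Println(Verify(key, deleted, head))
	fmt.Println(Verify(key, al.Entries[:1], head)) // truncate after the door opening
}
```

The verifier deliberately returns an index rather than just a boolean: in an investigation the question is not only "was the log touched" but "from which event onward can it no longer be trusted". Controllers in this design only submit events; they never hold the key, so a compromised controller can lie about the present but cannot rewrite the past that has already reached the collector.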

Disable default credentials and require unique strong passwords for all door controller, reader, and management interfaces

Priority: high · Ref: Annex I, Part I(3)(a) and (3)(c)

Products must ship in a secure-by-default configuration, and shared default credentials on access control hardware remain a common way in. Provision each device with unique credentials at manufacture or first boot, force a credential change before the device goes into service, and make sure the factory reset that Part I(3)(a) requires does not leave a shared default credential in service afterwards.

3. CVD Policy & Vulnerability Handling

Publish a CVD policy with a dedicated security contact for access control system vulnerabilities

Priority: high · Ref: Annex I, Part II(5) and (6)

Manufacturers must put in place and enforce a coordinated vulnerability disclosure policy and provide a contact address for reporting vulnerabilities. Access control systems are actively targeted for physical bypass, so a published policy with a reachable contact, acknowledgement and fix timelines, and a safe harbour for good-faith research gets you the report before the exploit circulates.

Provide cryptographically signed firmware updates with a clear deployment process for production access control installations

Priority: high · Ref: Annex I, Part I(3)(b), Part II(7) and (8)

Updates must be distributed securely, without delay and free of charge, and the product must support security updates (automatic by default where appropriate, with a user opt-out). For door hardware an update must never leave a building unlocked or locked out: controllers should verify the signature and an anti-rollback version before writing to flash, keep the previous known-good image so that a failed rollout can revert, and be updated in stages with a health check before the rest of the fleet follows. Reverting to the retained image is different from accepting any older signed image, which must be refused so that fixed vulnerabilities cannot be reintroduced.
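As an added example (not code from this checklist or from any controller vendor), the update state machine described above on the device side: an Ed25519-signed manifest, verification before anything touches flash, an anti-rollback counter that only advances on commit, and a revert path that keeps the known-good slot. Product names, keys and images are constructed for the demo; the signing key is assumed to live in the vendor's HSM and the public key to be provisioned at manufacture.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the signed description of one image; the controller trusts nothing the signature does not cover.
type Manifest struct {
	Product string `json:"product"` // model identifier baked into the controller (constructed name below)
	Version uint32 `json:"version"` // monotonic counter used for anti-rollback
	SHA256  string `json:"sha256"`  // hex digest of the image bytes
}

type SignedUpdate struct {
	Manifest  []byte // JSON-encoded Manifest, signed as-is
	Signature []byte // Ed25519 signature over Manifest
	Image     []byte // pushed by the management platform to the controller
}

// SignUpdate runs on the vendor's signing service; the private key never leaves it (assumption: HSM/KMS).
func SignUpdate(priv ed25519.PrivateKey, product string, version uint32, image []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(image)
	m, err := json.Marshal(Manifest{Product: product, Version: version, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{Manifest: m, Signature: ed25519.Sign(priv, m), Image: image}, nil
}

var (
	ErrBadSignature  = errors.New("manifest signature invalid")
	ErrWrongProduct  = errors.New("manifest is for a different product")
	ErrRollback      = errors.New("version not newer than committed version (rollback refused)")
	ErrImageDigest   = errors.New("image digest does not match signed manifest")
	ErrNothingStaged = errors.New("no staged update")
)

// Controller models a door controller with two firmware slots: Active (known-good) keeps serving doors while Staged is checked.
type Controller struct {
	Product   string
	VendorPub ed25519.PublicKey // provisioned at manufacture, not changeable over the network
	Committed uint32            // anti-rollback floor: highest version ever committed
	Active    *Manifest
	Staged    *Manifest
}

// Stage verifies an update completely before anything would be written to flash. Signature first, so untrusted bytes are never parsed.
func (c *Controller) Stage(u SignedUpdate) error {
	if !ed25519.Verify(c.VendorPub, u.Manifest, u.Signature) {
		return ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.Manifest, &m); err != nil {
		return err
	}
	if m.Product != c.Product {
		return ErrWrongProduct
	}
	if m.Version <= c.Committed {
		return ErrRollback
	}
	if sum := sha256.Sum256(u.Image); hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrImageDigest
	}
	c.Staged = &m // the image would now go to the inactive slot; doors keep running on Active
	return nil
}

// Commit promotes the staged image after it booted and passed health checks (assumption: doors respond, management link up); only now does the counter move.
func (c *Controller) Commit() error {
	if c.Staged == nil {
		return ErrNothingStaged
	}
	c.Active, c.Committed, c.Staged = c.Staged, c.Staged.Version, nil
	return nil
}

// Revert is the operator's rollback path: drop the staged image and keep the known-good Active slot. Accepting an older signed image is a different thing, and Stage refuses it.
func (c *Controller) Revert() { c.Staged = nil }

func main() {
	// Constructed keys, product name and images for the demo (errors ignored); real keys live in an HSM.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ctl := &Controller{Product: "door-ctrl-2k", VendorPub: pub, Committed: 1}

	v2, _ := SignUpdate(priv, "door-ctrl-2k", 2, []byte("fw v2: fixes remote unlock bug"))
	fmt.Println("stage v2:", ctl.Stage(v2), "| commit:", ctl.Commit(), "| committed =", ctl.Committed)
	v1, _ := SignUpdate(priv, "door-ctrl-2k", 1, []byte("fw v1: vulnerable"))
	fmt.Println("stage v1 again:", ctl.Stage(v1))
	v3, _ := SignUpdate(priv, "door-ctrl-2k", 3, []byte("fw v3"))
	v3.Image = []byte("fw v3 with implant")
	fmt.Println("image swapped after signing:", ctl.Stage(v3))
}
```

The order of checks is the point: the signature is verified before the manifest is parsed, the version is compared against the committed floor rather than the currently running image, and the counter only advances once the new firmware has proven itself, so a rollout that fails its health check is reverted without ever lowering the device's defences.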

Commit to a security support period of at least 10 years for access control hardware given typical deployment lifecycles

Priority: high · Ref: Article 13(8), Annex II

The CRA minimum support period is five years (shorter only where the product is expected to be in use for less time), and it must reflect the length of time the product is expected to be in use, taking reasonable user expectations into account. Physical access control hardware is installed for 10 to 20 years, so five years is unrealistic for this sector. Publish per-product support end dates in the user information (Annex II) and provide migration guidance for end-of-life products.

4. Article 14 Incident Reporting

Define Article 14 triggers for access control incidents: credential database exfiltration, remote door unlock exploits, and audit log tampering

Priority: high · Ref: Article 14(1) to (4)

Two things trigger reporting: any actively exploited vulnerability in the product (Article 14(1)), regardless of how you rate its severity, and any severe incident having an impact on the product's security (Article 14(3)). Reports go simultaneously to the CSIRT designated as coordinator and to ENISA through the single reporting platform: an early warning within 24 hours, a notification within 72 hours, and a final report within 14 days of a fix being available for a vulnerability or within one month of the notification for an incident. Map your detection signals (unlock commands from unexpected sources, bulk credential reads, gaps in the audit chain) to these triggers so that the 24-hour clock can actually be met.

Coordinate Article 14 reporting with GDPR breach notification for biometric data breaches

Priority: high · Ref: Article 14 CRA; GDPR Articles 33 and 34

A breach of biometric templates is a personal data breach involving special category data, so alongside the CRA report it will normally require notification to the supervisory authority within 72 hours (GDPR Article 33) and to the affected individuals where the risk is high (Article 34). The two regimes have different clocks (24 hours versus 72 hours), different recipients (the CSIRT and ENISA versus the data protection authority), and usually different obligated parties: the CRA binds you as manufacturer, while the GDPR breach duty falls on the controller, typically the operator of the building. Prepare a joint procedure and the customer notification you will send so that the operator can meet its own deadline.

5. CE Marking & Technical Documentation

For Class I products, conduct the conformity assessment and prepare the technical documentation against all Annex I requirements

Priority: high · Ref: Article 31, Article 32(2), Annex VII, Annex VIII

Internal control (module A) is available to an important Class I product only if it fully applies harmonised standards, common specifications or a European cybersecurity certification scheme; otherwise Article 32(2) requires a notified body, either EU-type examination plus conformity to type (modules B and C) or full quality assurance (module H). Either way the Annex VII technical documentation must cover the cybersecurity risk assessment, the security architecture, credential and template storage, the cryptography in use, the access control logic, and the vulnerability handling process.

For any Class II or Annex IV component, engage a Notified Body early

Priority: high · Ref: Article 32(3) and (4), Annex VIII

Class II products must go through modules B and C or module H with a notified body, or a European cybersecurity certification scheme; Annex IV critical products may additionally be required by delegated act to obtain a certificate under such a scheme. Critical infrastructure or government deployment on its own does not trigger this, but if your portfolio includes secure elements, smartcard credentials or tamper-resistant controller modules, start early: notified body lead times are long and notified body designation under the CRA only begins in June 2026.

Issue the EU Declaration of Conformity and affix the CE marking before placing products on the EU market

Priority: high · Ref: Article 28, Article 30, Annex V

The DoC follows the Annex V model: it identifies the product, states that it is issued under the manufacturer's sole responsibility, references the CRA and any other Union harmonisation legislation the product falls under (for example the Radio Equipment Directive for readers with NFC or Bluetooth), and lists the harmonised standards applied or the notified body certificate relied on. The GDPR is not Union harmonisation legislation for CE marking purposes and does not belong in the DoC; instead, document the biometric processing design in the technical documentation and give operators the information they need for their own data protection impact assessment.

Track your Access Control & Physical Security Systems compliance progress in CVD Portal.

Public CVD submission portal, Article 14 deadline alerts, SBOM tracking, and CSAF advisory generation. Free forever for manufacturers.


Frequently asked

Our access control system stores biometric fingerprint templates: what are the specific CRA and GDPR requirements?

Biometric data processed to uniquely identify a person is special category data under GDPR Article 9. Processing needs an Article 9(2) ground; explicit consent is the usual one, but consent is rarely freely given in an employment setting, so do not assume it carries an enterprise deployment. Under CRA Annex I, Part I(3)(d) and (3)(f), the data must be kept confidential and minimised. In practice: store templates only in protected, irreversible form (a template protection scheme or match-on-card, not a password-style hash, which cannot support fuzzy matching) and encrypted at rest, never transmit raw biometric samples over the network, restrict and log access to template storage, and make sure the operator conducts a GDPR Data Protection Impact Assessment (Article 35) before deployment, with your technical documentation supporting it.

We sell access control hardware to a systems integrator who programmes and installs it: who holds CRA obligations?

You, as the hardware manufacturer, are responsible for the CRA compliance of the hardware and its firmware, and the product must be compliant when placed on the market. An integrator who configures and installs it within your documented intended use is a user and takes on no manufacturer obligations; if they resell it they are a distributor and must check the CE marking and accompanying documentation. An integrator who sells it under their own name or substantially modifies it, for example by replacing the firmware or changing its security functions, becomes the manufacturer of that product under Article 22. Give integrators the technical documentation, secure configuration guidance and the boundaries of the intended use so that their work stays on the right side of that line.

Our cloud-based access management platform issues credentials remotely: is the cloud platform in CRA scope?

A standalone cloud service is not itself a product with digital elements, but the CRA definition of a product (Article 3(1)) includes its remote data processing solutions: data processing designed and developed by you, or under your responsibility, without which the product cannot perform one of its functions (Article 3(2)). If controllers cannot issue, revoke or validate credentials without your cloud, that part of the platform is in scope as part of the product and must meet Annex I. Locally installed agents, credential management clients and controller firmware are in scope in any case. Cloud features that go beyond what the product needs in order to function sit outside the CRA, though the service itself may fall under NIS2 as a cloud computing service.

Need a CVD policy for Access Control & Physical Security Systems?

Download a free CRA-compliant disclosure policy template and deploy it in minutes.
