CRA Compliance Checklist: Professional Audio/Video Equipment
Default to Annex III Class I — professional AV equipment is a product with digital elements; broadcast infrastructure and critical event production systems may approach Class I
Professional audio and video equipment — including networked broadcast systems, IP audio routing (Dante, AES67), live production switchers, IP video distribution, and broadcast management systems — is a product with digital elements subject to the CRA. While most professional AV products are Default class, broadcast infrastructure for national broadcasters and critical live event systems may approach Class I given their public communication role.
1. Scope & Classification
Confirm all IP-connected professional AV equipment with updateable firmware is in CRA scope
IP audio interfaces, broadcast cameras, production switchers, media servers, and AV management systems are all products with digital elements. Map all networked equipment in your portfolio.
Assess Class I for broadcast infrastructure and national broadcaster-grade production systems given their public communication infrastructure role
Broadcast infrastructure for national public broadcasters or critical live event production (elections, emergency communications) may be important products warranting Class I review.
Compile SBOM covering AV device firmware, broadcast software, media processing libraries, and AV-over-IP protocol stacks (Dante, AES67, ST 2110)
Professional AV firmware includes complex media processing stacks. Dante, AES67, and SMPTE ST 2110 network stacks have well-known implementations with traceable open-source components.
2. Product Security (Annex I Part I)
Implement authentication and access control for all AV device management interfaces — Dante Controller, web-based configuration, and SNMP management
Unauthenticated AV management interfaces (common in Dante and AES67 ecosystems) allow any network user to reroute audio or modify device configuration. Implement authentication for all management functions.
Implement network segmentation for AV networks — isolate production networks from corporate IT and internet-connected networks
Professional AV networks (particularly low-latency Dante/AES67 networks) should operate in isolated VLANs. Internet connectivity for management should be mediated by authenticated VPN.
Implement signed firmware updates for all professional AV equipment — particularly for live production equipment where availability is critical
Production equipment firmware updates must be signed and verifiable. For live production environments, provide a secure offline update process that does not disrupt ongoing production.
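As an added example (not code from this page or from any AV vendor), the Go program below shows the device-side check a signed update process needs: an Ed25519 signature over a manifest that pins the image by SHA-256 and carries a version counter, with the counter compared against the installed version so that a validly signed but older image cannot be pushed back onto production equipment. The manifest format, the product name and the key pair are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update manifest: the signature covers these
// bytes, and the manifest in turn pins the firmware image by SHA-256.
type Manifest struct {
	Product  string `json:"product"`
	Version  uint64 `json:"version"` // monotonically increasing build counter
	ImageSHA string `json:"image_sha256"`
}

// SignedUpdate is what the device receives (constructed package layout).
type SignedUpdate struct {
	Manifest  []byte // raw JSON, signed exactly as shipped
	Signature []byte // Ed25519 signature over Manifest
	Image     []byte // firmware image
}

// VerifyUpdate checks, in order: manifest signature, product match, image
// hash, and anti-rollback against the version currently installed.
func VerifyUpdate(pub ed25519.PublicKey, u SignedUpdate, product string, installed uint64) (*Manifest, error) {
	if !ed25519.Verify(pub, u.Manifest, u.Signature) {
		return nil, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(u.Manifest, &m); err != nil {
		return nil, fmt.Errorf("manifest parse: %w", err)
	}
	if m.Product != product {
		return nil, fmt.Errorf("manifest is for %q, device is %q", m.Product, product)
	}
	sum := sha256.Sum256(u.Image)
	if hex.EncodeToString(sum[:]) != m.ImageSHA {
		return nil, errors.New("image hash does not match signed manifest")
	}
	if m.Version <= installed {
		return nil, fmt.Errorf("rollback refused: version %d <= installed %d", m.Version, installed)
	}
	return &m, nil
}

// BuildUpdate is the vendor-side step: hash the image, then sign the manifest.
func BuildUpdate(priv ed25519.PrivateKey, product string, version uint64, image []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(image)
	raw, err := json.Marshal(Manifest{Product: product, Version: version, ImageSHA: hex.EncodeToString(sum[:])})
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{Manifest: raw, Signature: ed25519.Sign(priv, raw), Image: image}, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair for the demo
	image := []byte("constructed firmware image bytes")
	u, _ := BuildUpdate(priv, "av-switcher-x", 42, image)

	_, err := VerifyUpdate(pub, u, "av-switcher-x", 41)
	fmt.Println("valid update, error:", err)

	u.Image[0] ^= 0xff // flip one byte of the image after signing
	_, err = VerifyUpdate(pub, u, "av-switcher-x", 41)
	fmt.Println("tampered image, error:", err)
}
```

In a real product the public key lives in immutable storage or a secure element and the version counter is persisted alongside it; the offline update path the checklist asks for can carry exactly this package on removable media, since nothing in the check needs network access.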
Disable unnecessary network services — many AV devices expose mDNS, UPnP, and management services that are not required in production environments
AV devices often auto-discover using mDNS/Bonjour, creating large attack surfaces in production networks. Provide configuration options to disable discovery services not required in a specific deployment.
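To make the "network service audit" that the checklist calls for concrete, here is an added Go example (not from the page) that parses `ss -lntup` output captured on a device and flags every non-loopback listener that is outside a deployment profile's allowlist. The sample output, the process names and the production profile (PTP on udp/319 and udp/320 for AES67/ST 2110 clocking, plus HTTPS management) are constructed assumptions, not a vendor's real service list.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Listener is one socket the device has open for inbound traffic.
type Listener struct {
	Proto   string // "tcp" or "udp"
	Addr    string // local bind address as printed by ss
	Port    int
	Process string // process name from users:((...)), "" if not shown
}

// Finding is a listener that the profile does not permit.
type Finding struct {
	Listener
	Reason string
}

var procRe = regexp.MustCompile(`users:\(\("([^"]+)"`)

// ParseSS reads `ss -lntup` output (Netid State Recv-Q Send-Q Local:Port
// Peer:Port Process); the header and any unparsable line are skipped.
func ParseSS(out string) []Listener {
	var ls []Listener
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) < 6 || (f[0] != "tcp" && f[0] != "udp") {
			continue
		}
		i := strings.LastIndex(f[4], ":") // works for 0.0.0.0:80, [::]:80 and *:80
		if i < 0 {
			continue
		}
		port, err := strconv.Atoi(f[4][i+1:])
		if err != nil {
			continue
		}
		l := Listener{Proto: f[0], Addr: f[4][:i], Port: port}
		if m := procRe.FindStringSubmatch(line); m != nil {
			l.Process = m[1]
		}
		ls = append(ls, l)
	}
	return ls
}

func isLoopback(addr string) bool {
	return addr == "[::1]" || strings.HasPrefix(addr, "127.")
}

// Audit flags every non-loopback listener whose proto/port is not in the
// deployment profile's allowlist.
func Audit(out string, allowed map[string]bool) []Finding {
	var fs []Finding
	for _, l := range ParseSS(out) {
		if isLoopback(l.Addr) {
			continue
		}
		key := fmt.Sprintf("%s/%d", l.Proto, l.Port)
		if !allowed[key] {
			fs = append(fs, Finding{l, "not in production profile allowlist"})
		}
	}
	return fs
}

// ProductionProfile is a constructed allowlist: PTP event/general messages
// for AES67/ST 2110 clocking plus HTTPS management. Nothing else.
var ProductionProfile = map[string]bool{"udp/319": true, "udp/320": true, "tcp/443": true}

// sampleSS is constructed ss output for the demo, not a capture from a real device.
const sampleSS = `Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*     users:(("avahi-daemon",pid=612,fd=12))
udp   UNCONN 0      0            0.0.0.0:1900       0.0.0.0:*     users:(("upnpd",pid=640,fd=7))
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*     users:(("snmpd",pid=655,fd=9))
udp   UNCONN 0      0            0.0.0.0:319        0.0.0.0:*     users:(("ptp4l",pid=700,fd=5))
tcp   LISTEN 0      128          0.0.0.0:443        0.0.0.0:*     users:(("webmgmt",pid=710,fd=4))
tcp   LISTEN 0      128          0.0.0.0:80         0.0.0.0:*     users:(("webmgmt",pid=710,fd=5))
tcp   LISTEN 0      128        127.0.0.1:9000       0.0.0.0:*     users:(("localctl",pid=720,fd=3))`

func main() {
	for _, f := range Audit(sampleSS, ProductionProfile) {
		fmt.Printf("%s/%-5d %-14s %s\n", f.Proto, f.Port, f.Process, f.Reason)
	}
}
```

Run against the sample, the audit reports mDNS (udp/5353), SSDP/UPnP (udp/1900), SNMP (udp/161) and plain-HTTP management (tcp/80); the loopback-only service is ignored. The same program run once per firmware build, with one profile per supported deployment, gives you the "network service audit" artefact for the technical file in section 5.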
3. CVD Policy & Vulnerability Handling
Publish a CVD policy and security contact for professional AV equipment vulnerabilities
Professional AV security is an emerging research area. Vulnerabilities in broadcast-critical equipment attract significant attention. A CVD policy enables responsible disclosure.
Provide security patches with minimal production disruption — support scheduled maintenance window deployment and offline update for live production systems
Live production systems cannot be taken offline during events. Provide patch packages with staged deployment guidance and clear rollback procedures for production environments.
Define security support lifecycle appropriate to professional AV equipment investment — minimum 5 years for consumer-grade, 7 years for professional broadcast equipment
Professional broadcast equipment is a significant capital investment with 7–10 year operational lifespans. Publish per-product security support end dates.
4. Article 14 Incident Reporting
Define Article 14 triggers — focus on exploitation enabling broadcast signal injection, production system disruption at national broadcast scale, or audio/video data exfiltration
A vulnerability enabling injection of false signals into a national broadcast infrastructure is a potential Article 14 trigger given the public communication implications.
Prepare Article 14 notification procedure and test it — assign owners for each reporting milestone
Use the CVD Portal Article 14 timeline tool to document your notification process.
5. CE Marking & Technical Documentation
Prepare CRA technical file including AV device security architecture, network service audit, SBOM, and firmware update security documentation
Technical documentation should specifically address the security of AV-over-IP protocol implementations and management interfaces.
Issue EU Declaration of Conformity referencing the CRA for all in-scope professional AV products
The DoC must reference the CRA. For wireless AV products (Wi-Fi audio, wireless video), also reference the Radio Equipment Directive.
Frequently asked questions
Our Dante-enabled audio products have no authentication on the Dante network — is this a CRA problem?
Yes. Audinate's Dante protocol historically had limited authentication. Dante Domain Manager provides network segmentation and access control, and Dante AES67 implementations should be deployed on isolated VLANs with authenticated access. CRA Annex I Part I(2) requires protection against unauthorised access, which includes management of AV signal routing. You should provide and document configuration guidance for secure Dante deployment as part of your CRA compliance.
We manufacture streaming video encoders used for internet live streaming — are these in CRA scope?
Yes. A streaming encoder with network connectivity and updateable firmware is a product with digital elements in scope for the CRA. If the encoder connects to internet streaming platforms and processes live video, it is a meaningful attack target (content injection, service disruption). Default class applies to most consumer encoders; professional broadcast-grade encoders may be Class I.
Our AV equipment firmware is based on an open-source media framework (FFmpeg, GStreamer) — how do we handle SBOM obligations?
FFmpeg and GStreamer have active CVE histories. You must include them and all their codec dependencies in your SBOM and monitor for CVEs. Both projects publish security advisories. Use automated SBOM scanning tools (Trivy, Grype) against your firmware build to detect known vulnerabilities. You are responsible as the manufacturer for patching these components in your shipped firmware — the open-source project does not take responsibility for your product's security.
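The SBOM item in section 1 and this FAQ both come down to the same mechanical check that Trivy and Grype perform against real vulnerability feeds: match each SBOM component against advisories by package and affected version range. The Go program below is an added example, not code from this page or from either tool; it runs the check over a constructed CycloneDX fragment and constructed advisory records (the EXAMPLE-000n identifiers and version ranges are placeholders, not real CVEs or real FFmpeg/libvorbis history).

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// BOM holds the only part of a CycloneDX document this check needs.
type BOM struct {
	Components []Component `json:"components"`
}

type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"`
}

// Advisory is a simplified, constructed vulnerability record: affected
// package, first affected version (inclusive) and first fixed version
// (exclusive). An empty bound means "unbounded" on that side.
type Advisory struct {
	ID, Package, Introduced, Fixed string
}

type Match struct {
	Component Component
	Advisory  Advisory
}

func part(p []string, i int) string {
	if i < len(p) {
		return p[i]
	}
	return "0" // "4.4" compares equal to "4.4.0"
}

// CompareVersions orders dotted versions numerically per segment, so
// "4.4.10" > "4.4.9"; non-numeric segments fall back to string order.
func CompareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	n := len(as)
	if len(bs) > n {
		n = len(bs)
	}
	for i := 0; i < n; i++ {
		x, y := part(as, i), part(bs, i)
		xi, xerr := strconv.Atoi(x)
		yi, yerr := strconv.Atoi(y)
		if xerr == nil && yerr == nil {
			if xi < yi {
				return -1
			}
			if xi > yi {
				return 1
			}
			continue
		}
		if c := strings.Compare(x, y); c != 0 {
			return c
		}
	}
	return 0
}

func affected(v string, adv Advisory) bool {
	if adv.Introduced != "" && CompareVersions(v, adv.Introduced) < 0 {
		return false
	}
	if adv.Fixed != "" && CompareVersions(v, adv.Fixed) >= 0 {
		return false
	}
	return true
}

// ScanBOM returns every (component, advisory) pair whose package name and
// version range line up. Real scanners match on purl/CPE, not bare names.
func ScanBOM(bomJSON []byte, advisories []Advisory) ([]Match, error) {
	var bom BOM
	if err := json.Unmarshal(bomJSON, &bom); err != nil {
		return nil, fmt.Errorf("sbom parse: %w", err)
	}
	var out []Match
	for _, c := range bom.Components {
		for _, a := range advisories {
			if strings.EqualFold(c.Name, a.Package) && affected(c.Version, a) {
				out = append(out, Match{c, a})
			}
		}
	}
	return out, nil
}

// sampleBOM is a constructed CycloneDX fragment for a media-processing firmware.
const sampleBOM = `{"bomFormat":"CycloneDX","specVersion":"1.4","components":[
 {"name":"ffmpeg","version":"4.4.1","purl":"pkg:generic/ffmpeg@4.4.1"},
 {"name":"gstreamer","version":"1.20.3","purl":"pkg:generic/gstreamer@1.20.3"},
 {"name":"libvorbis","version":"1.3.7","purl":"pkg:generic/libvorbis@1.3.7"},
 {"name":"libopus","version":"1.3.1","purl":"pkg:generic/libopus@1.3.1"}]}`

// sampleAdvisories are constructed placeholders, not real advisories.
var sampleAdvisories = []Advisory{
	{ID: "EXAMPLE-0001", Package: "ffmpeg", Introduced: "4.0", Fixed: "4.4.2"},
	{ID: "EXAMPLE-0002", Package: "gstreamer", Introduced: "1.18", Fixed: "1.20.0"},
	{ID: "EXAMPLE-0003", Package: "libvorbis", Introduced: "", Fixed: "1.3.8"},
}

func main() {
	matches, err := ScanBOM([]byte(sampleBOM), sampleAdvisories)
	if err != nil {
		panic(err)
	}
	for _, m := range matches {
		fmt.Printf("%s %s@%s (fixed in %s)\n", m.Advisory.ID, m.Component.Name, m.Component.Version, m.Advisory.Fixed)
	}
}
```

On the sample it reports ffmpeg 4.4.1 against EXAMPLE-0001 and libvorbis 1.3.7 against EXAMPLE-0003, and clears gstreamer 1.20.3 because it is at or past the fixed version. The point for the CRA obligation is the loop, not the toy feed: the check must run against the actual firmware build's SBOM on every advisory update, and each match needs an owner and a patched firmware release, because the upstream project will not ship that for you.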