CRA Compliance Checklist: Consumer Routers & Modems
Default Class for consumer use — Important Class II if marketed for industrial or SCADA use
Consumer routers and modems are high-value targets for attackers and face specific CRA requirements around default credentials, remote management security, and firmware update integrity. Routers marketed for home use are Default class; those marketed for industrial or critical infrastructure use may be Annex III Class II.
1. Scope & Classification
Confirm the product is a network-connecting device in scope for the CRA
All routers, modems, and access points that connect to networks are in scope.
Verify whether the product is marketed for industrial or SCADA use — if so, review Annex III Class II
Industrial-grade routers may require third-party conformity assessment.
Compile a full SBOM covering firmware, OS (e.g. OpenWrt-based), and all packages
Router firmware typically includes hundreds of open-source packages. Each must be tracked for known CVEs.
2. Product Security (Annex I Part I)
Eliminate all hardcoded or universal default passwords — require unique credentials or forced first-use setup
Default credentials on routers are a leading cause of mass compromise. CRA explicitly prohibits insecure defaults.
Disable remote management interfaces (SSH, Telnet, web admin) on the WAN interface by default
Remote management reachable from the WAN port is a critical security risk. It must be opt-in only.
Implement signed firmware updates verified by the device before installation
Without signature checks, anyone who can deliver a firmware image to the device can run arbitrary code on it. Cryptographic signature verification is mandatory.
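As an added example (not from the checklist's publisher), a minimal Go model of the signed-update check: the build side appends an Ed25519 signature over the image digest, and the device refuses to install anything whose signature does not verify against its embedded public key. The image layout, key pair and payload are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed image layout for this example, not a real vendor format:
// image = payload || 64-byte Ed25519 signature over SHA-256(payload).
const sigLen = ed25519.SignatureSize

// SignImage is the vendor build step: it appends a signature made with the
// release signing key, which stays in the build environment and never ships.
func SignImage(priv ed25519.PrivateKey, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	image := append([]byte{}, payload...)
	return append(image, ed25519.Sign(priv, digest[:])...)
}

// VerifyImage is the device-side check that must pass before a single byte is
// written to flash. The release public key is baked into the running firmware.
func VerifyImage(pub ed25519.PublicKey, image []byte) ([]byte, error) {
	if len(image) <= sigLen {
		return nil, errors.New("image too short to carry a signature")
	}
	payload, sig := image[:len(image)-sigLen], image[len(image)-sigLen:]
	digest := sha256.Sum256(payload)
	if !ed25519.Verify(pub, digest[:], sig) {
		return nil, errors.New("signature check failed: refusing to install")
	}
	return payload, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // one-off key pair for the demo
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed firmware payload v1.2.3") // stand-in for a real image
	image := SignImage(priv, payload)
	_, err = VerifyImage(pub, image)
	fmt.Println("genuine image accepted:", err == nil) // true
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0x01 // flip one payload bit, as a modified image would
	_, err = VerifyImage(pub, tampered)
	fmt.Println("tampered image accepted:", err == nil) // false
}
```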
Enable automatic security update notification or opt-in automatic updates
Users must be notified of available security updates and be able to apply them easily.
Scan all firmware packages against CVE databases before each release
Use automated SBOM scanning. Router firmware often includes vulnerable versions of OpenSSL, dnsmasq, and other components.
Implement network segmentation capabilities to isolate IoT devices
Guest network and VLAN support reduces attack surface across connected devices.
Log security events — admin access, firmware updates, WAN connection events
Tamper-evident logging supports incident investigation under Article 14.
3. CVD Policy & Vulnerability Handling
Publish a CVD policy and security.txt file at /.well-known/security.txt
Consumer router manufacturers receive vulnerability reports from security researchers. A clear CVD policy is essential.
Establish a monitored inbox for vulnerability reports with a 48-hour acknowledgment SLA
Router vulnerabilities attract significant researcher interest. Ensure the inbox is monitored around the clock.
Define a firmware support lifecycle with end-of-life dates published per model
Router support lifecycles are often 3–5 years. The CRA requires the support period to be appropriate to the product's expected use life, which is typically longer.
Publish CVEs and security advisories for all vulnerabilities fixed in firmware updates
Release notes alone are insufficient. Issue formal CVEs and public advisories.
4. Article 14 Incident Reporting
Establish monitoring for active exploitation of router vulnerabilities in the wild
Subscribe to threat intelligence feeds. Router firmware CVEs are frequently exploited within days of disclosure.
Document 24h/72h/14-day Article 14 notification procedure with responsible owners
Active exploitation of routers (e.g. Mirai-style botnets) is common. Prepare your escalation process in advance.
5. CE Marking & Conformity
Compile technical file with firmware security assessment, SBOM, and CVD policy documentation
The technical file must be available to market surveillance authorities within 10 business days of a request.
Complete cybersecurity risk assessment addressing router-specific threats
Router-specific threats include DNS hijacking, credential brute-force, lateral movement, and botnet recruitment.
Issue EU Declaration of Conformity and affix CE marking
The DoC must reference the CRA and declare compliance with the Annex I requirements.
Track your Consumer Routers & Modems compliance progress in CVD Portal.
Public CVD submission portal, Article 14 deadline alerts, SBOM tracking, and CSAF advisory generation. Free forever for manufacturers.
Frequently asked questions
Do mesh Wi-Fi systems count as routers under the CRA?
Yes. Mesh Wi-Fi systems function as network routers and are in scope for the CRA. Each node in a mesh system is a product with digital elements. The entire system, including satellite nodes, must comply.
What firmware update frequency is required by the CRA?
The CRA does not mandate a specific update frequency. It requires that security vulnerabilities be addressed 'without undue delay' and that updates be delivered free of charge. Industry practice suggests monthly security updates as a minimum for actively supported router firmware.
My router uses OpenWrt — how do I handle SBOM for open-source components?
OpenWrt publishes package manifests that can serve as a starting point for your SBOM. You must track CVEs for all included packages. Tools like Trivy, Grype, or Dependency-Track can automate CVE scanning against your firmware package list.
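To make the scanning step concrete for the SBOM items in sections 1 and 2 and for this OpenWrt question, here is an added Go example (not the page's own tooling, and no substitute for Trivy, Grype or Dependency-Track): it parses a constructed `opkg list-installed`-style manifest, strips the OpenWrt package revision, and flags packages whose upstream version predates the fix in a constructed advisory table with placeholder ids. The version comparison handles OpenSSL-style letter suffixes, which a plain string comparison gets wrong.

```go
package main

import (
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample in `opkg list-installed` style ("name - version"); not from a real device.
const manifest = "dnsmasq - 2.85-1\nlibopenssl1.1 - 1.1.1k-1\nbusybox - 1.33.1-6"
// Constructed advisory table: package -> {first fixed upstream version, placeholder id}; not real CVE data.
var advisories = map[string][2]string{
	"dnsmasq":       {"2.86", "ADVISORY-PLACEHOLDER-1"},
	"libopenssl1.1": {"1.1.1l", "ADVISORY-PLACEHOLDER-2"},
	"busybox":       {"1.33.1", "ADVISORY-PLACEHOLDER-3"}, // installed version is already the fixed one
}
var tokens = regexp.MustCompile(`\d+|[A-Za-z]+`) // version components: numeric runs and letter runs

// VersionLess reports whether a is older than b: numbers compare numerically, letter
// runs (OpenSSL's "1.1.1k") lexically, and a shorter prefix ("1.1.1") is older.
func VersionLess(a, b string) bool {
	ta, tb := tokens.FindAllString(a, -1), tokens.FindAllString(b, -1)
	for i := 0; i < len(ta) && i < len(tb); i++ {
		na, errA := strconv.Atoi(ta[i])
		nb, errB := strconv.Atoi(tb[i])
		if errA == nil && errB == nil {
			if na != nb {
				return na < nb
			}
		} else if ta[i] != tb[i] { // letter vs letter, or number vs letter (digits sort before letters)
			return ta[i] < tb[i]
		}
	}
	return len(ta) < len(tb)
}

// FindVulnerable parses the manifest and maps each package whose upstream version predates the fix
// to its advisory id. The OpenWrt revision ("2.85-1" -> "2.85") is dropped first; assumes no hyphen upstream.
func FindVulnerable(text string, adv map[string][2]string) map[string]string {
	hits := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		if name, ver, ok := strings.Cut(line, " - "); ok {
			ver, _, _ = strings.Cut(ver, "-")
			if a, found := adv[name]; found && VersionLess(ver, a[0]) {
				hits[name] = a[1]
			}
		}
	}
	return hits
}
```

Run `FindVulnerable(manifest, advisories)` against the constructed data and it flags dnsmasq and libopenssl1.1 but not busybox, whose installed version already matches the fix.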
Need a CVD policy for Consumer Routers & Modems?
Download a free CRA-compliant disclosure policy template and deploy it in minutes.