CRA Compliance Checklist: Digital Signage & Display Systems
Default category: digital signage hardware and software are consumer and commercial products with digital elements. Annex III (important products) is defined by product category, and signage is not listed there, so signage remains a default product regardless of where it is installed, unless a component of the product independently matches an Annex III category.
Digital signage systems — including commercial displays, media players, content management systems (CMS), and interactive display platforms — are products with digital elements subject to the CRA. While classified as Default, digital signage systems in public spaces present risks including unauthorised content injection, privacy violations through connected cameras, and use as botnet infrastructure. Manufacturers must implement robust security practices.
1. Scope & Classification
Confirm all networked digital signage players, displays with embedded computers, and signage management software are in CRA scope
Any digital signage player, display with network connectivity and updateable firmware, or signage CMS is a product with digital elements. Map all products in your portfolio.
Check whether any product in the portfolio matches an Annex III category in its own right; deployment context alone does not change the class
Deployment in airports, train stations or emergency notification systems does not by itself make a signage product an important product under the CRA, because Annex III is defined by product category, not by the site where the product is installed. It does raise the bar for the cybersecurity risk assessment Article 13 requires you to document, and the operator of such a site may have NIS2 obligations that it passes down to you as contractual security requirements.
Compile SBOM covering signage player OS (often Android or embedded Linux), media player software, CMS client, and network services
Digital signage players often run a stripped Android or embedded Linux image with proprietary media player software on top. Include the full software stack in the SBOM, from the kernel and bootloader through libraries to the player application, in a machine-readable format such as CycloneDX or SPDX covering at least the top-level dependencies, as Annex I Part II requires.
2. Product Security (Annex I Part I)
Eliminate universal default credentials — ship a unique per-device credential or force a credential change at first setup for every player management interface
Shared factory defaults such as admin/admin on signage players are a recurring cause of fleet-wide compromise: one leaked password unlocks every unit. Annex I requires a secure-by-default configuration and protection against unauthorised access; meet it with per-device unique credentials or a mandatory first-boot setup that refuses to serve content until the default is replaced, and rate-limit login attempts on the management interface.
Implement content authentication — sign content packages at the CMS and verify the signature on the player before anything is rendered
Unauthorised content injection on digital signage causes reputational damage or public misinformation. Sign a manifest of each package (file digests plus a monotonically increasing version) with a CMS key whose public half is pinned on the player at provisioning. The player rejects any package whose signature fails, whose file digests do not match the manifest, or whose version is not newer than the last one accepted, so a captured old package cannot be replayed onto the screen.
Encrypt and authenticate all management communications between signage players and the CMS — TLS with certificate validation against a pinned CMS certificate or private CA, not TLS alone
CMS-to-player traffic must use TLS, and the player must validate the server certificate: a client that skips verification is still encrypted but will talk to any attacker who terminates the connection on the path, who can then inject arbitrary content. Authenticate the player to the CMS as well (mutual TLS or a per-device token) so an attacker cannot enrol a rogue player or pull the fleet's content inventory.
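The following Go program is an added example, not code from the page or from any signage vendor, showing the difference between "encrypted" and "authenticated" on the player side. It spins up two in-memory HTTPS servers: one presenting the genuine CMS certificate and one presenting an attacker's self-signed certificate for the same hostname, standing in for a TLS-terminating device on the path. A player client configured with InsecureSkipVerify accepts the attacker's playlist; a client that pins the CMS certificate and checks the hostname rejects it. The hostname cms.example, the /playlist path and the playlist bodies are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// cmsHost is the hostname the player expects on the CMS certificate (assumed for the example).
const cmsHost = "cms.example"

// selfSignedCert builds an in-memory self-signed certificate for cmsHost. One call
// yields the genuine CMS certificate provisioned on the player; a second call yields
// the attacker's certificate, which is just as valid-looking but from another key.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cmsHost},
		DNSNames:              []string{cmsHost},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// newCMS starts an HTTPS server that presents cert and serves a fixed playlist.
func newCMS(cert tls.Certificate, playlist string) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, playlist)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	return srv
}

// weakClientConfig is the shortcut many field deployments ship with: the link is
// encrypted, but any certificate is accepted, so whoever terminates TLS on the path
// becomes the CMS from the player's point of view.
func weakClientConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true, ServerName: cmsHost}
}

// hardenedClientConfig trusts only the pinned CMS certificate and verifies the
// hostname, so a certificate from any other issuer fails the handshake.
func hardenedClientConfig(pinned *x509.Certificate) *tls.Config {
	roots := x509.NewCertPool()
	roots.AddCert(pinned)
	return &tls.Config{RootCAs: roots, ServerName: cmsHost, MinVersion: tls.VersionTLS12}
}

// fetchPlaylist is the player's poll of the CMS using the given TLS settings.
func fetchPlaylist(url string, cfg *tls.Config) (string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Get(url + "/playlist")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

func main() {
	genuineCert, genuineLeaf, _ := selfSignedCert()
	attackerCert, _, _ := selfSignedCert()
	mitm := newCMS(attackerCert, `{"items":["defaced.html"]}`) // constructed attacker playlist
	defer mitm.Close()
	body, err := fetchPlaylist(mitm.URL, weakClientConfig())
	fmt.Printf("weak client vs attacker:   body=%q err=%v\n", body, err)
	_, err = fetchPlaylist(mitm.URL, hardenedClientConfig(genuineLeaf))
	fmt.Printf("pinned client vs attacker: err=%v\n", err)
	genuine := newCMS(genuineCert, `{"items":["promo.mp4"]}`) // constructed genuine playlist
	defer genuine.Close()
	body, err = fetchPlaylist(genuine.URL, hardenedClientConfig(genuineLeaf))
	fmt.Printf("pinned client vs genuine:  body=%q err=%v\n", body, err)
}
```

The pinned client fails with a certificate-verification error against the attacker and succeeds against the genuine server; the weak client accepts both. In a real player the pinned certificate or private CA belongs in the provisioning image, not in a file the CMS can push, or an attacker who controls the channel can also replace the trust anchor.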
Implement automatic security update delivery for the signage OS and media player software, enabled by default
Digital signage devices are often deployed and forgotten. Annex I requires that security updates can be installed automatically, enabled by default with a clear opt-out, so the fleet stays patched without a technician at each screen. Deliver updates through the same signed-package and anti-rollback mechanism used for content, stage rollouts rather than updating every screen at once, and keep a known-good image so a player whose update fails can recover without a site visit.
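The following Go program is an added example, not code from the page or from any signage vendor, of the verification a player should run on both content packages (item 2 above on content authentication) and update packages (this item) before using anything from them. The CMS side hashes each asset into a manifest and signs the manifest with Ed25519; the player verifies the signature against a pinned public key first, then enforces a monotonically increasing version to block replay of an old package, then checks every asset digest and rejects any file the manifest does not list. The manifest layout, file names and asset bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest lists every asset in a content or update package with its SHA-256
// digest, plus a version that must only ever increase (anti-rollback).
type Manifest struct {
	Version uint64            `json:"version"`
	Files   map[string]string `json:"files"` // path -> hex SHA-256 of the asset bytes
}

// SignedPackage is what the CMS publishes: the raw manifest bytes, an Ed25519
// signature over exactly those bytes, and the asset bytes keyed by path.
type SignedPackage struct {
	Manifest  []byte
	Signature []byte
	Assets    map[string][]byte
}

// Player holds the pinned CMS public key (provisioned at manufacture or first
// setup, never fetched over the network) and the last package version accepted.
type Player struct {
	CMSPublicKey ed25519.PublicKey
	LastVersion  uint64
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("package version not newer than installed")
	ErrHashMismatch = errors.New("asset digest does not match manifest")
	ErrListMismatch = errors.New("asset set does not match manifest")
)

// Verify checks a package in the order a player must: the manifest signature
// first, so nothing unsigned is ever parsed as trusted; then the version; then
// every asset digest. LastVersion advances only when everything passes, and the
// caller renders or installs assets only after a nil error.
func (p *Player) Verify(pkg SignedPackage) error {
	if !ed25519.Verify(p.CMSPublicKey, pkg.Manifest, pkg.Signature) {
		return ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(pkg.Manifest, &m); err != nil {
		return fmt.Errorf("manifest parse: %w", err)
	}
	if m.Version <= p.LastVersion {
		return ErrRollback
	}
	for path, data := range pkg.Assets {
		want, ok := m.Files[path]
		if !ok {
			return fmt.Errorf("%w: unlisted %s", ErrListMismatch, path)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%w: %s", ErrHashMismatch, path)
		}
	}
	// Every shipped asset is listed and matches; now make sure nothing listed is missing.
	if len(pkg.Assets) != len(m.Files) {
		return fmt.Errorf("%w: listed asset missing", ErrListMismatch)
	}
	p.LastVersion = m.Version
	return nil
}

// BuildPackage is the CMS side: digest each asset, then sign the manifest.
func BuildPackage(priv ed25519.PrivateKey, version uint64, assets map[string][]byte) (SignedPackage, error) {
	m := Manifest{Version: version, Files: map[string]string{}}
	for path, data := range assets {
		sum := sha256.Sum256(data)
		m.Files[path] = hex.EncodeToString(sum[:])
	}
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedPackage{}, err
	}
	return SignedPackage{Manifest: raw, Signature: ed25519.Sign(priv, raw), Assets: assets}, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed assets standing in for a playlist and a video file.
	assets := map[string][]byte{"playlist.json": []byte(`{"items":["promo.mp4"]}`), "promo.mp4": []byte("video bytes")}
	player := &Player{CMSPublicKey: pub}
	pkg, _ := BuildPackage(priv, 1, assets)
	fmt.Println("genuine v1:", player.Verify(pkg))
	fmt.Println("replayed v1:", player.Verify(pkg))
	defaced := map[string][]byte{"playlist.json": assets["playlist.json"], "promo.mp4": []byte("defaced")}
	pkg2, _ := BuildPackage(priv, 2, assets)
	pkg2.Assets = defaced
	fmt.Println("tampered asset in v2:", player.Verify(pkg2))
}
```

The signature covers the manifest rather than each file individually, so one signature protects the whole set, and the player still has to compare every digest before rendering; signing only a playlist while leaving the media it references unauthenticated is the common mistake. The same code path serves update packages: a firmware image is just another asset with a digest, and the version check stops an attacker from pushing a signed but older, vulnerable release.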
3. CVD Policy & Vulnerability Handling
Publish a coordinated vulnerability disclosure policy and a security contact for the signage platform
Digital signage platforms attract both researchers and opportunistic attackers. A published policy and a reachable security contact let researchers report findings privately instead of disclosing them in public, and Annex I Part II requires the manufacturer to have and enforce such a policy.
Define the security support period for signage hardware — at least 5 years per unit from when it is placed on the market, longer if the deployment lifetime is longer
Commercial signage deployments last 5–7 years. Article 13 requires the support period to reflect the expected time in use and to be at least 5 years unless a shorter lifetime is documented, so the last unit you sell sets the end of support for that model. Publish per-model end-of-support dates and keep security updates available for the whole period.
4. Article 14 Incident Reporting
Define Article 14 triggers — an actively exploited vulnerability in the player or CMS software, and severe incidents affecting the product's security such as mass content injection across a fleet, use of the signage network as botnet infrastructure, or exposure of connected camera streams
Article 14 is triggered by an actively exploited vulnerability in the product and by a severe incident having an impact on the security of the product. A compromise that enables simultaneous content injection across thousands of screens is a severe incident. The deadlines run from awareness: an early warning within 24 hours, a notification within 72 hours, and a final report within 14 days for an exploited vulnerability or one month for a severe incident.
Prepare the Article 14 notification procedure — assign owners, pre-draft notification templates, and rehearse against the 24-hour and 72-hour deadlines
Notifications go through the single reporting platform to the CSIRT designated as coordinator and to ENISA. Decide in advance who classifies an event, who approves a submission, and what evidence each stage must contain: affected models and versions, indicators of compromise, and the corrective or mitigating measures taken.
5. CE Marking & Technical Documentation
Prepare CRA technical file including signage player security architecture, content authentication design, SBOM, and update mechanism
Technical documentation should demonstrate the content authentication chain from CMS to player and the mechanism for preventing unauthorised content.
Issue EU Declaration of Conformity referencing the CRA and affix CE marking before EU market placement
A single EU Declaration of Conformity lists all applicable Union harmonisation legislation; it must reference the CRA, and for displays or players with Wi-Fi or Bluetooth radios it must also reference the Radio Equipment Directive.
Frequently asked
Our digital signage players run Android — does using Android satisfy any CRA security requirements?
Android provides a security foundation but does not by itself satisfy any CRA requirement; the obligations rest with you as the manufacturer of the player. You must still enable verified boot where the hardware supports it, deliver Android security patches to deployed players, disable services the player does not need (debug bridges, unused radios, open management ports), and implement content authentication. Signage players are often built on SoC vendor board support packages that stop receiving Android updates long before the 5-year support period ends, so secure a patch supply from your SoC vendor, commit to a cadence aligned with the Android Security Bulletins, and document how patches reach players in the field.
Our CMS is cloud-based — is the cloud platform in CRA scope?
Partly. The CRA covers remote data processing solutions designed by or on behalf of the manufacturer without which the product could not perform its functions. If your players depend on your cloud CMS to obtain content, configuration and updates, that CMS is in scope as remote data processing of the player, and its security is part of the player's conformity. A cloud service sold independently of any product of yours is not a product with digital elements and falls outside the CRA. In either case the player hardware and firmware and any locally installed CMS client are in scope, and the channel between player and CMS must use TLS with certificate validation and authenticate both ends.
Our signage displays include cameras for audience measurement — does this add any CRA obligations?
Yes. Images of members of the public are personal data under the GDPR, and facial analysis becomes special-category biometric data where it is used to uniquely identify a person, so audience measurement with cameras needs a valid legal basis and a DPIA. Under CRA Annex I the confidentiality, integrity and data minimisation requirements apply to the camera pipeline: process frames on the device and transmit only aggregate counts where that meets the purpose, encrypt any camera data that leaves the device, and ensure the camera stream cannot be reached by unauthorised parties, for example by disabling network-accessible camera endpoints by default. A camera that can be viewed remotely also widens the attack surface the risk assessment must cover.