CRA Compliance Checklist: Drones & Unmanned Aerial Vehicles
Annex III Class II likely for C2 and above drone categories — interaction with EU Drone Regulation (EU) 2019/947; lower-category consumer drones may be Default or Class I
Drones and unmanned aerial vehicles operate in a complex regulatory environment combining the CRA and EU Drone Regulation (EU) 2019/947. Higher-category drones (C2 and above) capable of BVLOS operations, remote identification, and integration with UTM systems are likely Annex III Class II under the CRA. Consumer toy drones in the lowest categories may be Default class. Manufacturers must map each product to both regulatory frameworks.
1. Scope & Classification
Map each drone product to EU Drone Regulation category (C0-C6) and assess CRA classification accordingly
C0 toy drones are likely Default CRA class. C1-C2 consumer/prosumer drones may be Class I. C3+ professional and commercial drones supporting BVLOS or critical operations are likely Class II.
Assess whether EU Drone Regulation provides equivalent cybersecurity requirements constituting a CRA exclusion
The EU Drone Regulation (2019/947) does not currently provide comprehensive cybersecurity requirements equivalent to CRA Annex I. Most drone manufacturers should plan for full CRA compliance.
For Class II drones, engage a Notified Body for Type Examination — note that EU Drone Regulation Notified Bodies and CRA Notified Bodies may be different entities
Ensure your Notified Body is designated under the CRA (not just EU Drone Regulation). Some bodies are designated for both.
Compile SBOM covering flight controller firmware, ground control software, remote ID module, and telemetry systems
Drone firmware stacks include flight controller firmware (ArduPilot, PX4, or proprietary), companion computer software, and remote ID modules. All must be tracked.
2. Product Security (Annex I Part I)
Implement authenticated and encrypted command and control links — prevent unauthorised control takeover
Unauthenticated or unencrypted C2 links are exploitable for drone hijacking. Implement mutual authentication and encryption for all command and control communications. Consider FHSS and anti-jamming measures.
Implement EU Remote Identification (Remote ID) securely — protect the integrity of Remote ID broadcasts
Remote ID broadcasts must be tamper-resistant. Implement cryptographic signing of Remote ID messages where technically feasible to prevent spoofing.
Implement geo-fencing with integrity protection — prevent software bypass of airspace restrictions
Geo-fencing must be robust against software bypass. Zone data must be cryptographically integrity-protected, and fail-safe behaviour (land or return-to-home) must be implemented for the case where zone data fails integrity verification.
Implement signed firmware updates with rollback protection for all drone firmware
Drone firmware updates must be signed and verified before installation, and rollback protection should prevent downgrading to older versions with known vulnerabilities. A known-good firmware image must nonetheless remain available as a recovery fallback if a new version causes issues.
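As an added example (not from this checklist or from any drone project), the following Python shows the two controls above together: integrity-protected geo-fence zone data with a fail-safe decision when verification fails, and a monotonic version check of the kind rollback protection relies on. HMAC-SHA256 with a device-provisioned key and the bundle layout are assumptions standing in for a production signature scheme (e.g. Ed25519 with the public key anchored in secure hardware).

```python
import hashlib
import hmac
import json
import math
import struct

TAG_LEN = 32  # HMAC-SHA256 digest length


def pack_zone_bundle(key: bytes, version: int, zones: list) -> bytes:
    """Constructed format: 4-byte big-endian version || JSON zones || HMAC tag."""
    body = struct.pack(">I", version) + json.dumps(zones).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_zone_bundle(bundle: bytes, key: bytes, last_version: int):
    """Return the zone list if the tag verifies and the version is newer than
    the last accepted one; None if tampered, truncated, or rolled back."""
    if len(bundle) < 4 + TAG_LEN:
        return None
    body, tag = bundle[:-TAG_LEN], bundle[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                      # integrity failure: do not trust zones
    version = struct.unpack(">I", body[:4])[0]
    if version <= last_version:
        return None                      # anti-rollback: reject stale zone data
    return json.loads(body[4:])


def distance_m(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in metres (haversine)."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def flight_decision(zones, lat, lon) -> str:
    """Fail-safe policy: no trusted zone data -> return_to_home;
    inside a restricted circle -> block; otherwise allow."""
    if zones is None:
        return "return_to_home"
    for z in zones:
        if distance_m(lat, lon, z["lat"], z["lon"]) <= z["radius_m"]:
            return "block"
    return "allow"


# Constructed demo key and zone (coordinates chosen for illustration only).
KEY = b"constructed-demo-key-not-for-production"
ZONES = [{"name": "airport", "lat": 52.3086, "lon": 4.7639, "radius_m": 5000}]
```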
3. CVD Policy & Vulnerability Handling
Publish a CVD policy for flight controller, ground control, and companion software vulnerabilities
Drone security research is an active field. Remote control hijacking and geo-fence bypass vulnerabilities are of particular public safety interest. A responsive CVD policy is essential.
Define security support lifecycle appropriate to drone operational lifecycles — minimum 3 years for consumer, 7 years for professional drones
Consumer drones have shorter lifecycles; professional inspection and commercial drones are used for many years. Publish per-product support end dates.
4. Article 14 Incident Reporting
Define Article 14 triggers for drone incidents — focus on C2 link hijacking, geo-fence bypass, Remote ID spoofing, and fleet-scale exploitation
An actively exploited vulnerability enabling mass drone hijacking or geo-fence bypass near airports is a critical Article 14 trigger with national security implications.
Coordinate Article 14 ENISA reporting with EASA and national aviation authority notifications for safety-critical drone incidents
Safety-critical drone cybersecurity incidents may require parallel notifications to ENISA (CRA Article 14) and national aviation authorities (safety incident reporting). Pre-plan coordination.
5. CE Marking & Technical Documentation
Prepare integrated CRA and EU Drone Regulation technical file — coordinate CE marking requirements across both frameworks
Drone technical files must satisfy both EU Drone Regulation category requirements and CRA cybersecurity requirements. Integrate documentation to avoid duplication.
Issue EU Declaration of Conformity referencing both the CRA and EU Drone Regulation
A single DoC can reference both frameworks. Affix the C-class label as required by EU Drone Regulation alongside CRA CE marking requirements.
Frequently asked questions
My drone uses open-source flight controller firmware (ArduPilot/PX4) — how do I handle the SBOM and CVE obligations?
Using open-source flight controller firmware does not exempt you from CRA obligations as the product manufacturer. You must include ArduPilot or PX4 and all their dependencies in your SBOM. Both projects publish security advisories and have security teams. Subscribe to their advisories, monitor CVEs for all included components, and deliver patches to your customers. You may also contribute security fixes upstream.
Do racing drones and FPV drones require CRA compliance?
This depends on whether they are placed on the EU market as products. Racing drones sold as consumer products are in scope. FPV drones built by individuals for personal use (not sold commercially) may be outside scope as non-commercial hobby products. However, any FPV or racing drone sold as a finished product or kit to the EU market is in scope. Check whether your product qualifies as C0 or a higher drone category.
We manufacture drones for military use — does CRA apply?
Products designed for military or national security use are excluded from CRA scope under Article 2(4). However, if you also sell commercial or civilian variants of the same drone platform to the EU market, those commercial variants are in scope. Dual-use products require careful classification.