CRA Compliance Checklist: E-Readers & Consumer Tablets
Classification: Default. Consumer tablets and e-readers are general-purpose consumer devices and are not listed in Annex III unless they are used in critical or industrial contexts.
E-readers and consumer tablets are among the most widely deployed consumer products with digital elements. They run complex software stacks, connect to app stores and cloud services, and often store sensitive personal data. As Default-class products under the CRA, manufacturers must implement all Annex I security requirements, maintain vulnerability disclosure processes, and support timely security updates.
1. Scope & Classification
Confirm all network-connected tablets and e-readers with software are in scope for the CRA
Any tablet or e-reader that connects to Wi-Fi, cellular, or Bluetooth and runs updateable software is a product with digital elements. Confirm all SKUs.
Compile a full SBOM covering the device OS, pre-installed applications, and firmware components
Consumer tablets typically run Android, iOS, or a proprietary OS. Include all pre-installed apps, runtime libraries, and kernel modules in the SBOM.
Assess whether education-sector or enterprise-managed tablet deployments attract different CRA obligations
The same hardware deployed in schools or enterprise environments may be assessed differently. In most cases the manufacturer's obligations are unchanged — the operator takes on additional duties.
2. Product Security (Annex I Part I)
Implement verified secure boot ensuring only signed OS images can be loaded on the device
Verified secure boot prevents an attacker with physical access from loading a modified or unsigned OS image. It must be enabled by default and must not be easy to disable without explicit user action.
Enforce full-device encryption for user data at rest with hardware-backed key protection
User files, credentials, and app data must be encrypted using device-bound hardware keys. This protects data when devices are lost or stolen.
Deliver timely OS security patches — monthly security patch cadence is industry standard and aligns with CRA expectations
The CRA requires that security vulnerabilities be remediated 'without undue delay.' A regular, published patch cadence demonstrates compliance.
Apply sandboxing and permission controls to isolate apps from each other and from system resources
App isolation prevents a compromised app from accessing data from other apps. Review and enforce your permission model against minimum-privilege principles.
3. CVD Policy & Vulnerability Handling
Publish a CVD policy with a security contact, acknowledgment timeline, and disclosure process
Tablets and e-readers are targeted by security researchers. A public CVD policy and responsive security team are both required and good practice.
Define and publish security update support duration per device model from date of last sale
The CRA requires that the support period be appropriate to the expected use. For tablets, 3–5 years from last sale is a common commitment; consider publishing it per model.
Publish security advisories and CVE IDs for all vulnerabilities fixed in OS updates
Generic patch notes are insufficient for transparency. Issue formal CVEs and advisories for all security fixes.
4. Article 14 Incident Reporting
Establish a detection process for actively exploited zero-days targeting your device OS or firmware
In-the-wild exploitation of tablet OS vulnerabilities (e.g. privilege escalation, remote code execution) triggers Article 14 reporting. Monitor threat intelligence sources.
Prepare and test the Article 14 notification process — 24h early warning, 72h notification, 14-day final report
Assign roles for incident identification, legal review, and ENISA reporting. Use the CVD Portal Article 14 timeline tool to plan your process.
5. CE Marking & Technical Documentation
Prepare technical file with security architecture, SBOM, penetration test report, and CVD documentation
Technical documentation must be complete before the CE marking is affixed, and it must be retained for 10 years after the last product is placed on the market.
Issue EU Declaration of Conformity and affix CE marking before sale in the EU
The DoC must reference the CRA and the specific product models covered. A single DoC may cover a product family if the security architecture is shared.
Track your E-Readers & Consumer Tablets compliance progress in CVD Portal.
Public CVD submission portal, Article 14 deadline alerts, SBOM tracking, and CSAF advisory generation. Free forever for manufacturers.
Frequently asked questions
Our e-reader runs a custom OS — does CRA still apply, or only to Android devices?
CRA applies to all products with digital elements regardless of the OS. Custom, proprietary, or Linux-based operating systems are all in scope. The requirements — secure boot, CVD policy, update support, SBOM — apply equally regardless of the underlying OS.
We manufacture tablets but our app store is operated by a third party — who is responsible for app security?
The device manufacturer is responsible for the security of the platform, firmware, and pre-installed software. Third-party app developers are responsible for their own apps. However, the platform operator (which may be the manufacturer) has obligations to provide a secure runtime environment and app review processes that prevent malicious apps.
How many years of security updates does the CRA require for consumer tablets?
The CRA requires a support period 'appropriate to the nature of the product and its reasonably foreseeable use.' For consumer tablets, this is generally interpreted as 3–5 years from the date of last sale. The support period must be clearly communicated to consumers at point of sale.
Need a CVD policy for E-Readers & Consumer Tablets?
Download a free CRA-compliant disclosure policy template and deploy it in minutes.