Sector: Networking & IT. Deadline: September 2026.

CRA Compliance Checklist: Enterprise Networking Equipment

CRA classification: Important, Class I (network management tools) or Class II (hardware firewalls) — see Annex III.

Enterprise networking equipment — switches, firewalls, load balancers, and network management systems — spans multiple Annex III classifications. Hardware firewalls are Class II Important products; network management software and monitoring tools are Class I Important products. Both require third-party conformity assessment.

15 checklist items, all high priority.

1. Annex III Classification

Classify hardware firewall products as Annex III Class II — engage notified body for EU type-examination

Priority: high. Reference: Annex III, Class II.

Standalone hardware firewalls are explicitly listed as Class II Important Products. Third-party examination is mandatory.

Classify network management, monitoring, and SIEM products as Annex III Class I

Priority: high. Reference: Annex III, Class I.

Network management systems, IDS/IPS software, and SIEM tools are Class I Important Products. Third-party audit required.

Verify classification for switches, routers, and access points — most are Default class unless marketed for critical infrastructure

Priority: high. Reference: Annex III.

General-purpose enterprise switches are typically Default class. Products marketed specifically for OT/SCADA use may be Class II.

2. Product Security

Implement role-based access control (RBAC) for all management interfaces

Priority: high. Reference: Annex I, Part I(3).

Network equipment management interfaces must enforce least-privilege access. Admin, read-only, and operator roles should be separated.

Enforce MFA or certificate-based authentication for management access

Priority: high. Reference: Annex I, Part I(3).

Password-only authentication is insufficient for enterprise network equipment. MFA or mutual TLS is required.

Disable insecure management protocols (Telnet, SNMPv1/v2c, HTTP) by default

Priority: high. Reference: Annex I, Part I(5).

All management access must use encrypted, authenticated protocols — SSH, SNMPv3, HTTPS only.
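As an added illustration of this check (not code from this checklist or from any vendor), the Go program below audits a device configuration for the protocols named above and reports every line that enables one. The IOS-style command syntax, the rule table and both sample configurations are constructed for the example; a real audit would carry one rule table per platform.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one insecure-protocol hit in a device configuration.
type Finding struct {
	Line   int    // 1-based line number in the config
	Text   string // the offending configuration line
	Reason string // why it violates "encrypted, authenticated management only"
}

// Each rule pairs a regular expression over one configuration line with the
// reason it is flagged. The syntax is IOS-style and constructed for this example.
var insecureRules = []struct {
	re     *regexp.Regexp
	reason string
}{
	{regexp.MustCompile(`^\s*transport input .*\btelnet\b`), "Telnet enabled on a VTY line (cleartext credentials)"},
	{regexp.MustCompile(`^\s*snmp-server community\b`), "SNMPv1/v2c community string (unauthenticated, unencrypted)"},
	{regexp.MustCompile(`^\s*ip http server\b`), "plaintext HTTP management server enabled"},
	{regexp.MustCompile(`^\s*no ip http secure-server\b`), "HTTPS management server explicitly disabled"},
	{regexp.MustCompile(`^\s*snmp-server group \S+ v3 noauth\b`), "SNMPv3 group configured without authentication"},
}

// AuditConfig scans a running-config and returns every line that enables an
// insecure management protocol. An empty result means the config passes.
func AuditConfig(config string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(config, "\n") {
		for _, rule := range insecureRules {
			if rule.re.MatchString(line) {
				findings = append(findings, Finding{Line: i + 1, Text: strings.TrimSpace(line), Reason: rule.reason})
				break // one finding per line is enough
			}
		}
	}
	return findings
}

// Constructed sample: a shipping default that fails the check.
const insecureDefault = `hostname edge-sw01
ip http server
no ip http secure-server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
`

// Constructed sample: the hardened equivalent (credential fields are placeholders).
const hardenedDefault = `hostname edge-sw01
no ip http server
ip http secure-server
snmp-server group netops v3 priv
snmp-server user monitor netops v3 auth sha AUTH-PLACEHOLDER priv aes 128 PRIV-PLACEHOLDER
line vty 0 4
 transport input ssh
`

func main() {
	for _, f := range AuditConfig(insecureDefault) {
		fmt.Printf("line %d: %s  <- %s\n", f.Line, f.Text, f.Reason)
	}
	fmt.Printf("hardened config findings: %d\n", len(AuditConfig(hardenedDefault)))
}
```

Running the audit in CI against the factory-default configuration catches a regression in the "secure by default" requirement before it reaches a release image; the same function can be pointed at customer-exported configs during support engagements.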

Implement signed firmware/software updates with rollback protection

Priority: high. Reference: Annex I, Part I(9).

Enterprise network equipment is a high-value compromise target. Firmware integrity is critical.
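The following Go program is an added example (not code from this checklist or from any vendor's bootloader) of the two device-side checks this item asks for: an Ed25519 signature over a firmware manifest, and an anti-rollback version counter. The manifest layout (4-byte big-endian version followed by the image's SHA-256) and the sample image are constructed assumptions; a shipping product would use a standardised envelope and keep the public key and the installed-version counter in tamper-resistant storage.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed header that travels with a firmware image.
// Constructed layout for this example: version || sha256(image), signed with ed25519.
type Manifest struct {
	Version uint32
	Digest  [32]byte
	Sig     []byte // ed25519 signature over payload()
}

// payload serialises the fields the signature covers.
func (m Manifest) payload() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.Digest[:])
	return buf
}

// NewSigningKey stands in for the vendor's offline signing key (generated fresh here).
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignFirmware is the build-pipeline side: hash the image, bind it to a version, sign.
func SignFirmware(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	m.Sig = ed25519.Sign(priv, m.payload())
	return m
}

var (
	ErrBadSignature   = errors.New("manifest signature invalid")
	ErrDigestMismatch = errors.New("image digest does not match manifest")
	ErrRollback       = errors.New("version is not newer than the installed version")
)

// VerifyUpdate is the device side. pub is the vendor key trusted by the bootloader;
// installed is the persisted anti-rollback counter. The signature is checked first
// so the digest and version comparisons never run on unauthenticated data.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	if !ed25519.Verify(pub, m.payload(), m.Sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrDigestMismatch
	}
	if m.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, version 2")
	m := SignFirmware(priv, 2, image)
	fmt.Println("genuine update onto v1:", VerifyUpdate(pub, 1, m, image))
	fmt.Println("same image replayed onto v2:", VerifyUpdate(pub, 2, m, image))
	fmt.Println("modified image:", VerifyUpdate(pub, 1, m, []byte("constructed firmware image, version 2!")))
}
```

Note that rollback protection only holds if the device advances the installed-version counter after a successful flash and refuses to decrement it; signing alone would still let an old, validly signed image with a known vulnerability be re-installed.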

Maintain comprehensive security event logging with syslog export and SIEM integration

Priority: high. Reference: Annex I, Part I(8).

Enterprise customers expect rich security logging. Logs must be tamper-evident and exportable.
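One way to make an exported log tamper-evident, shown here as an added example rather than anything from this checklist or a particular vendor, is to hash-chain the records: each record's hash covers the previous hash, so an edit, deletion or reordering after export breaks every later link. The record layout, the genesis value and the three syslog lines are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// ChainedRecord is one exported syslog line plus the hash linking it to its predecessor.
type ChainedRecord struct {
	Seq  uint64
	Msg  string // the syslog line, unchanged
	Hash string // hex SHA-256(prevHash || "|" || seq || "|" || msg)
}

// link computes the hash for one record; constructed framing for this example.
func link(prev string, seq uint64, msg string) string {
	h := sha256.New()
	h.Write([]byte(prev))
	h.Write([]byte(fmt.Sprintf("|%d|", seq)))
	h.Write([]byte(msg))
	return hex.EncodeToString(h.Sum(nil))
}

// BuildChain wraps raw syslog lines into a chain anchored at genesis (an agreed
// constant, or the head hash of the previous export batch).
func BuildChain(genesis string, lines []string) []ChainedRecord {
	prev := genesis
	out := make([]ChainedRecord, 0, len(lines))
	for i, msg := range lines {
		seq := uint64(i + 1)
		rec := ChainedRecord{Seq: seq, Msg: msg, Hash: link(prev, seq, msg)}
		out = append(out, rec)
		prev = rec.Hash
	}
	return out
}

// VerifyChain recomputes every link and returns the 1-based position of the first
// broken record, or 0 when the chain is intact.
func VerifyChain(genesis string, recs []ChainedRecord) int {
	prev := genesis
	for i, rec := range recs {
		if rec.Seq != uint64(i+1) || link(prev, rec.Seq, rec.Msg) != rec.Hash {
			return i + 1
		}
		prev = rec.Hash
	}
	return 0
}

// Constructed sample lines from a switch management plane (RFC 5424 style).
var sampleLog = []string{
	"<85>1 2026-03-01T09:12:01Z edge-sw01 sshd - - - Accepted publickey for netadmin from 10.0.5.21",
	"<85>1 2026-03-01T09:12:08Z edge-sw01 aaa - - - user netadmin role operator command 'show running-config'",
	"<84>1 2026-03-01T09:13:40Z edge-sw01 aaa - - - user netadmin role operator command 'configure terminal' DENIED",
}

func main() {
	recs := BuildChain("genesis-constructed", sampleLog)
	fmt.Println("intact chain, first broken record:", VerifyChain("genesis-constructed", recs))
	recs[2].Msg = "<84>1 2026-03-01T09:13:40Z edge-sw01 aaa - - - user netadmin role operator command 'configure terminal' OK"
	fmt.Println("after editing record 3, first broken record:", VerifyChain("genesis-constructed", recs))
}
```

A chain alone does not detect truncation of the tail, since a shorter chain still verifies. The collector therefore has to record the expected head hash or record count out of band, for example by having the device periodically sign the current head and forward it to the SIEM.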

Conduct pre-release vulnerability scanning of all firmware and software releases

Priority: high. Reference: Annex I, Part I(1).

Enterprise networking equipment is a high-value target. Thorough pre-release security testing is non-negotiable.

3. CVD & PSIRT

Establish a formal PSIRT with documented charter, SLAs, and executive sponsorship

Priority: high. Reference: Article 13.

Annex III Class I/II manufacturers are expected to have a mature PSIRT function. A shared inbox is insufficient.

Publish CVD policy with researcher-friendly language and safe harbour protections

Priority: high. Reference: Article 13(1).

Enterprise networking vendors receive significant researcher attention. A clear, welcoming CVD policy is important for community relations.

Register as a CVE Numbering Authority (CNA) or partner with a coordinating CNA

Priority: high. Reference: Annex I, Part II(3).

Enterprise networking vendors typically register as CNAs. This speeds up CVE assignment and improves customer confidence.

Publish CSAF 2.0 security advisories for all CVE-assigned vulnerabilities

Priority: high. Reference: Annex I, Part II(2).

Enterprise customers parse CSAF advisories for automated vulnerability management. This is table stakes for enterprise networking vendors.
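To show what a machine-readable CSAF 2.0 advisory looks like and how a PSIRT pipeline can gate on its mandatory fields before publication, here is an added Go example (not code from this checklist, from OASIS, or from any vendor). It builds a minimal document in the csaf_security_advisory profile and checks a subset of the fields the CSAF 2.0 base and security-advisory profiles require; full validation means running the published JSON Schema. The publisher name and namespace, product ids, dates and the CVE id are all placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// BuildAdvisory returns a minimal CSAF 2.0 document in the csaf_security_advisory
// profile. Every value is a constructed placeholder (ids, names, dates, CVE).
func BuildAdvisory(id, cve, released string) map[string]any {
	return map[string]any{
		"document": map[string]any{
			"category":     "csaf_security_advisory",
			"csaf_version": "2.0",
			"publisher": map[string]any{"category": "vendor", "name": "Example Networks (placeholder)",
				"namespace": "https://psirt.example.invalid"},
			"title": "Authentication bypass in management plane (constructed example)",
			"tracking": map[string]any{
				"id": id, "status": "final", "version": "1",
				"initial_release_date": released, "current_release_date": released,
				"revision_history": []any{map[string]any{"date": released, "number": "1", "summary": "Initial release"}},
			},
			"notes": []any{map[string]any{"category": "summary", "text": "Placeholder summary."}},
		},
		"product_tree": map[string]any{"full_product_names": []any{
			map[string]any{"product_id": "CSAFPID-0001", "name": "ExampleOS 4.1 (placeholder)"},
			map[string]any{"product_id": "CSAFPID-0002", "name": "ExampleOS 4.2 (placeholder)"},
		}},
		"vulnerabilities": []any{map[string]any{
			"cve":   cve,
			"notes": []any{map[string]any{"category": "description", "text": "Placeholder description."}},
			"product_status": map[string]any{"known_affected": []any{"CSAFPID-0001"}, "fixed": []any{"CSAFPID-0002"}},
		}},
	}
}

// required lists mandatory paths from the CSAF 2.0 base profile plus the
// security-advisory profile's product_tree/notes/product_status rules (a subset of
// the schema). "[]" means "every element of the array".
var required = strings.Fields(`
document/category document/csaf_version document/publisher/category
document/publisher/name document/publisher/namespace document/title
document/tracking/id document/tracking/status document/tracking/version
document/tracking/initial_release_date document/tracking/current_release_date
document/tracking/revision_history/[]/date document/tracking/revision_history/[]/number
document/tracking/revision_history/[]/summary product_tree
vulnerabilities/[]/notes vulnerabilities/[]/product_status`)

// present walks a path through nested maps; "[]" fans out over a non-empty array.
func present(v any, parts []string) bool {
	if len(parts) == 0 {
		return v != nil
	}
	if parts[0] == "[]" {
		arr, ok := v.([]any)
		if !ok || len(arr) == 0 {
			return false
		}
		for _, e := range arr {
			if !present(e, parts[1:]) {
				return false
			}
		}
		return true
	}
	obj, ok := v.(map[string]any)
	if !ok {
		return false
	}
	return present(obj[parts[0]], parts[1:])
}

// Missing returns the mandatory paths the document lacks, including the profile rule
// that each vulnerability carries a cve or an ids entry. Empty means publishable.
func Missing(doc map[string]any) []string {
	var out []string
	for _, p := range required {
		if !present(doc, strings.Split(p, "/")) {
			out = append(out, p)
		}
	}
	if vulns, ok := doc["vulnerabilities"].([]any); ok {
		for i, v := range vulns {
			if !present(v, []string{"cve"}) && !present(v, []string{"ids"}) {
				out = append(out, fmt.Sprintf("vulnerabilities/%d/cve or ids", i))
			}
		}
	}
	return out
}

func main() {
	doc := BuildAdvisory("EXAMPLE-SA-2026-0001", "CVE-0000-0000", "2026-03-01T10:00:00Z")
	fmt.Println("missing fields:", Missing(doc))
	out, _ := json.MarshalIndent(doc, "", "  ")
	fmt.Println(string(out))
}
```

Because the check runs on the generic map form, it works equally on documents parsed back from JSON, which is how a publication step would use it: render, reparse, refuse to publish if Missing returns anything.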

4. Article 14 Incident Reporting

Monitor for active exploitation of your products via threat intelligence feeds and researcher reports

Priority: high. Reference: Article 14(1).

Enterprise networking CVEs are frequently exploited within days. Establish automated monitoring for PoC publication and exploitation reports.

Pre-establish Article 14 notification relationships with national CSIRTs

Priority: high. Reference: Article 14(1).

For enterprise networking vendors, pre-establishing CSIRT relationships before an incident enables faster 24h notification.


Frequently asked questions

Our firewall is sold as both a hardware appliance and a virtual machine — do both require third-party assessment?

The hardware firewall appliance is explicitly listed as Annex III Class II and requires EU type-examination. The virtual machine version's classification is less clear — it functions as a firewall but is implemented as software. Legal guidance is recommended, but most interpretations would classify it similarly to the hardware version given equivalent functionality.

We sell the same hardware to both enterprise and service provider customers — does classification differ?

Classification is based on the product's function and the markets it is sold into, not just the buyer type. If the product is marketed and capable of being used in critical infrastructure contexts (telco, data centres serving critical services), it may face stricter classification scrutiny.
