Sector: Agriculture. Deadline: September 2026

CRA Compliance Checklist: Environmental Monitoring Sensors

Default to Annex III Class I — environmental monitoring sensors are products with digital elements; Class I may apply to sensors integrated into critical environmental regulatory or emergency systems

Environmental monitoring sensors — including air quality monitors, water quality sensors, weather stations, soil sensors, and flood detection systems — are products with digital elements subject to the CRA. Most are Default class, but sensors integrated into official environmental regulatory monitoring networks or emergency warning systems may be Annex III Class I. Compromise of environmental monitoring data could have public health, regulatory, and emergency response implications.

14 checklist items, 10 high priority

1. Scope & Classification

Confirm all networked environmental sensors with updateable firmware are products with digital elements in CRA scope

Priority: high. Reference: Article 3(1)

Any environmental sensor with network connectivity (cellular, Wi-Fi, LoRaWAN, NB-IoT) and updateable firmware is in scope. Purely analog sensors are not.

Assess Class I classification for sensors integrated into official regulatory monitoring networks, early warning systems, or critical environmental infrastructure

Priority: medium. Reference: Annex III, Class I

Sensors feeding data into official air quality networks (with public health advisory implications) or flood early warning systems serving as public safety infrastructure may be Class I.

Compile SBOM covering sensor firmware, communication stack (LoRaWAN, cellular, Wi-Fi), and cloud platform components

Priority: high. Reference: Article 10(6)

Environmental sensor SBOMs should include embedded firmware, LPWAN communication stack, and any cloud API SDK used for data upload. Track all components for CVEs.

2. Product Security (Annex I Part I)

Implement per-device unique authentication credentials — never use shared credentials across sensor networks

Priority: high. Reference: Annex I, Part I(2)

Shared credentials across environmental sensor networks mean a single credential compromise affects all sensors. Use unique per-device certificates or keys provisioned at manufacture.

Implement data integrity protection for sensor readings — detect and reject tampered or replayed measurement data

Priority: high. Reference: Annex I, Part I(1)

Tampered environmental data can lead to incorrect public health decisions or regulatory non-compliance. Sign or HMAC all sensor readings so tampering in transit can be detected.
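One way to combine the per-device keys and the signed, replay-protected readings described in the two items above, as an added example that is not part of the original checklist. The device IDs, key bytes, message layout and function names are constructed for illustration, and a monotonic per-device counter is assumed as the replay defence.

```python
import hashlib
import hmac
import json

# Constructed sample key store: one 32-byte key per device, standing in for
# keys provisioned at manufacture. Device IDs and key bytes are made up.
DEVICE_KEYS = {
    "aq-0001": bytes.fromhex("11" * 32),
    "aq-0002": bytes.fromhex("22" * 32),
}


def sign_reading(device_id, key, counter, reading):
    """Sensor side: bind device ID, counter and reading under HMAC-SHA256."""
    body = json.dumps(
        {"device": device_id, "counter": counter, "reading": reading},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


class ReadingVerifier:
    """Platform side: check the tag, then enforce a strictly rising counter."""

    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # device_id -> highest counter accepted so far

    def verify(self, claimed_device, message):
        # claimed_device is assumed to come from the transport identity.
        key = self.keys.get(claimed_device)
        if key is None:
            return None, "unknown-device"
        body = message["body"].encode()
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        # Constant-time comparison; parse the body only after the tag checks out.
        if not hmac.compare_digest(expected.encode(), message["tag"].encode()):
            return None, "bad-mac"
        fields = json.loads(body)
        if fields["device"] != claimed_device:
            return None, "device-mismatch"
        if fields["counter"] <= self.last_counter.get(claimed_device, -1):
            return None, "replay"
        self.last_counter[claimed_device] = fields["counter"]
        return fields["reading"], "ok"
```

Both sides have to persist their counter state across reboots, otherwise the replay check resets with it.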

Encrypt all sensor data transmissions using appropriate protocols for the connectivity technology (TLS for MQTT, LoRaWAN security suite, etc.)

Priority: high. Reference: Annex I, Part I(3)

Implement encryption appropriate to the connectivity technology. LoRaWAN: use OTAA with 128-bit AES. MQTT over cellular: use TLS 1.3. Wi-Fi: WPA3 with TLS for data upload.

Implement signed firmware updates for remote sensor deployment scenarios — support secure offline update for field maintenance

Priority: high. Reference: Annex I, Part I(9)

Environmental sensors are deployed in remote locations. Support both OTA updates (when connectivity allows) and secure offline update via authenticated field maintenance procedures.

3. CVD Policy & Vulnerability Handling

Publish a CVD policy and security contact for environmental sensor platform vulnerabilities

Priority: high. Reference: Article 13(1)

Environmental monitoring platforms are increasingly targeted as data sources for regulatory and public health decisions. A CVD policy enables responsible disclosure.

Define security support lifecycle appropriate to environmental monitoring deployment cycles — minimum 7 years

Priority: high. Reference: Annex I, Part II(5)

Environmental sensors are deployed for 7–15 years. Commit to a long security support period and publish per-product end-of-support dates.

Provide security patches deployable in field-deployed, low-connectivity sensor networks

Priority: medium. Reference: Annex I, Part II(1)

Support patch delivery mechanisms appropriate to your connectivity technology. For LoRaWAN networks, coordinate patch delivery with network server operators.

4. Article 14 Incident Reporting

Define Article 14 triggers — focus on exploitation enabling false environmental readings at scale, particularly for air quality or water quality regulatory networks

Priority: medium. Reference: Article 14(1)

Mass injection of false readings into a public air quality network is a potential Article 14 trigger with public health implications.

Prepare Article 14 notification procedure — assign owners for each reporting milestone

Priority: medium. Reference: Article 14(2)

Pre-prepare notification templates. Use the CVD Portal Article 14 timeline tool to plan your notification process.

5. CE Marking & Technical Documentation

Prepare CRA technical file covering sensor security architecture, data integrity mechanisms, SBOM, and update process

Priority: high. Reference: Article 23, Annex V

Technical documentation should demonstrate that sensor data integrity is protected end-to-end from sensor to platform.

Issue EU Declaration of Conformity referencing the CRA for all in-scope environmental monitoring products

Priority: high. Reference: Article 20, Article 22

DoC must reference the CRA. For radio-enabled sensors, also reference the Radio Equipment Directive.


Frequently asked

Our air quality sensors feed data to a city's official air quality monitoring network — does this change our CRA classification?

It may. Sensors providing data to official regulatory monitoring networks that inform public health decisions or emergency responses have greater potential impact if compromised, which may support a Class I classification. Consult the CRA Annex III criteria and consider voluntary engagement with the competent authority about classification. Regardless of classification, all Annex I security requirements apply.

Our sensors measure environmental parameters only — there is no personal data involved. Does GDPR still apply?

If your sensors do not collect personal data, GDPR does not apply to the sensor data itself. However, if your platform requires user accounts, registration, or stores location data that could identify individuals, GDPR applies to that data. CRA applies independently of GDPR and requires you to protect the product's security regardless of personal data involvement.

We supply sensors to research institutions who deploy them in field networks — who is the manufacturer for CRA purposes?

If you manufacture the sensors and place them on the market for sale to research institutions, you are the manufacturer and hold CRA obligations. The research institution that deploys and operates them is the operator. If the research institution develops their own custom sensors for their own use (not for commercial sale), they are the manufacturer for their own internal deployment, but this is generally outside CRA scope as non-commercial.
