CRA Compliance Checklist: Fire Safety & Detection Systems
Annex III Class II — networked fire detection and suppression systems are safety-critical life safety infrastructure requiring third-party conformity assessment
Networked fire detection and suppression systems are life safety infrastructure — their failure or compromise can result in loss of life. Networked fire alarm control panels, addressable fire detection systems, and remotely managed suppression systems are classified as Annex III Class II under the CRA, requiring third-party Notified Body conformity assessment. Manufacturers must also address the intersection with the Construction Products Regulation (CPR) and EN 54 standards.
1. Scope & Classification
Confirm networked fire alarm control panels, detection systems, and suppression controllers are Annex III Class II
Networked fire safety systems are life safety critical infrastructure. CRA Annex III Class II applies. Third-party Notified Body assessment is mandatory.
Engage a Notified Body with fire safety and industrial cybersecurity expertise for Class II Type Examination
Fire safety Notified Bodies may also be accredited for CRA assessment. Verify Notified Body CRA designation before engagement. Lead times for complex safety system assessments can be 9–12 months.
Assess the intersection with Construction Products Regulation (CPR) and EN 54 standards — CRA cybersecurity and CPR essential performance requirements must both be met
Fire detection products for permanent installation in buildings must meet CPR essential requirements. CRA adds cybersecurity requirements to the CPR framework. Coordinate both compliance tracks.
Compile SBOM covering fire alarm control panel firmware, addressable device firmware, network communication modules, and remote monitoring clients
Modern fire systems include complex software stacks. Track all firmware versions and components for CVEs. Particular attention to communication stack components (Ethernet, BACnet, proprietary protocols).
2. Product Security (Annex I Part I)
Implement strong authentication for all fire system management interfaces — prevent unauthorised alarm inhibition or suppression activation
Unauthorised access to fire alarm control panels could allow alarm inhibition (disabling detection) or false suppression activation. MFA is required for all management access.
Ensure safety functions cannot be disabled via network commands — alarm activation and suppression control must have hardware-enforced fail-safe behaviour
Life safety functions must be independent of network security. A cyber attack must not be able to disable fire detection or prevent suppression activation. Hardware fail-safe circuits are mandatory.
Implement tamper-evident audit logging for all configuration changes, alarm acknowledgments, and system tests
Fire safety audit logs are required for regulatory compliance and incident investigation. Logs must be stored in a tamper-evident, centralised system accessible to fire safety authorities.
Encrypt all remote monitoring and management communications for fire systems connected to monitoring centres
Fire system remote monitoring links to alarm receiving centres must be encrypted. An attacker able to inject false alarms or suppress real alarms via the monitoring link creates immediate life safety risk.
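A minimal sketch of the tamper-evident audit logging item in this section, added here as an example and not code from this checklist's publisher. Each record's HMAC covers the previous record's MAC, so edits and deletions break the chain, and the latest MAC held by the central store exposes truncation of the tail. Function names, record fields, the key handling and the sample events are constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used as "previous MAC" for the first record

def _mac(key: bytes, prev: str, body: dict) -> str:
    # Canonical JSON so the MAC does not depend on dictionary key order.
    payload = prev.encode() + json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def append_event(log: list, key: bytes, ts: str, actor: str, kind: str, detail: str) -> dict:
    """Append one record whose MAC also covers the previous record's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    body = {"seq": len(log), "ts": ts, "actor": actor, "kind": kind, "detail": detail}
    record = dict(body, mac=_mac(key, prev, body))
    log.append(record)
    return record

def verify_log(log: list, key: bytes, expected_head=None):
    """Return (ok, index of the first bad record or None)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "mac"}
        expected = _mac(key, prev, body)
        if body.get("seq") != i or not hmac.compare_digest(str(rec.get("mac", "")), expected):
            return False, i
        prev = rec["mac"]
    # Dropping records from the tail leaves a valid chain, so compare the
    # last MAC with the head value the central log store recorded separately.
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, None

def build_sample_log():
    """Constructed sample: one event of each type the checklist item names."""
    key = b"constructed-demo-key"  # assumption: real key is held by the central store
    log = []
    append_event(log, key, "2025-01-10T08:00:00Z", "eng1", "config_change", "zone 4 sensitivity changed")
    append_event(log, key, "2025-01-10T08:05:00Z", "op2", "alarm_ack", "zone 2 alarm acknowledged")
    append_event(log, key, "2025-01-10T09:00:00Z", "eng1", "system_test", "weekly sounder test")
    return log, key
```

Verification needs the key, so it runs on the central log store rather than on the panel; a design where third parties verify without the key would use signatures instead of an HMAC.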
3. CVD Policy & Vulnerability Handling
Publish a CVD policy with a dedicated life safety security contact and expedited response process
Vulnerabilities in life safety systems require the fastest possible response. Define an expedited vulnerability response process for fire safety critical vulnerabilities.
Provide security patches that can be deployed without disrupting fire system operation — document patching procedures aligned with EN 54 commissioning requirements
Security patches for live fire systems must be applied without creating windows of reduced protection. Define patching procedures that maintain system functionality throughout. Align with EN 54 testing requirements.
Define a security support lifecycle of at least 10 years for fire safety infrastructure given long installation cycles
Fire system installations last 10–25 years. A 10-year minimum security support commitment is appropriate. Publish per-product end dates and provide migration support well in advance.
4. Article 14 Incident Reporting
Define Article 14 triggers for fire system incidents — any exploitation affecting detection capability, alarm inhibition, or suppression control is highest severity
Any actively exploited vulnerability that could affect fire detection or suppression is a life safety emergency and an immediate Article 14 trigger. Pre-define criteria and escalation paths.
Coordinate Article 14 reporting with building regulatory authorities and fire safety enforcement bodies as required by national fire regulations
Fire system cybersecurity incidents may require notifications to fire safety authorities under national building regulations in addition to CRA Article 14 (ENISA). Pre-plan all notification tracks.
5. CE Marking & Conformity Assessment
Complete Notified Body Type Examination and obtain certificate before CE marking
Class II fire safety systems must not be CE-marked or placed on the market without a Notified Body certificate. Engage early given the complexity of fire safety system assessments.
Prepare integrated CRA and CPR technical file demonstrating both cybersecurity and essential performance requirements
Fire safety technical files must address both CPR essential performance characteristics and CRA cybersecurity requirements. An integrated approach with the Notified Body is recommended.
Issue EU Declaration of Performance (DoP) under CPR and EU Declaration of Conformity under CRA — coordinate both
CPR requires a Declaration of Performance; CRA requires a Declaration of Conformity. Both are required for fire safety products installed in buildings in the EU.
Frequently asked
Our fire alarm system uses proprietary radio protocols — does CRA require us to open-source or document the protocol?
No. CRA does not require open-sourcing or public disclosure of proprietary protocols. However, the security of the protocol must be demonstrable. Your technical documentation must include a security analysis of the protocol showing it resists eavesdropping, replay attacks, and injection. If the protocol relies on security through obscurity alone, this will not satisfy CRA requirements.
We supply standalone addressable smoke detectors that connect to a fire alarm control panel — who holds CRA obligations for the complete system?
Both you (detector manufacturer) and the control panel manufacturer hold CRA obligations for your respective products. If a systems integrator assembles detectors and control panel into a complete fire system and places it on the market, they may take on manufacturer responsibilities for the integrated system. Each component manufacturer must provide CRA technical documentation to integrators. The system integrator must ensure the complete system meets CRA requirements.
How does the life safety nature of fire systems affect the Article 14 reporting threshold?
Article 14 applies when a vulnerability is actively exploited with significant impact. For fire safety systems, the threshold for 'significant impact' is lower than for most product categories — any exploitation that could affect detection capability, create false alarms at scale, or compromise suppression control creates immediate life safety risk. This should be treated as a highest-priority Article 14 trigger.