CRA Compliance Checklist: Hotel & Hospitality Systems
Default — hotel and hospitality technology products are consumer and commercial products with digital elements; not Annex III unless handling critical infrastructure data
Hotel and hospitality technology products — including electronic door locks, in-room automation systems, property management software (PMS), guest Wi-Fi platforms, and hotel IoT devices — are products with digital elements subject to the CRA. Hotels process sensitive guest personal and payment data, and their technology systems face threats including room access compromise, guest data theft, and payment fraud. Most hospitality products are Default class.
1. Scope & Classification
Confirm all networked hotel technology products are products with digital elements in CRA scope
Electronic room locks, in-room tablets, hotel management systems, guest Wi-Fi access points, and connected HVAC controllers are all in scope. Map all products in your hospitality portfolio.
Compile SBOM covering door lock firmware, in-room controller software, PMS, and any guest-facing application
Hotel technology stacks span multiple vendors: lock management systems, PMS, point-of-sale, spa booking, and energy management. Track all components across the portfolio.
2. Product Security (Annex I Part I)
Implement cryptographic key management for electronic room lock systems — prevent key cloning and replay attacks
Electronic door lock vulnerabilities enabling room access without a valid key are a serious safety and privacy risk. Implement rolling codes, MAC-protected key cards, and replay attack prevention.
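One way to realise MAC-protected, rolling-counter key cards with replay rejection, as an added Python example that is not the page's or any lock vendor's code; the credential layout, the per-card key derivation and the counter scheme are assumptions:

```python
import hmac
import hashlib
import struct

# Added example (not vendor code): a hotel lock verifying MAC-protected,
# rolling-counter key-card credentials. Field layout and sizes are assumed.
HDR = ">QHII"          # card_id, room, valid_from, valid_until (epoch seconds)
TAG_LEN = 16           # truncated HMAC-SHA256 tag

def card_key(master_key: bytes, card_id: int) -> bytes:
    """Per-card key derived from the lock-system master key (assumed scheme)."""
    return hmac.new(master_key, struct.pack(">Q", card_id), hashlib.sha256).digest()

class KeyCard:
    """Active card: holds a per-card key and a counter that rolls on each tap."""
    def __init__(self, master_key, card_id, room, valid_from, valid_until):
        self.header = struct.pack(HDR, card_id, room, valid_from, valid_until)
        self.key = card_key(master_key, card_id)
        self.counter = 0

    def tap(self) -> bytes:
        self.counter += 1                       # rolling code: never reused
        body = self.header + struct.pack(">Q", self.counter)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag

class Lock:
    def __init__(self, master_key, room):
        self.master, self.room = master_key, room
        self.last_counter = {}                  # card_id -> highest counter accepted

    def verify(self, msg: bytes, now: int) -> str:
        if len(msg) != struct.calcsize(HDR) + 8 + TAG_LEN:
            return "malformed"
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        card_id, room, valid_from, valid_until, counter = struct.unpack(HDR + "Q", body)
        expected = hmac.new(card_key(self.master, card_id), body,
                            hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "bad_mac"                    # forged or tampered credential
        if room != self.room:
            return "wrong_room"
        if not valid_from <= now <= valid_until:
            return "outside_validity"
        if counter <= self.last_counter.get(card_id, 0):
            return "replay"                     # reused, or a clone that fell behind
        self.last_counter[card_id] = counter
        return "open"
```

A cloned card shares the original's counter state, so whichever copy is used second presents a stale counter and is refused, which makes cloning detectable at the lock rather than silent.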
Encrypt all communications between room lock management systems and front desk PMS
Lock management communications, including room assignments, check-in and check-out events, and key issuance, must be encrypted. An attacker able to intercept or tamper with this traffic could issue valid room keys.
Implement guest data encryption for PMS and all systems storing personal data — names, passport numbers, payment data
Hotel PMS data contains highly sensitive personal data: full names, passport numbers, credit card data, and stay history. Encrypt all data at rest and in transit.
Implement network segmentation for hotel IoT — isolate guest Wi-Fi, room controls, and staff systems into separate network segments
Guest Wi-Fi, room IoT devices, PMS, and payment systems must be on isolated network segments. A guest compromising the Wi-Fi network must not be able to reach room lock management or PMS.
Secure all in-room touchscreen terminals and control panels against tampering and kiosk breakout
In-room tablets and control panels in guest rooms and in public or semi-public hotel areas are physically accessible to many people. Implement kiosk lockdown and tamper-evident physical security.
3. CVD Policy & Vulnerability Handling
Publish a CVD policy for all hotel technology products — particularly lock systems and PMS
Hotel lock system vulnerabilities have been published by multiple researchers. A CVD policy enables responsible disclosure before vulnerabilities are exploited by criminals.
Define security support lifecycle for hotel lock hardware — minimum 7 years given installation investment
Hotel lock hardware installations last 7–15 years. Publish per-product security support end dates and provide migration guidance well before end of support.
4. Article 14 Incident Reporting
Define Article 14 triggers for hotel system incidents — focus on lock system compromise enabling room access, guest data exfiltration, and payment data breach
Mass compromise of hotel room locks enabling unauthorised room access is a high-severity Article 14 trigger with serious guest safety implications.
Coordinate Article 14 and GDPR breach notifications for guest personal data — hotel PMS data breaches trigger both
Guest personal data breaches (names, passport numbers, payment data) trigger both CRA Article 14 and GDPR Article 33. Prepare coordinated response procedures in advance.
5. CE Marking & Technical Documentation
Prepare CRA technical file including lock cryptographic architecture, PMS data security design, network segmentation specification, and SBOM
Hotel technology technical files should specifically address the physical security access implications of lock system vulnerabilities. Market surveillance authorities may prioritise this area.
Issue EU Declaration of Conformity referencing the CRA for all in-scope hospitality technology products
The DoC must reference the CRA. Radio-enabled products (Bluetooth locks, Wi-Fi devices) must also reference the Radio Equipment Directive.
Frequently asked
RFID hotel room keys — are these in scope for CRA?
The RFID key card itself is not in scope — it is a passive token, not a product with digital elements. However, the electronic lock that reads and validates the key card is a product with digital elements and is in scope. The lock management system and key issuance platform are also in scope. The security of the entire system (lock + management + key issuance) must be addressed.
Our hotel PMS is installed on-premises at each hotel — does CRA apply differently than a cloud PMS?
On-premises PMS software is clearly in scope as a software product with digital elements installed at hotel sites. Cloud-based PMS is generally outside CRA product scope as a service, but any locally installed software agents or on-site hardware components remain in scope. Both deployment models require the manufacturer to maintain CVD policies and provide security updates.
Hotels frequently customise our PMS — who is responsible for CRA compliance after customisation?
You are responsible for CRA compliance of your base PMS product. Hotels making substantial customisations may take on operator or manufacturer responsibilities for the modified system. However, the base product must be CRA-compliant. Provide customisation guidelines that help hotels maintain security compliance in their configurations, and clearly document which modifications are supported within the security architecture.