Sector: Safety | Deadline: September 2026

CRA Compliance Checklist: Intruder Alarm & Security Systems

Annex III Class II for systems protecting critical infrastructure or high-security facilities — Annex III Class I for commercial security systems; Default for basic consumer alarm products

Intruder alarm and security systems range from consumer burglar alarms to commercial grade monitored alarm systems protecting critical facilities. The CRA classification depends on deployment context: systems protecting critical infrastructure are Class II; commercial security systems are likely Class I; basic consumer alarm products may be Default. All networked alarm systems must meet CRA Annex I requirements regardless of classification.

15 checklist items | 15 high priority | Deadline: September 2026 | Sector: Safety

1. Scope & Classification

Classify each product by deployment context: Class II for critical infrastructure protection, Class I for commercial, Default for consumer

Priority: high | Reference: Annex III, Class I / Class II

Security systems protecting nuclear sites, power stations, government buildings, or financial institutions are Class II. Commercial grade systems (Grade 3/4 per EN 50131) are likely Class I. Basic consumer systems may be Default.

For Class II products, engage a Notified Body for Type Examination before market placement

Priority: high | Reference: Article 24, Annex VIII

Critical infrastructure security systems require Notified Body assessment. Engage a body with both security system and cybersecurity expertise.

Assess intersection with EN 50131 grading requirements — security grade and CRA classification are related but distinct

Priority: high | Reference: Article 6, CRA / EN 50131

EN 50131 grades define resistance to attack. Higher EN 50131 grades (Grade 3, 4) correlate with higher CRA classification. Align your CRA compliance with your EN 50131 grade claims.

Compile SBOM covering alarm panel firmware, communication module firmware, monitoring platform software, and mobile app

Priority: high | Reference: Article 10(6)

Modern alarm systems include alarm panel firmware, cellular/IP communication modules, cloud monitoring platforms, and user mobile apps. All are products with digital elements requiring SBOM.

2. Product Security (Annex I Part I)

Implement tamper detection for all alarm system components — physical tamper must trigger an alert even under power failure

Priority: high | Reference: Annex I, Part I(7)

Alarm system tamper detection must function under attack conditions including mains power removal. Implement tamper circuits with battery backup and encrypted tamper alerts to the monitoring centre.

Encrypt all communications between alarm panels, sensors, and monitoring centres — resist eavesdropping and replay attacks

Priority: high | Reference: Annex I, Part I(3)

Alarm communication jamming and interception are known attack vectors. Implement end-to-end encryption for all alarm signals and use frequency-hopping or channel diversity for wireless systems.

Implement strong authentication for alarm panel programming and remote management — prevent unauthorised disarm

Priority: high | Reference: Annex I, Part I(2)

Engineer codes, installer codes, and remote access credentials must be unique per installation. Shared installer codes across all panels are a critical vulnerability. Support role-based access.

Implement anti-jamming detection and alert — notify when wireless jamming is detected rather than silently failing

Priority: high | Reference: Annex I, Part I(5)

RF jamming to prevent alarm transmission is a known attack technique. Implement jamming detection and generate alerts when jamming is detected. Align with EN 50131 jamming requirements for the relevant grade.
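The replay-resistance requirement in the encrypted-communications item above, shown as an added example that is not part of the original checklist or any vendor's code: the panel authenticates each sensor frame and accepts it only if its counter is higher than the last one seen from that device. The frame layout, key-derivation label and all names are assumptions; the block covers authentication and replay rejection only, and confidentiality would need an AEAD cipher on top.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct(">IQB")  # assumed layout: device id, counter, event code
TAG_LEN = 16                    # truncated HMAC-SHA256 tag (assumed size)


def device_key(site_key: bytes, device_id: int) -> bytes:
    """Derive a per-device key so one extracted sensor key exposes one sensor."""
    label = b"alarm-frame-v1" + struct.pack(">I", device_id)  # assumed label
    return hmac.new(site_key, label, hashlib.sha256).digest()


def seal(key: bytes, device_id: int, counter: int, event: int) -> bytes:
    """Sensor side: header plus a tag computed over the whole header."""
    header = HEADER.pack(device_id, counter, event)
    return header + hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]


class PanelReceiver:
    """Panel side: verify the tag, then require a strictly increasing counter."""

    def __init__(self, site_key: bytes, enrolled: set):
        self._site_key = site_key
        # Highest counter accepted per device; a real panel must persist this
        # across power loss, otherwise old frames become valid again.
        self._last = {device_id: 0 for device_id in enrolled}

    def accept(self, frame: bytes) -> str:
        if len(frame) != HEADER.size + TAG_LEN:
            return "reject:length"
        device_id, counter, event = HEADER.unpack(frame[:HEADER.size])
        if device_id not in self._last:
            return "reject:unknown-device"
        key = device_key(self._site_key, device_id)
        expected = seal(key, device_id, counter, event)
        if not hmac.compare_digest(frame, expected):  # constant-time compare
            return "reject:tag"
        if counter <= self._last[device_id]:
            return "reject:replay"  # a previously captured frame sent again
        self._last[device_id] = counter
        return f"accept:event={event}"


if __name__ == "__main__":
    site = bytes(range(32))  # constructed key, for demonstration only
    panel = PanelReceiver(site, {7})
    frame = seal(device_key(site, 7), 7, 1, 0x02)
    print(panel.accept(frame), panel.accept(frame))
```

The tag is checked before the counter so that a forged frame can never advance the stored counter and lock out the genuine sensor.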

3. CVD Policy & Vulnerability Handling

Publish a CVD policy and security contact for alarm system hardware and software vulnerabilities

Priority: high | Reference: Article 13(1)

Security system vulnerabilities enabling silent disarm or monitoring centre disconnection are extremely sensitive. A rapid, confidential CVD process is essential.

Provide cryptographically signed firmware updates — ensure updates can be delivered without creating security windows during installation

Priority: high | Reference: Annex I, Part II(1)

Security patch deployment on live alarm systems must be carefully managed. Updates should not require system disarm or communication disconnection during installation.

Define security support lifecycle appropriate to alarm system installation lifecycles — minimum 7 years for commercial, 10 years for critical infrastructure

Priority: high | Reference: Annex I, Part II(5)

Commercial alarm systems are installed for 7–15 years. Publish per-product security support end dates and provide replacement planning guidance.

4. Article 14 Incident Reporting

Define Article 14 triggers — focus on exploitation enabling remote disarm, communication link suppression, or monitoring centre disconnection

Priority: high | Reference: Article 14(1)

An actively exploited vulnerability enabling remote disarm of alarm systems or suppression of monitoring alerts is a serious Article 14 trigger.

Coordinate Article 14 reporting with monitoring centre operators and, for critical facility systems, relevant national security authorities

Priority: high | Reference: Article 14(2)

Security system incidents affecting critical facilities may require parallel notifications to ENISA, national security authorities, and affected monitoring centres.

5. CE Marking & Conformity Assessment

For Class I commercial systems, conduct thorough internal assessment aligning CRA Annex I with EN 50131 Grade 3+ requirements

Priority: high | Reference: Article 24, Annex VI

Grade 3/4 EN 50131 compliance evidence provides a strong foundation for CRA Class I self-assessment. Document the mapping between EN 50131 and CRA requirements.

Issue EU Declaration of Conformity referencing the CRA for all in-scope alarm products

Priority: high | Reference: Article 20, Article 22

DoC must reference the CRA. For radio-based alarm systems, also reference the Radio Equipment Directive.

Frequently asked

Our alarm system uses PSTN/ISDN as a backup communication path — how does CRA apply to legacy telephone connections?

The CRA applies to the alarm product regardless of the communication path. However, PSTN/ISDN are being phased out across Europe (most planned by 2028). Ensure your products support IP/cellular primary and backup communications with full encryption. Legacy PSTN signalling over analogue lines lacks encryption and is vulnerable to line cut attacks — plan to transition away from PSTN-only designs.

We supply alarm systems through professional installers who programme each installation — who is responsible for CRA compliance?

You, as the manufacturer, are responsible for CRA compliance of the hardware and firmware as supplied. The installer configures the system to a specific site, and if they make substantial changes to the system's security configuration, they may take on operator obligations. Your products must ship CRA-compliant with secure defaults. Installer programming should only be able to make site-specific configurations within a secure framework you define.

Do consumer smart home security sensors (PIR, door/window sensors) sold individually need CRA compliance?

Yes. Individual wireless sensors sold as standalone products with digital elements are in CRA scope. If you sell PIR sensors, door sensors, or motion detectors with wireless communication as products, each must meet CRA requirements. Many basic consumer sensors are simple enough to be Default class with straightforward compliance paths. Ensure firmware is signed, communication is encrypted (if applicable), and a CVD policy is published.