AgricultureDeadline: September 2026

CRA Compliance Checklist: Livestock Monitoring Systems

Default — livestock monitoring systems are products with digital elements; consumer and professional products range from simple wearable sensors to integrated farm management systems

Livestock monitoring systems — including connected ear tags, health monitoring wearables for animals, automated feeding and milking systems, and livestock management platforms — are products with digital elements in scope for the CRA. They collect sensitive farm data, often operate in remote or low-connectivity environments, and their compromise could affect animal welfare, food safety, and farm productivity. Most are Default class.

checklist items

high priority

September 2026

deadline

Agriculture

sector

Track progress free →

CRA Classification:Default — livestock monitoring systems are products with digital elements; consumer and professional products range from simple wearable sensors to integrated farm management systems

1. Scope & Classification

Confirm all networked livestock monitoring hardware and software is in CRA scope

highArticle 3(1)

Connected ear tags, health sensors, automated milking systems, feeding controllers, and associated management software are all products with digital elements.

Assess whether automated milking and feeding systems require Class I classification as safety-relevant systems

mediumAnnex III, Class I

Automated milking robots and precision feeding systems have animal welfare and food safety implications if compromised. Assess whether Class I applies to your most critical products.

Assess intersection with EU Machinery Regulation for automated milking robots and mechanical livestock handling systems

mediumArticle 6, CRA / Machinery Regulation (EU) 2023/1230

Milking robots and automated livestock handling equipment are machinery subject to the Machinery Regulation. Both safety and cybersecurity compliance are required.

Compile SBOM for all monitoring hardware firmware, sensor software, and farm management platform components

highArticle 10(6)

Livestock monitoring systems use LoRaWAN, Bluetooth, or cellular connectivity. Track all connectivity stack components, sensor firmware, and cloud platform libraries.

2. Product Security (Annex I Part I)

Implement unique per-device credentials for all livestock monitoring sensors and gateways

highAnnex I, Part I(2)

Shared credentials across a sensor network mean a single compromised credential exposes all sensors. Provision unique credentials per device using a secure manufacturing process.

Encrypt all livestock health and location data in transit and at rest — farm data is commercially sensitive

highAnnex I, Part I(3)

Livestock health data, location, and farm productivity metrics are commercially sensitive and subject to GDPR where personal data of farm workers is involved. Encrypt all data.

Implement signed firmware updates for livestock monitoring devices — support offline update for farms with limited connectivity

highAnnex I, Part I(9)

Many farms have limited or intermittent internet connectivity. Support cryptographically signed updates via both OTA (when connected) and secure offline media (USB/SD card).

Implement anomaly detection for automated feeding and milking system commands — reject out-of-range parameters

mediumAnnex I, Part I(1)

Malicious commands causing automated feeders to over- or under-dose animals could affect animal welfare and food safety. Validate all control parameters against expected ranges.

3. CVD Policy & Vulnerability Handling

Publish a CVD policy with a security contact for livestock monitoring system vulnerabilities

highArticle 13(1)

Livestock monitoring systems are increasingly connected and an emerging security research target. A CVD policy enables responsible disclosure.

Define security support lifecycle appropriate to farm equipment investment cycles — minimum 7 years

highAnnex I, Part II(5)

Livestock monitoring systems are long-term farm investments. Commit to a 7-year minimum security support period and publish per-product end-of-support dates.

4. Article 14 Incident Reporting

Define Article 14 triggers — focus on automated system manipulation affecting animal welfare, data exfiltration, and ransomware disrupting farm operations

mediumArticle 14(1)

Exploitation enabling remote manipulation of automated milking or feeding systems is a potential Article 14 trigger. Define criteria appropriate to your product portfolio.

Prepare Article 14 notification procedure — 24h early warning, 72h notification, 14-day final report

mediumArticle 14(2)

Use the CVD Portal Article 14 timeline tool to document your notification process and assign owners.

5. CE Marking & Technical Documentation

Prepare CRA technical file including sensor security architecture, connectivity stack, SBOM, and update mechanism documentation

highArticle 23, Annex V

Technical documentation for sensor-based livestock monitoring should address the full connectivity path from ear tag through gateway to cloud platform.

Issue EU Declaration of Conformity referencing the CRA for all in-scope livestock monitoring products

highArticle 20, Article 22

DoC must reference the CRA. For LoRaWAN and Bluetooth-enabled sensors, also reference the Radio Equipment Directive.

Track your Livestock Monitoring Systems compliance progress in CVD Portal.

Public CVD submission portal, Article 14 deadline alerts, SBOM tracking, and CSAF advisory generation. Free forever for manufacturers.

Start your free portal

Frequently asked

Our livestock ear tags have no screen or user interface — how do we publish a CVD policy for them?+

The CVD policy does not need to be on the device. Publish it on your company website and reference it in product documentation. A security.txt file at /.well-known/security.txt on your company domain is the primary mechanism. The ear tags themselves need only meet the Annex I security requirements (secure firmware, no default credentials, encrypted communications).

We sell livestock monitoring systems through agricultural cooperatives — who is responsible for CRA compliance?+

You, as the manufacturer, are responsible for CRA compliance of your products regardless of the distribution channel. Agricultural cooperatives distributing your products are distributors, not manufacturers. Distributors have lighter CRA obligations — mainly to verify the product bears CE marking and is accompanied by a DoC.

Our sensors use LoRaWAN — does this create any specific CRA requirements?+

LoRaWAN is a radio technology subject to the Radio Equipment Directive as well as CRA. The LoRaWAN specification (LoRa Alliance) includes security features such as end-to-end AES encryption and per-device session keys. Ensure you implement LoRaWAN security properly (OTAA activation preferred over ABP, unique per-device keys, rotate session keys regularly). Document your LoRaWAN security architecture in your CRA technical file.

Related compliance checklists

IoT Sensors & Connected Devices

Industrial & Manufacturing

→

Precision Agriculture & Smart Farming

Agriculture

→

Environmental Monitoring Sensors

Agriculture

→

Smart Greenhouse Automation

Agriculture

→

Need a CVD policy for Livestock Monitoring Systems?

Download a free CRA-compliant disclosure policy template and deploy it in minutes.

Browse templates →