CRA Compliance Checklist: Marine Electronics & Navigation Systems
Annex III Class I for safety-critical navigation systems (ECDIS, AIS, GMDSS) — Default for consumer marine electronics; intersection with IMO MSC-FAL.1/Circ.3 maritime cybersecurity guidelines
Marine electronics range from safety-critical navigation systems (ECDIS, AIS, GMDSS equipment) to consumer chartplotters and fish finders. Safety-critical navigation systems are Annex III Class I or higher due to their role in vessel safety. Consumer marine electronics are Default class. Manufacturers must also address the intersection with IMO maritime cybersecurity guidelines and flag state regulations for commercial vessels.
1. Scope & Classification
Classify marine electronics by safety criticality: ECDIS, AIS, GMDSS as Class I; consumer chartplotters and fish finders as Default
Safety-critical marine navigation systems (ECDIS, AIS Class A, GMDSS radio) installed on commercial vessels are important products. Class I is appropriate. Consumer handheld GPS and fish finders are Default.
Assess intersection with IMO Resolution MSC-FAL.1/Circ.3 on maritime cyber risk management for commercial vessel applications
IMO cybersecurity guidelines apply to maritime operators, not product manufacturers. However, your products must support the cybersecurity requirements that vessel operators need to meet IMO obligations.
Assess intersection with IEC 61162 and IEC 62443 maritime cybersecurity standards relevant to NMEA and integrated bridge systems
IEC 61162-460 addresses cybersecurity for NMEA 0183 and NMEA 2000 networks on vessels. Align your products with applicable IEC standards.
Compile SBOM for all marine electronics covering navigation software, chart databases, communication firmware, and integration middleware
Marine navigation systems use complex software stacks: chart rendering engines, NMEA parsers, AIS decoders, and weather data integrations. All must be tracked.
2. Product Security (Annex I Part I)
Implement authentication for all management and configuration interfaces on marine electronics
ECDIS and AIS configuration interfaces must be protected against unauthorised modification. A spoofed ECDIS chart or modified AIS data can cause vessel groundings or collisions.
Validate integrity of electronic chart data, AIS data feeds, and weather data — detect and reject tampered inputs
GNSS spoofing and AIS data manipulation are known attack vectors against vessels. Implement anomaly detection for navigation data inconsistencies.
Encrypt remote monitoring, fleet management, and OTA update communications for vessel-installed systems
Satellite communications links for vessel monitoring and OTA updates must be encrypted. VSAT and Iridium communications channels should use TLS or equivalent.
Implement signed firmware updates for all marine electronics — particularly for safety-critical navigation systems
Firmware updates for ECDIS and AIS systems must be cryptographically signed. Apply updates only through authenticated channels with pre-voyage testing procedures.
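Added example, not part of the original checklist or any vendor's code: a small plausibility filter for the navigation-data integrity item above (detect and reject tampered or inconsistent inputs). It validates NMEA 0183 RMC checksums and rejects fixes whose implied speed exceeds an assumed 60-knot ceiling; the function names and sample sentences are constructed for illustration, and the stream is assumed not to cross midnight UTC.

```python
import math
from functools import reduce

def nmea_checksum(body):
    # XOR of characters between '$' and '*': a corruption check, not a crypto control.
    return reduce(lambda acc, ch: acc ^ ord(ch), body, 0)
def to_degrees(value, hemi):
    deg, minutes = divmod(float(value), 100)    # ddmm.mmmm -> (dd, mm.mmmm)
    return (deg + minutes / 60.0) * (-1 if hemi in ("S", "W") else 1)

def parse_rmc(sentence):
    # Returns (seconds_of_day, lat, lon), or None for anything malformed.
    try:
        body, given = sentence.strip().split("*")
        f = body[1:].split(",")
        if (body[0] != "$" or nmea_checksum(body[1:]) != int(given, 16)
                or not f[0].endswith("RMC") or f[2] != "A"):  # "A" = valid fix
            return None
        secs = int(f[1][:2]) * 3600 + int(f[1][2:4]) * 60 + float(f[1][4:])
        return secs, to_degrees(f[3], f[4]), to_degrees(f[5], f[6])
    except (ValueError, IndexError):
        return None

def implied_knots(prev, cur):
    # Haversine distance (nm) over elapsed hours; non-increasing time -> inf.
    dt_h = (cur[0] - prev[0]) / 3600.0
    la1, lo1, la2, lo2 = map(math.radians, (*prev[1:], *cur[1:]))
    h = math.sin((la2 - la1) / 2) ** 2 + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2
    return 2 * 3440.065 * math.asin(math.sqrt(h)) / dt_h if dt_h > 0 else math.inf

def check_stream(sentences, max_knots=60.0):   # 60 kn ceiling is an assumption
    alerts, last = [], None
    for i, s in enumerate(sentences):
        fix = parse_rmc(s)
        if fix is None:
            alerts.append((i, "malformed-or-bad-checksum"))
        elif last is not None and implied_knots(last, fix) > max_knots:
            alerts.append((i, "implausible-jump"))   # keep last trusted fix
        else:
            last = fix
    return alerts

def rmc(t, lat, lon):   # builds a constructed sample sentence with a valid checksum
    body = f"GPRMC,{t},A,{lat},N,{lon},W,10.0,90.0,010125,,"
    return f"${body}*{nmea_checksum(body):02X}"
SAMPLE = [rmc("120000.00", "5130.0000", "00010.0000"),   # constructed fixes, 10 s apart
          rmc("120010.00", "5130.0000", "00009.9500"),
          rmc("120020.00", "5230.0000", "00009.9000"),   # jumps about 60 nm
          rmc("120030.00", "5130.0000", "00009.8500").replace("5130", "5131")]  # corrupted
```

Rejected fixes are not adopted as the reference position, so a single spoofed sentence cannot drag the baseline with it.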
3. CVD Policy & Vulnerability Handling
Publish a CVD policy for marine navigation and communication system vulnerabilities
Maritime cybersecurity incidents have caused vessel groundings and near-misses. A responsive CVD process with maritime safety expertise is essential.
Provide security patches with documented vessel maintenance window procedures — patches must be verifiable before application at sea
Vessel operators cannot apply unverified patches while at sea. Provide cryptographically signed patch packages with vessel-by-vessel deployment procedures and rollback capability.
Define security support lifecycle appropriate to commercial vessel and yacht operational lifecycles — minimum 10 years
Commercial vessels operate for 20–30 years. Marine electronics installed during vessel construction need very long security support commitments. Publish per-product end-of-support dates.
4. Article 14 Incident Reporting
Define Article 14 triggers for marine electronics incidents — focus on navigation system compromise, AIS spoofing at scale, and GMDSS communication disruption
A vulnerability enabling mass AIS spoofing or ECDIS chart manipulation is a maritime safety emergency and a high-severity Article 14 trigger.
Coordinate Article 14 reporting with maritime safety authority notifications — IMO, BIMCO, and flag state authorities may need parallel notification
Maritime safety incidents have dedicated reporting channels. Pre-plan coordination between CRA Article 14 (ENISA) and maritime safety authority notifications.
5. CE Marking & Technical Documentation
Prepare technical file meeting both CRA and Marine Equipment Directive (MED 2014/90/EU) requirements for certified marine equipment
Safety-critical marine electronics installed on commercial vessels may require Marine Equipment Directive certification (wheel mark). Coordinate MED and CRA compliance.
Issue EU Declaration of Conformity referencing the CRA and MED (if applicable) before EU market placement
Marine electronics require both a CRA DoC (CE mark) and, for MED-applicable products, a separate MED wheel mark conformity certificate.
Frequently asked
Our ECDIS is type-approved under SOLAS requirements — does CRA still apply?
SOLAS type approval for ECDIS under IMO performance standards does not provide the same comprehensive cybersecurity requirements as CRA Annex I. Unlike MDR for medical devices, there is no established CRA exclusion for IMO type-approved equipment. Manufacturers should plan for full CRA compliance for all marine electronics placed on the EU market, regardless of IMO type approval status.
AIS uses unauthenticated broadcasts by design — how do we comply with CRA authentication requirements?
AIS Class A and B use standardised broadcast formats defined by ITU-R M.1371, which do not include authentication. This is a known limitation of the AIS standard and a recognised maritime security risk. CRA compliance for AIS equipment should focus on what can be controlled: authenticated configuration interfaces, integrity protection of the AIS transponder firmware, and anomaly detection for suspicious AIS data. The industry is working on AIS authentication standards (e.g. VDE-2050); manufacturers should monitor these developments.
We sell consumer GPS chartplotters for recreational boating — what CRA obligations apply?
Consumer recreational chartplotters are Default-class products with digital elements. They must meet all Annex I requirements: no insecure defaults, encrypted updates, published CVD policy, SBOM, and security support period. A DoC and CE mark are required. The conformity assessment can be self-declared for Default-class products. The Marine Equipment Directive does not apply to recreational craft under 24m.