Networking · Deadline: September 2026

CRA Compliance Checklist: Network Attached Storage (NAS)

CRA Classification: Default for consumer NAS; Annex III Class I for enterprise NAS products marketed as critical data infrastructure components

Network attached storage devices are high-value targets — they store critical personal, business, and infrastructure data and are frequently targeted by ransomware and data exfiltration actors. Consumer NAS is Default class; enterprise NAS marketed as critical data infrastructure may be Class I. NAS vendors have a poor historical track record on patching, making CRA obligations in this area particularly significant.

15 checklist items · 15 high priority

1. Scope & Classification

Confirm all NAS devices with network connectivity are products with digital elements in CRA scope

Priority: high · Article 3(1)

All NAS devices — consumer, SMB, and enterprise — with network interfaces and updateable firmware are in scope. Both the hardware platform and the NAS OS software are covered.

Assess Annex III Class I for enterprise NAS products marketed as business-critical storage infrastructure

Priority: high · Annex III, Class I

Enterprise NAS products marketed for business-critical data storage, backup, or DR use may be Class I given their importance as data infrastructure.

Compile a full SBOM covering NAS OS (often Linux-based), Samba, NFS, web interface, and all bundled applications

Priority: high · Article 10(6)

NAS operating systems are complex: Linux kernel, Samba, NFS, web framework, backup agents, cloud sync clients, media servers, and more. All must be tracked.

2. Product Security (Annex I Part I)

Require unique per-device admin credentials or forced credential creation during setup — never ship with shared default passwords

Priority: high · Annex I, Part I(2)

Default NAS credentials (admin/admin, admin/password) are the primary attack vector for ransomware groups. CRA prohibits insecure defaults. Enforce unique credentials at first setup.

Disable remote (WAN) access by default — remote access must require explicit user opt-in and strong authentication

Priority: high · Annex I, Part I(5)

NAS devices directly exposed to the internet are a primary ransomware target. Remote access (QuickConnect equivalents, VPN, direct exposure) must be disabled by default and require MFA when enabled.

Implement automatic security update notifications and support for automated update installation

Priority: high · Annex I, Part I(9)

NAS vendors have a poor historical record on patching. CRA requires vulnerabilities to be remediated without undue delay. Implement prominent update notifications and consider auto-update defaults.

Implement network share access controls with least-privilege principles — prevent unauthenticated share access

Priority: high · Annex I, Part I(2)

Guest share access must be disabled by default. All shares should require authentication. Implement share-level permissions distinct from system admin credentials.
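The following audit script is an added example, not code from the original checklist or any NAS vendor; it checks a Samba smb.conf for the unauthenticated-access settings this item forbids (guest shares, "map to guest = Bad User", the obsolete share-level security mode) and shows a weak configuration beside a hardened one. The sample configs are constructed; the set of options checked is an assumption about what matters most, not an exhaustive hardening guide.

```python
"""Audit an smb.conf for settings that allow unauthenticated share access."""
import configparser

# Constructed sample configs: the first permits guest access, the second is hardened.
WEAK_SMB_CONF = """\
[global]
workgroup = WORKGROUP
security = user
map to guest = Bad User

[public]
path = /srv/nas/public
guest ok = yes
writable = yes
"""

HARDENED_SMB_CONF = """\
[global]
workgroup = WORKGROUP
security = user
map to guest = Never

[finance]
path = /srv/nas/finance
guest ok = no
valid users = @finance
writable = yes
"""

def _truthy(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "1"}

def audit_smb_conf(text: str) -> list[str]:
    """Return findings for settings that permit unauthenticated share access."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)  # Samba uses %U etc.
    parser.read_string(text)
    findings = []
    glob = parser["global"] if parser.has_section("global") else {}
    # 'map to guest = Bad User' silently turns failed logins into guest sessions.
    if glob.get("map to guest", "Never").strip().lower() != "never":
        findings.append("global: map to guest should be Never")
    if glob.get("security", "user").strip().lower() == "share":
        findings.append("global: security = share is obsolete and unauthenticated")
    for name in parser.sections():
        if name == "global":
            continue
        share = parser[name]
        # 'public' is a synonym for 'guest ok' in Samba; either one opens the share.
        if _truthy(share.get("guest ok", "no")) or _truthy(share.get("public", "no")):
            findings.append(f"[{name}]: guest ok = yes permits unauthenticated access")
    return findings
```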

Provide ransomware resilience features — immutable snapshots, write-once storage options, and anomaly detection for mass file encryption

Priority: high · Annex I, Part I(7)

Ransomware is the primary threat to NAS devices. Immutable snapshots that cannot be deleted by ransomware significantly reduce impact. Consider making snapshot configuration prominently recommended in setup.
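As an added example (not from the original checklist or any vendor's product), the detector below implements the "anomaly detection for mass file encryption" half of this item: it reads Samba audit log lines and alerts when one user performs a burst of extension-changing renames, the signature left when files are encrypted in place and renamed. The log format is an assumption modelled on vfs_full_audit with a prefix of %u|%I|%m|%S, the sample lines are constructed, and the window and threshold are illustrative starting points to tune per deployment.

```python
"""Flag bursts of extension-changing renames in Samba audit logs (mass-encryption signature)."""
from collections import defaultdict, deque
from datetime import datetime
import os

# Constructed sample lines: 25 renames to ".locked" by one user in under a minute,
# followed by ordinary activity from another user.
SAMPLE_LOG = "\n".join(
    [f"Mar 03 09:15:{i:02d} nas smbd_audit: bob|192.0.2.23|WS23|finance|renameat|ok|q{i}.xlsx|q{i}.xlsx.locked"
     for i in range(25)]
    + ["Mar 03 09:16:10 nas smbd_audit: alice|192.0.2.10|WS10|finance|renameat|ok|draft.docx|final.docx",
       "Mar 03 09:16:11 nas smbd_audit: alice|192.0.2.10|WS10|finance|openat|ok|final.docx"]
)

WINDOW_SECONDS = 60   # sliding window per user (assumed tuning value)
THRESHOLD = 20        # extension-changing renames inside the window before alerting

def parse_line(line: str, year: int = 2026):
    """Return (timestamp, user, share, old_name, new_name) for successful renames, else None."""
    head, sep, audit = line.partition(" smbd_audit: ")
    if not sep:
        return None
    fields = audit.split("|")  # user|ip|machine|share|op|result|args...
    if len(fields) < 8 or fields[4] != "renameat" or fields[5] != "ok":
        return None
    ts = datetime.strptime(f"{year} {head[:15]}", "%Y %b %d %H:%M:%S")  # syslog has no year
    return ts, fields[0], fields[3], fields[6], fields[7]

def detect_mass_rename(log_text: str) -> list[dict]:
    """Count extension-changing renames per user in a sliding window; alert once per user."""
    windows = defaultdict(deque)
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, share, old, new = rec
        if os.path.splitext(old)[1] == os.path.splitext(new)[1]:
            continue  # ordinary rename, extension unchanged
        q = windows[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        if len(q) >= THRESHOLD and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "share": share, "renames": len(q),
                           "new_ext": os.path.splitext(new)[1]})
    return alerts
```

An alert of this kind is a trigger to pause the offending session and roll the share back to the last immutable snapshot, which is why the two features in this item belong together.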

3. CVD Policy & Vulnerability Handling

Publish a CVD policy and security.txt — NAS platforms receive significant security researcher attention

Priority: high · Article 13(1)

NAS platforms are well-documented research targets. Multiple critical vulnerabilities have been published for major NAS vendors. A responsive CVD process is essential.

Define security support lifecycle per device model — consumer NAS minimum 5 years, enterprise NAS minimum 7 years from last sale

Priority: high · Annex I, Part II(5)

NAS devices are often used for 5–10 years. Publish per-model security support end dates prominently. Announce end-of-security-support at least 12 months in advance.

Issue CVE IDs and public advisories for all vulnerabilities fixed in NAS firmware updates

Priority: high · Annex I, Part II(2)

Generic release notes are insufficient. Formal CVE IDs and security bulletins enable customers to assess risk and prioritise patching.

4. Article 14 Incident Reporting

Monitor for active exploitation of NAS vulnerabilities — particularly pre-auth RCE and ransomware campaigns targeting your platform

Priority: high · Article 14(1)

NAS-targeting ransomware campaigns (Deadbolt, QLocker, etc.) demonstrate active exploitation patterns. Subscribe to threat intelligence feeds and monitor for your platform-specific campaigns.

Prepare and test the 24h / 72h / 14-day Article 14 notification process with named owners

Priority: high · Article 14(2)

Mass exploitation campaigns against NAS fleets require rapid response. Pre-prepare notifications and test the process before an incident occurs.

5. CE Marking & Technical Documentation

Prepare technical file with NAS OS security architecture, SBOM, penetration test results, and CVD policy documentation

Priority: high · Article 23, Annex V

Given the history of significant NAS vulnerabilities, market surveillance authorities may scrutinise NAS technical files carefully. Invest in thorough documentation.

Issue EU Declaration of Conformity and affix CE marking before EU market placement

Priority: high · Article 20, Article 22

DoC must reference the CRA. NAS products with Wi-Fi should also reference the Radio Equipment Directive.

Frequently asked questions

Our NAS was placed on the market before September 2026 — do we need to issue security updates for legacy models?

Yes, for products still within their support lifecycle. The CRA imposes obligations from September 2026 for products placed on the market from that date. For legacy products, while the CRA does not apply retroactively to the original product, security updates for products still being actively used and supported are both good practice and may be required by existing consumer protection law. When CRA-era products reach their published end-of-support date, the obligation ends.

We enable UPnP on our NAS by default to make remote access easier — is this a problem under CRA?

UPnP enabled by default is a significant CRA compliance risk. UPnP can automatically open port forwarding on routers, exposing NAS management interfaces to the internet without user awareness. CRA Annex I Part I(5) requires that attack surfaces be minimised and unnecessary network exposure be disabled. UPnP should be disabled by default, with clear user guidance on the security implications if enabled.

Our NAS OS is open-source (e.g. based on OpenMediaVault or TrueNAS) — how does this affect our CRA obligations?

Using open-source NAS software as a base does not reduce your CRA obligations as the product manufacturer. You are responsible for the security of the complete product you place on the market. You must include all open-source components in your SBOM, monitor them for CVEs, and deliver patches. You may contribute security fixes back upstream, but your customers look to you for security support, not the open-source project.
