CRA Compliance Checklist: Perimeter Security & Smart Barriers
Annex III Class I to Class II depending on deployment — perimeter security for critical infrastructure sites is Class II; commercial perimeter systems are Class I
Perimeter security systems — including IP-connected vehicle barriers, automated gate systems, electric perimeter fencing with smart controllers, and ground radar detection systems — are safety-critical physical security products with digital elements. Systems protecting critical infrastructure sites are Annex III Class II. Commercial and industrial perimeter systems are likely Class I. Their compromise could enable physical security breaches at sensitive facilities.
1. Scope & Classification
Classify perimeter systems by deployment: Class II for critical infrastructure sites, Class I for commercial and industrial, Default for basic consumer applications
Vehicle barriers and perimeter detection at nuclear, military, utility, and government facilities are Class II. Commercial and industrial site perimeter systems are Class I.
For Class II products, engage a Notified Body with physical security and cybersecurity expertise for mandatory Type Examination
Critical infrastructure perimeter systems require Notified Body assessment. Engage bodies with both physical security system and industrial cybersecurity expertise.
Assess intersection with Construction Products Regulation for fixed perimeter infrastructure (bollards, barriers) installed in buildings or public spaces
Fixed vehicle barriers and gates installed as construction products may require CPR compliance alongside CRA. Coordinate both compliance tracks.
Compile SBOM covering barrier controller firmware, access control integration software, detection system firmware, and monitoring platform components
Perimeter security systems integrate barrier controllers, access control, CCTV, and monitoring platforms. Track all software components across the integrated system.
2. Product Security (Annex I Part I)
Implement strong authentication and authorisation for all barrier and gate control commands — prevent unauthorised barrier operation
Unauthorised control of vehicle barriers or gates could enable forced entry or trap legitimate users. All control commands must be authenticated and authorised. MFA for all remote access.
Implement hardware fail-safe behaviour — barriers must revert to a safe default state (secure-closed for access barriers) if network connection is lost or tampered
Safety and security critical perimeter hardware must have fail-safe behaviour independent of network status. Define safe defaults for each barrier type and implement in hardware.
Encrypt all perimeter system communications — barrier control commands, sensor data, and monitoring traffic
An attacker able to intercept and replay barrier control commands could operate barriers without authorisation. Encrypt all communications and implement command replay protection.
Implement tamper-evident logging for all barrier operations, configuration changes, and access events
Perimeter security audit logs are critical for security investigation and regulatory compliance. Logs must be forwarded to a centralised, tamper-evident system.
3. CVD Policy & Vulnerability Handling
Publish a CVD policy and security contact — perimeter security vulnerabilities have national security implications for critical infrastructure deployments
Perimeter security vulnerabilities are particularly sensitive. A confidential, expedited CVD process with physical security expertise is essential.
Define security support lifecycle appropriate to perimeter security infrastructure — minimum 10 years for commercial, 15 years for critical infrastructure
Perimeter security infrastructure is a long-term capital investment. Publish per-product security support end dates and provide migration planning support.
4. Article 14 Incident Reporting
Define Article 14 triggers — any exploitation affecting barrier control, perimeter detection effectiveness, or access authorisation is highest severity
Exploitation enabling unauthorised barrier operation or perimeter detection bypass at critical infrastructure is a national security incident requiring immediate Article 14 notification.
Coordinate Article 14 reporting with national security authorities for incidents at classified or critical infrastructure facilities
Perimeter security incidents at critical facilities require parallel notification to ENISA (CRA Article 14) and national security authorities. Pre-establish communication channels with relevant authorities.
5. CE Marking & Conformity Assessment
For Class II critical infrastructure systems, complete Notified Body Type Examination before CE marking and market placement
Class II perimeter security products require Notified Body certification. Do not place critical infrastructure security products on the market without this.
Prepare technical file documenting barrier control security architecture, fail-safe design, authentication mechanisms, SBOM, and cryptographic specifications
Technical documentation should clearly demonstrate fail-safe behaviour under adversarial conditions: network loss, power failure, tamper detection, and command injection attempts.
Track your Perimeter Security & Smart Barriers compliance progress in CVD Portal.
Public CVD submission portal, Article 14 deadline alerts, SBOM tracking, and CSAF advisory generation. Free forever for manufacturers.
Start your free portalFrequently asked
Our vehicle barriers operate on a standalone local controller with no internet connectivity — does CRA still apply?+
Yes. CRA applies to the product as placed on the market, not its deployment configuration. A standalone barrier controller with local network connectivity is a product with digital elements. Even if the customer does not connect it to the internet, the product must meet CRA requirements. Furthermore, many 'standalone' systems have temporary connections for commissioning, configuration, or maintenance that create real attack surfaces.
We supply smart barriers to government and defence sites — does CRA apply to defence applications?+
Products designed and marketed exclusively for national security and defence purposes are excluded from CRA scope under Article 2(4). However, if your barriers are general commercial products also sold to non-defence customers, those civilian variants are in scope. Dual-use products require careful classification. If you supply the same product to both defence and commercial customers, the commercial product line is in CRA scope.
Our perimeter detection uses AI for vehicle classification — does the EU AI Act also apply?+
AI systems used in security screening and surveillance may be high-risk under EU AI Act Annex III. Perimeter detection AI that makes access control decisions or biometric identification could be subject to AI Act requirements including registration, conformity assessment, and transparency obligations. Both CRA and AI Act requirements must be met. Coordinate your compliance programmes for both regulations.
Need a CVD policy for Perimeter Security & Smart Barriers?
Download a free CRA-compliant disclosure policy template and deploy it in minutes.