Consumer Electronics · Deadline: September 2026

CRA Compliance Checklist: Smart Appliances & White Goods

CRA Classification: Default — smart appliances are consumer-facing products with digital elements; not listed in Annex III unless repurposed for critical infrastructure

Smart appliances — including connected washing machines, refrigerators, dishwashers, and ovens — are products with digital elements subject to the full CRA. They typically connect to home networks and cloud services, presenting risks including unauthorised access, data leakage, and use as an entry point for lateral movement within the home network. As consumer products they are Default class but must still meet all Annex I security requirements.

18 checklist items · 13 high priority · Deadline: September 2026 · Sector: Consumer Electronics

1. Scope & Classification

Confirm each smart appliance model with network connectivity is a product with digital elements in scope for CRA

Priority: high · Article 3(1)

Any appliance that connects to a home network, Wi-Fi, or Bluetooth and includes software is in scope. Non-connected variants of the same product line are not.

Assess whether any appliance model is marketed for commercial or industrial use — if so, review Annex III Class I

Priority: medium · Annex III, Class I

Commercial-grade connected appliances (e.g. catering fridges with remote monitoring) may attract a higher classification.

Compile an SBOM for all embedded firmware, including RTOS, connectivity stacks, and cloud SDK components

Priority: high · Article 10(6)

Smart appliance firmware often includes vendor SDKs for Wi-Fi, Bluetooth, and cloud connectivity. All components must be tracked.

2. Product Security (Annex I Part I)

Eliminate factory-default shared passwords — require unique per-device credentials or forced setup during first use

Priority: high · Annex I, Part I(2)

Many white goods ship with shared default credentials. CRA explicitly prohibits this. Each device must have a unique credential or require user-set credentials before network activation.

Disable all unnecessary network services and ports — expose only those required for documented functionality

Priority: high · Annex I, Part I(5)

Appliance firmware frequently runs debug services, telnet, or UPnP that serve no consumer purpose. Disable all by default.

Implement cryptographically signed OTA firmware updates and verify signatures before installation

Priority: high · Annex I, Part I(9)

Unsigned firmware updates allow anyone who can reach the update channel to replace the firmware with an image of their choosing. Sign updates with a hardware-backed key and verify the signature on-device before applying.
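A minimal signed-update flow, added here as an example that is not code from the original page or from any appliance vendor: it uses Ed25519 from the Go standard library in place of whatever the appliance's bootloader actually supports, and the version-counter anti-rollback check goes beyond what the checklist item states.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is what the vendor signs: the image hash plus a monotonically
// increasing version, so an old but genuinely signed image cannot be replayed.
type Manifest struct {
	Version uint32
	Hash    [32]byte
}
func (m Manifest) bytes() []byte { return append(binary.BigEndian.AppendUint32(nil, m.Version), m.Hash[:]...) }

var ErrBadSignature = errors.New("manifest signature invalid")
var ErrImageMismatch = errors.New("image hash does not match manifest")
var ErrRollback = errors.New("version not newer than installed firmware")

// SignFirmware runs on the vendor's signing service; the private key never reaches the appliance.
func SignFirmware(priv ed25519.PrivateKey, version uint32, image []byte) (Manifest, []byte) {
	m := Manifest{Version: version, Hash: sha256.Sum256(image)}
	return m, ed25519.Sign(priv, m.bytes())
}

// VerifyUpdate is the on-device check run before anything is written to flash:
// signature, then image hash, then anti-rollback. Only the public key is provisioned on-device.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, sig, image []byte) error {
	if !ed25519.Verify(pub, m.bytes(), sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.Hash {
		return ErrImageMismatch
	}
	if m.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key pair for the demo
	image := []byte("constructed firmware image v2")
	m, sig := SignFirmware(priv, 2, image)
	fmt.Println("genuine:", VerifyUpdate(pub, 1, m, sig, image))
	image[0] ^= 0xff // simulate a modified image
	fmt.Println("tampered:", VerifyUpdate(pub, 1, m, sig, image))
}
```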

Encrypt all data in transit between the appliance and cloud services using TLS 1.2 or later

Priority: high · Annex I, Part I(3)

Usage data, scheduling data, and control commands must be encrypted in transit. Certificate pinning is recommended, with a rotation plan so that pinned certificates can be replaced over the appliance's support life without stranding devices.

Implement a secure factory reset that removes all user credentials and cloud pairing data

Priority: medium · Annex I, Part I(6)

Appliances are frequently resold. A complete factory reset must remove all personal data and cloud associations.

3. CVD Policy & Vulnerability Handling

Publish a coordinated vulnerability disclosure policy with a dedicated security contact

Priority: high · Article 13(1)

Security researchers increasingly target consumer appliances. A clear CVD policy and monitored contact are mandatory under CRA.

Deploy a security.txt file on your product support domain and in your companion app's privacy/security section

Priority: medium · Article 13(1)

Use the CVD Portal security.txt generator to create a compliant file. Link from your product support pages.
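A validation step for the deployed file, added here as an example that is not the CVD Portal generator's code: the sample file and its addresses are constructed placeholders, and the checks follow the mandatory fields of RFC 9116 (Contact and Expires) plus the expiry sanity checks a researcher-facing file needs.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed sample of the file served at /.well-known/security.txt on the
// product-support domain; the addresses are placeholders, not a real vendor's.
const sampleSecurityTxt = `Contact: mailto:security@example-appliances.invalid
Contact: https://example-appliances.invalid/security/report
Expires: 2027-03-01T00:00:00Z
Policy: https://example-appliances.invalid/security/cvd-policy
`

// Validate is what a pre-deploy CI step runs on the file: RFC 9116 makes Contact
// and Expires mandatory; Expires must be RFC 3339, in the future, and under a year away.
func Validate(body string, now time.Time) error {
	contacts := 0
	var expires time.Time
	for _, line := range strings.Split(body, "\n") {
		name, val, ok := strings.Cut(line, ":") // comment lines match no field name
		if !ok {
			continue
		}
		switch strings.ToLower(name) {
		case "contact":
			contacts++
		case "expires":
			t, err := time.Parse(time.RFC3339, strings.TrimSpace(val))
			if err != nil {
				return err
			}
			expires = t
		}
	}
	switch {
	case contacts == 0:
		return errors.New("no Contact field")
	case expires.IsZero():
		return errors.New("no Expires field")
	case !expires.After(now):
		return errors.New("file has expired")
	case expires.Sub(now) > 366*24*time.Hour:
		return errors.New("Expires is more than a year away")
	}
	return nil
}

func main() { fmt.Println(Validate(sampleSecurityTxt, time.Now())) }
```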

Define and publish the security support lifecycle for each model — minimum 5 years from market availability recommended

Priority: high · Annex I, Part II(5)

White goods have long useful lives (10+ years). CRA requires a support period appropriate to expected use. Clearly publish end-of-security-support dates.

Acknowledge vulnerability reports within 48 hours and provide status updates at defined intervals

Priority: high · Article 13(3)

Establish a monitored security inbox. Automate acknowledgment and assign a vulnerability coordinator per report.

4. Article 14 Incident Reporting

Establish monitoring capability to detect active exploitation of vulnerabilities in deployed appliances

Priority: high · Article 14(1)

Telemetry from cloud-connected appliances can indicate exploitation. Define what constitutes an actively exploited vulnerability triggering Article 14 reporting.

Document the 24h early warning / 72h notification / 14-day final report procedure with named owners

Priority: high · Article 14(2)

Prepare notification templates in advance. Identify the competent national authority (via the ENISA single reporting platform) in each EU market where you sell.

Maintain a vulnerability register and review it against Article 14 triggering criteria for each new CVE

Priority: medium · Article 14(1)

Not every CVE triggers Article 14. Actively exploited vulnerabilities with significant impact do. Document your triage criteria.
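A register review that applies the triage criterion above and computes the three Article 14 milestones from the preceding item for each triggered entry, added here as an example (not code from the page or from CVD Portal); the field names, the CVSS floor used for "significant impact", and the sample entries are this example's assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// VulnRecord is one row of the manufacturer's vulnerability register.
// Field names are this example's assumptions, not CRA terminology.
type VulnRecord struct {
	ID                string
	ActivelyExploited bool      // evidence of exploitation against deployed appliances
	AffectsShipped    bool      // at least one in-market model is affected
	CVSS              float64   // severity assigned at triage
	AwareAt           time.Time // when the manufacturer became aware
}

// Deadlines are the milestones the checklist names, counted from awareness: 24h early
// warning, 72h notification, 14-day final report (the earliest reading of that window).
type Deadlines struct{ EarlyWarning, Notification, FinalReport time.Time }

func DeadlinesFrom(awareAt time.Time) Deadlines {
	return Deadlines{awareAt.Add(24 * time.Hour), awareAt.Add(72 * time.Hour), awareAt.Add(14 * 24 * time.Hour)}
}

// Triggered encodes the page's criterion (actively exploited, significant impact);
// the CVSS floor is an assumed internal threshold for "significant".
func Triggered(v VulnRecord, cvssFloor float64) bool {
	return v.ActivelyExploited && v.AffectsShipped && v.CVSS >= cvssFloor
}

// Review returns the deadlines for every register entry that triggers Article 14.
func Review(reg []VulnRecord, cvssFloor float64) map[string]Deadlines {
	out := map[string]Deadlines{}
	for _, v := range reg {
		if Triggered(v, cvssFloor) {
			out[v.ID] = DeadlinesFrom(v.AwareAt)
		}
	}
	return out
}

func main() {
	aware := time.Date(2026, 9, 15, 9, 0, 0, 0, time.UTC) // constructed awareness time
	register := []VulnRecord{ // constructed sample entries
		{"VULN-1", true, true, 8.1, aware},  // exploited and high impact: report
		{"VULN-2", false, true, 9.8, aware}, // critical but no exploitation: no
		{"VULN-3", true, true, 3.1, aware},  // exploited but low impact: no
	}
	fmt.Println(Review(register, 7.0)) // only VULN-1 appears
}
```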

5. CE Marking & Technical Documentation

Prepare a CRA technical file including risk assessment, SBOM, security test results, and CVD policy

Priority: high · Article 23, Annex V

The technical file must be retained for 10 years after the last product is placed on the market and made available to authorities within 10 business days.

Issue an EU Declaration of Conformity referencing the CRA and affix CE marking to the product

Priority: high · Article 20, Article 22

DoC must list the manufacturer, product, and declare conformity with CRA essential requirements in Annex I. CE mark must appear on the product and packaging.

Assess intersection with Radio Equipment Directive (RED) delegated acts if the product includes radio components

Priority: medium · Article 6 CRA / RED Article 3(3)(d)(e)(f)

Connected appliances with Wi-Fi or Bluetooth are also subject to RED delegated cybersecurity requirements. Coordinate RED and CRA compliance to avoid duplication.


Frequently asked questions

Does CRA apply to a smart fridge that only connects via a companion app, not directly to the internet?

Yes. A product that connects via Bluetooth or local Wi-Fi to a companion app, which then connects to the internet, is still a product with digital elements under the CRA. The connectivity pathway does not affect scope. The fridge and the companion app may both be separately in scope.

How long must we provide security updates for smart appliances?

The CRA requires a support period 'appropriate to the expected use of the product.' For white goods with an expected lifespan of 10–15 years, a 5-year security support period is a reasonable minimum, though regulators may expect longer. The support period must be clearly stated in product documentation.

We sell appliances across multiple EU member states. Do we need to report incidents to each national authority separately?

No. Article 14 requires reporting to ENISA via a single reporting platform. ENISA will coordinate with the relevant national competent authorities. You submit once to the central platform, not separately to each country.
