AgricultureDeadline: September 2026

CRA Compliance Checklist: Smart Greenhouse Automation

Default to Annex III Class I — smart greenhouse automation systems are products with digital elements; large-scale controlled environment agriculture may approach Class I

Smart greenhouse automation systems — including climate control, automated irrigation, LED lighting control, CO2 enrichment systems, and integrated greenhouse management platforms — are products with digital elements in scope for the CRA. They control critical agricultural production environments and their compromise could affect crop yields, food supply, and energy consumption. Most systems are Default class, but large-scale controlled environment agriculture installations may approach Class I.

checklist items

high priority

September 2026

deadline

Agriculture

sector

Track progress free →

CRA Classification:Default to Annex III Class I — smart greenhouse automation systems are products with digital elements; large-scale controlled environment agriculture may approach Class I

1. Scope & Classification

Confirm all networked greenhouse automation controllers and management platforms are in CRA scope

highArticle 3(1)

Climate controllers, irrigation controllers, LED drivers with network connectivity, and greenhouse management software are products with digital elements. Map all networked components.

Assess whether large-scale controlled environment agriculture (CEA) systems warrant Class I classification

mediumAnnex III, Class I

Very large scale CEA facilities (vertical farms, industrial greenhouses supplying national food chains) may approach Class I if compromise would significantly disrupt food supply.

Assess intersection with EU Machinery Regulation for automated handling, harvesting, or spraying systems within the greenhouse

mediumArticle 6, CRA / Machinery Regulation (EU) 2023/1230

Automated greenhouse machinery (transplanting robots, harvesting machines) are subject to the Machinery Regulation as well as CRA.

Compile SBOM for greenhouse management software, controller firmware, sensor firmware, and all connectivity components

highArticle 10(6)

Greenhouse automation platforms integrate multiple controller types (climate, irrigation, lighting) often from different vendors. Compile SBOMs for each.

2. Product Security (Annex I Part I)

Implement authentication for all greenhouse controller management interfaces — eliminate default or shared credentials

highAnnex I, Part I(2)

Unauthorised access to greenhouse climate controllers could manipulate temperature, humidity, or CO2 levels, destroying crops. Require authentication with unique per-installation credentials.

Validate all control setpoints received from management systems — reject values outside agronomically safe ranges

highAnnex I, Part I(1)

A malicious setpoint pushing greenhouse temperature to crop-damaging extremes could destroy an entire crop. Implement hard limits for all critical control parameters.

Encrypt all communications between greenhouse controllers, sensors, and management platforms

highAnnex I, Part I(3)

Greenhouse management commands and crop data should be encrypted. Use TLS for all IP communications and appropriate security for industrial protocols (Modbus TCP, BACnet/IP).

Implement signed firmware updates and verify before application to production greenhouse control systems

highAnnex I, Part I(9)

Greenhouse controllers managing active crops cannot be taken offline carelessly. Provide signed updates with staged rollout and rollback capability.

3. CVD Policy & Vulnerability Handling

Publish a CVD policy with a security contact for greenhouse automation system vulnerabilities

highArticle 13(1)

Greenhouse automation systems are an emerging security research area. A CVD policy enables responsible disclosure before vulnerabilities are exploited.

Define security support lifecycle appropriate to greenhouse automation investment — minimum 7 years

highAnnex I, Part II(5)

Greenhouse automation infrastructure is a capital investment with a long operational life. Commit to a 7-year minimum support period and publish per-product end dates.

4. Article 14 Incident Reporting

Define Article 14 triggers — focus on exploitation enabling setpoint manipulation or denial-of-service affecting climate control in active production facilities

mediumArticle 14(1)

An exploited vulnerability that disables climate control in a large greenhouse during winter could destroy the entire crop. Define your Article 14 criteria.

Prepare and test Article 14 notification procedure — assign owners for each reporting milestone

mediumArticle 14(2)

Use the CVD Portal Article 14 timeline tool to plan your notification process and test it before an incident.

5. CE Marking & Technical Documentation

Prepare CRA technical file covering controller security architecture, setpoint validation logic, SBOM, and update mechanism

highArticle 23, Annex V

Technical documentation should demonstrate that setpoint validation prevents out-of-range command injection and that all communications are protected.

Issue EU Declaration of Conformity referencing the CRA for all in-scope greenhouse automation products

highArticle 20, Article 22

DoC must reference the CRA. For wireless sensors and controllers, also reference the Radio Equipment Directive.

Track your Smart Greenhouse Automation compliance progress in CVD Portal.

Public CVD submission portal, Article 14 deadline alerts, SBOM tracking, and CSAF advisory generation. Free forever for manufacturers.

Start your free portal

Frequently asked

Our greenhouse automation system uses BACnet — is this protocol compatible with CRA encryption requirements?+

BACnet/SC (Secure Connect) supports TLS encryption and certificate-based authentication, and is the recommended CRA-compliant variant. Legacy BACnet/IP does not include native security and must be protected by network-layer controls (VPN, firewall, VLAN isolation) as a compensating measure. New greenhouse automation installations should implement BACnet/SC where possible.

Our greenhouse management platform is offered as SaaS — does CRA apply?+

Purely cloud-based SaaS is generally outside CRA scope. However, if you supply on-premises controller hardware, locally installed software, or gateway devices alongside the SaaS platform, those local components are in scope. The greenhouse controllers themselves (hardware + firmware) are always in scope regardless of whether management is cloud-based.

We integrate third-party climate sensors into our greenhouse management platform — are we responsible for their CRA compliance?+

Each sensor manufacturer is responsible for their own CRA compliance. You, as the platform integrator, are responsible for the security of your platform and how it handles data from those sensors. If you sell a complete integrated system (including third-party sensors rebranded or bundled under your brand), you take on manufacturer responsibility for the system. If you merely provide integration support for third-party sensors, the sensor manufacturer retains their own CRA obligations.

Related compliance checklists

IoT Sensors & Connected Devices

Industrial & Manufacturing

→

Precision Agriculture & Smart Farming

Agriculture

→

Environmental Monitoring Sensors

Agriculture

→

Smart Home Devices

Consumer Electronics

→

Need a CVD policy for Smart Greenhouse Automation?

Download a free CRA-compliant disclosure policy template and deploy it in minutes.

Browse templates →