CRA Compliance Checklist: Smart Grid & Energy Infrastructure
Annex III Class II — smart grid components and energy infrastructure systems are critical infrastructure products requiring third-party conformity assessment
Smart grid systems — including advanced metering infrastructure (AMI), distribution automation systems, grid management software, and grid-connected energy storage controllers — are among the most critical products under the CRA. CRA Annex III Class II applies, requiring mandatory Notified Body assessment. The energy sector is NIS2-classified as essential infrastructure, creating overlapping obligations between CRA product requirements and NIS2 operator obligations.
1. Scope & Classification
Confirm smart grid components are Annex III Class II — smart meters, distribution automation systems, and grid management software are critical infrastructure products
Smart meters with bi-directional communication, distribution automation controllers, SCADA systems for grid operations, and grid energy management systems are all Annex III Class II. Third-party assessment is mandatory.
Engage a Notified Body with energy sector and industrial cybersecurity expertise — early engagement is essential given long assessment timelines
Smart grid system assessments are complex. Engage a Notified Body at least 12–18 months before the target market placement date. Ensure the body has expertise in NERC CIP, IEC 62351, and IEC 61968/61970 standards.
Assess NIS2 Directive implications for energy sector customers — smart grid products must support operator NIS2 Article 21 security requirements
Energy utilities are NIS2 essential entities. Your smart grid products must support the access control, incident response, supply chain security, and cryptography requirements utilities need for NIS2 compliance.
Compile SBOM covering smart meter firmware, head-end system software, MDMS, distribution management system, and all communication stack components
Smart grid systems are architecturally complex. AMI head-end, MDMS, DRMS, ADMS, and DERMS components all require individual SBOMs. Implement SBOM management at system level.
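One way to do the system-level SBOM management described above: fold the per-subsystem SBOMs into a single inventory and flag components that ship at more than one version across the system, since those are the ones where one vulnerability maps to several patch tracks. This is an added example, not code from the original page or from any product it describes; the three SBOMs are constructed samples in a minimal CycloneDX JSON shape (only bomFormat, metadata.component and components are read), and the subsystem names, component names and version numbers are illustrative.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// SBOM is the subset of the CycloneDX JSON shape this example reads.
type SBOM struct {
	BOMFormat string `json:"bomFormat"`
	Metadata  struct {
		Component Component `json:"component"`
	} `json:"metadata"`
	Components []Component `json:"components"`
}

// Component is one entry of the SBOM's component list.
type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl,omitempty"`
}

// Occurrence records that a component version ships inside a named subsystem.
type Occurrence struct {
	Subsystem string // e.g. "ami-head-end"
	Version   string
}

// Inventory maps a component name to every subsystem/version it appears in.
type Inventory map[string][]Occurrence

// ParseSBOM decodes one per-subsystem SBOM and rejects input it cannot attribute.
func ParseSBOM(data []byte) (SBOM, error) {
	var s SBOM
	if err := json.Unmarshal(data, &s); err != nil {
		return SBOM{}, err
	}
	if s.BOMFormat != "CycloneDX" {
		return SBOM{}, fmt.Errorf("unsupported bomFormat %q", s.BOMFormat)
	}
	if s.Metadata.Component.Name == "" {
		return SBOM{}, fmt.Errorf("SBOM has no metadata.component.name")
	}
	return s, nil
}

// MergeInventory folds per-subsystem SBOMs into one system-level inventory.
func MergeInventory(sboms []SBOM) Inventory {
	inv := Inventory{}
	for _, s := range sboms {
		for _, c := range s.Components {
			inv[c.Name] = append(inv[c.Name], Occurrence{Subsystem: s.Metadata.Component.Name, Version: c.Version})
		}
	}
	return inv
}

// VersionDrift lists components shipped at more than one version across the system,
// with the versions sorted so the output is stable.
func VersionDrift(inv Inventory) map[string][]string {
	drift := map[string][]string{}
	for name, occ := range inv {
		seen := map[string]bool{}
		for _, o := range occ {
			seen[o.Version] = true
		}
		if len(seen) > 1 {
			for v := range seen {
				drift[name] = append(drift[name], v)
			}
			sort.Strings(drift[name])
		}
	}
	return drift
}

// Subsystems returns, sorted, every subsystem that ships the named component at any version.
func Subsystems(inv Inventory, name string) []string {
	set := map[string]bool{}
	for _, o := range inv[name] {
		set[o.Subsystem] = true
	}
	out := make([]string, 0, len(set))
	for s := range set {
		out = append(out, s)
	}
	sort.Strings(out)
	return out
}

// SampleSBOMs are constructed per-subsystem SBOMs; names and versions are illustrative.
var SampleSBOMs = [][]byte{
	[]byte(`{"bomFormat":"CycloneDX","specVersion":"1.5","metadata":{"component":{"name":"ami-head-end","version":"4.2.0"}},"components":[{"name":"openssl","version":"3.0.13","purl":"pkg:generic/openssl@3.0.13"},{"name":"opendnp3","version":"3.1.2"}]}`),
	[]byte(`{"bomFormat":"CycloneDX","specVersion":"1.5","metadata":{"component":{"name":"mdms","version":"7.0.1"}},"components":[{"name":"openssl","version":"1.1.1w","purl":"pkg:generic/openssl@1.1.1w"},{"name":"postgresql-client","version":"15.6"}]}`),
	[]byte(`{"bomFormat":"CycloneDX","specVersion":"1.5","metadata":{"component":{"name":"adms","version":"3.4.0"}},"components":[{"name":"openssl","version":"3.0.13"},{"name":"libiec61850","version":"1.5.1"}]}`),
}

// BuildSystemInventory parses every raw SBOM and merges them; any unparseable SBOM fails the whole build.
func BuildSystemInventory(raw [][]byte) (Inventory, error) {
	var sboms []SBOM
	for _, r := range raw {
		s, err := ParseSBOM(r)
		if err != nil {
			return nil, err
		}
		sboms = append(sboms, s)
	}
	return MergeInventory(sboms), nil
}

func main() {
	inv, err := BuildSystemInventory(SampleSBOMs)
	if err != nil {
		panic(err)
	}
	for name, versions := range VersionDrift(inv) {
		fmt.Printf("%s ships at %v across %v\n", name, versions, Subsystems(inv, name))
	}
}
```

Running it reports that openssl ships at two versions across the head-end, MDMS and ADMS subsystems; a real deployment would feed the same inventory into vulnerability matching so that an advisory for one version is checked against every subsystem that carries it.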
2. Product Security (Annex I Part I)
Implement IEC 62351 security for all grid communication protocols — DNP3, IEC 61850, and ICCP must use authenticated, encrypted communications
IEC 62351 defines security for power system communications. Implementing IEC 62351 Parts 3, 5, and 6 for TLS, DNP3, and ICCP provides a strong foundation for CRA encrypted communications compliance.
Implement role-based access control with strong authentication for all grid management interfaces — separate operator, engineer, and administrator roles
Grid management access must implement the least privilege model with MFA. Emergency access procedures must be logged and reviewed. Remote access must be through an authenticated, encrypted channel.
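The access model above, worked through as an added example (not code from the original page or any product it describes): deny-by-default role permissions for separate operator, engineer and administrator roles, an MFA and secure-channel gate that runs before the role lookup, and a break-glass path that grants an action outside the role but records it flagged for review. The role split, action names and audit structure are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Action is one privileged operation exposed by a grid management interface.
type Action string

const (
	ViewTelemetry  Action = "view_telemetry"
	IssueSwitching Action = "issue_switching_command"
	EditProtection Action = "edit_protection_settings"
	ManageUsers    Action = "manage_users"
)

// rolePermissions is deny-by-default: a role may do only what is listed here.
// The operator/engineer/administrator split is illustrative, not taken from a standard.
var rolePermissions = map[string]map[Action]bool{
	"operator":      {ViewTelemetry: true, IssueSwitching: true},
	"engineer":      {ViewTelemetry: true, EditProtection: true},
	"administrator": {ViewTelemetry: true, ManageUsers: true},
}

// Session is what the access layer knows about an authenticated user.
type Session struct {
	User          string
	Role          string
	MFAVerified   bool // second factor completed for this session
	SecureChannel bool // local console, or a mutually authenticated encrypted remote channel
}

// AuditEntry is written for every decision, allowed or not; emergency grants are flagged.
type AuditEntry struct {
	When      time.Time
	User      string
	Role      string
	Action    Action
	Allowed   bool
	Emergency bool
	Reason    string
}

var (
	ErrChannel       = errors.New("remote access must use the authenticated, encrypted channel")
	ErrNoMFA         = errors.New("multi-factor authentication required")
	ErrDenied        = errors.New("action not permitted for role")
	ErrJustification = errors.New("emergency access requires a justification")
)

// AccessControl keeps the audit trail; a product would back this with an append-only store.
type AccessControl struct {
	Audit []AuditEntry
}

func (ac *AccessControl) record(s Session, a Action, allowed, emergency bool, reason string) {
	ac.Audit = append(ac.Audit, AuditEntry{time.Now(), s.User, s.Role, a, allowed, emergency, reason})
}

// preconditions are checked before any role lookup, on both the normal and the emergency path.
func (ac *AccessControl) preconditions(s Session) error {
	if !s.SecureChannel {
		return ErrChannel
	}
	if !s.MFAVerified {
		return ErrNoMFA
	}
	return nil
}

// Authorize is the normal least-privilege path: unknown roles and unlisted actions are denied.
func (ac *AccessControl) Authorize(s Session, a Action) error {
	if err := ac.preconditions(s); err != nil {
		ac.record(s, a, false, false, err.Error())
		return err
	}
	if !rolePermissions[s.Role][a] {
		ac.record(s, a, false, false, ErrDenied.Error())
		return ErrDenied
	}
	ac.record(s, a, true, false, "granted by role "+s.Role)
	return nil
}

// EmergencyAuthorize is the break-glass path: same channel and MFA requirements,
// a mandatory justification, and an audit entry marked Emergency for later review.
func (ac *AccessControl) EmergencyAuthorize(s Session, a Action, justification string) error {
	if err := ac.preconditions(s); err != nil {
		ac.record(s, a, false, true, err.Error())
		return err
	}
	if justification == "" {
		ac.record(s, a, false, true, ErrJustification.Error())
		return ErrJustification
	}
	ac.record(s, a, true, true, "EMERGENCY: "+justification)
	return nil
}

// EmergencyGrants returns the entries a security reviewer still has to sign off on.
func (ac *AccessControl) EmergencyGrants() []AuditEntry {
	var out []AuditEntry
	for _, e := range ac.Audit {
		if e.Emergency && e.Allowed {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	ac := &AccessControl{}
	op := Session{User: "op1", Role: "operator", MFAVerified: true, SecureChannel: true}
	fmt.Println("operator switching:", ac.Authorize(op, IssueSwitching))
	fmt.Println("operator editing protection:", ac.Authorize(op, EditProtection))
	fmt.Println("operator break-glass:", ac.EmergencyAuthorize(op, EditProtection, "constructed ticket: restore feeder after relay misoperation"))
	fmt.Printf("%d emergency grant(s) awaiting review\n", len(ac.EmergencyGrants()))
}
```

The ordering matters: a session without a second factor is refused before its role is consulted, so a missing MFA step never hides behind an ordinary permission denial, and the emergency path reuses the same preconditions rather than bypassing them.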
Apply IEC 62443 Security Level 2 or higher for smart grid product security level claims
IEC 62443 Security Level 2 provides protection against deliberate violation using simple means. For critical grid infrastructure, Security Level 2 is the minimum; Security Level 3 may be required for substation automation.
Implement cryptographically signed firmware updates for all grid-connected devices — support secure offline update for air-gapped grid infrastructure
Smart meters and grid controllers must support secure OTA updates. For air-gapped grid infrastructure, provide signed update packages for secure offline delivery.
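The signed offline update described above, as an added example rather than code from the original page or any vendor: the vendor signs a manifest (model, monotonically increasing version, image digest) with an Ed25519 key, and the device verifies the bundle against a public key pinned at manufacture, with no network access. The package layout, field names and device model strings are assumptions made for this example; the firmware image is a constructed byte string.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the signed description of one firmware image (a constructed format).
type Manifest struct {
	Model   string `json:"model"`
	Version uint32 `json:"version"` // monotonically increasing, used for anti-rollback
	SHA256  []byte `json:"sha256"`  // digest of the image the manifest vouches for
}

// UpdatePackage is the unit carried on removable media into an air-gapped site.
type UpdatePackage struct {
	Manifest  []byte // JSON-encoded Manifest, exactly the bytes that were signed
	Signature []byte // Ed25519 signature over Manifest
	Image     []byte
}

// Device holds the state a meter or controller needs to verify a package offline.
type Device struct {
	VendorPub        ed25519.PublicKey // pinned at manufacture; the only trust anchor needed
	Model            string
	InstalledVersion uint32
}

var (
	ErrBadSignature  = errors.New("manifest signature does not verify against pinned vendor key")
	ErrWrongModel    = errors.New("package is for a different device model")
	ErrRollback      = errors.New("package version is not newer than installed firmware")
	ErrImageMismatch = errors.New("image digest does not match signed manifest")
)

// GenerateVendorKey creates the vendor signing key pair; the private half stays in the signing environment.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildPackage runs at the vendor: hash the image, sign the manifest, bundle both.
func BuildPackage(priv ed25519.PrivateKey, model string, version uint32, image []byte) (UpdatePackage, error) {
	sum := sha256.Sum256(image)
	mb, err := json.Marshal(Manifest{Model: model, Version: version, SHA256: sum[:]})
	if err != nil {
		return UpdatePackage{}, err
	}
	return UpdatePackage{Manifest: mb, Signature: ed25519.Sign(priv, mb), Image: image}, nil
}

// VerifyPackage is the device-side check. It checks the signature before trusting
// any manifest field, then model, then anti-rollback, then the image digest.
func (d Device) VerifyPackage(p UpdatePackage) error {
	if !ed25519.Verify(d.VendorPub, p.Manifest, p.Signature) {
		return ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(p.Manifest, &m); err != nil {
		return err
	}
	if m.Model != d.Model {
		return ErrWrongModel
	}
	if m.Version <= d.InstalledVersion {
		return ErrRollback
	}
	sum := sha256.Sum256(p.Image)
	if subtle.ConstantTimeCompare(sum[:], m.SHA256) != 1 {
		return ErrImageMismatch
	}
	return nil
}

// Tamper returns a copy of b with one bit flipped, simulating a corrupted or altered file.
func Tamper(b []byte) []byte {
	out := append([]byte(nil), b...)
	out[len(out)/2] ^= 0x01
	return out
}

func main() {
	pub, priv, err := GenerateVendorKey()
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image for an AMI meter") // constructed sample, not real firmware
	pkg, _ := BuildPackage(priv, "AMI-METER-X", 8, image)
	dev := Device{VendorPub: pub, Model: "AMI-METER-X", InstalledVersion: 7}
	fmt.Println("genuine package:     ", dev.VerifyPackage(pkg))
	fmt.Println("altered image:       ", dev.VerifyPackage(UpdatePackage{pkg.Manifest, pkg.Signature, Tamper(pkg.Image)}))
	fmt.Println("altered manifest:    ", dev.VerifyPackage(UpdatePackage{Tamper(pkg.Manifest), pkg.Signature, pkg.Image}))
	dev.InstalledVersion = 8
	fmt.Println("replayed old version:", dev.VerifyPackage(pkg))
}
```

Because the manifest rather than the raw image is what gets signed, the device can reject a wrong-model or downgraded package before hashing a large image, and the signed version counter is what prevents a genuine but older package from being replayed onto a patched device.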
3. CVD Policy & Vulnerability Handling
Publish a CVD policy coordinated with energy sector CERTs and ICS-CERT organisations
Smart grid vulnerabilities have national energy security implications. Coordinate CVD with ENISA, national energy CERTs, and ICS-CERT organisations. Build multi-stakeholder disclosure into your CVD process.
Provide security patches with energy sector maintenance window support — grid operators have complex change management processes
Grid operators have stringent change management processes and limited maintenance windows. Provide well-tested patch packages with energy sector-specific deployment procedures.
Define a minimum 15-year security support lifecycle reflecting energy infrastructure asset lifecycles
Smart meters and grid infrastructure have 15–25 year operational lifespans. A 15-year security support commitment is appropriate for AMI and grid automation products.
4. Article 14 Incident Reporting
Define Article 14 triggers for smart grid incidents — any exploitation affecting grid stability, mass meter disconnection, or falsification of metering data is critical
Exploitation of smart grid vulnerabilities with potential to disrupt power supply is a national security emergency and an immediate Article 14 trigger. Pre-define criteria at senior management level.
Coordinate Article 14 ENISA reporting with NIS2 incident reports from energy sector customers and national energy regulatory authority notifications
A smart grid cybersecurity incident simultaneously triggers CRA Article 14 (product manufacturer's obligation), NIS2 incident reporting (utility operator's obligation), and potentially national energy regulator notifications. Pre-coordinate all notification tracks with major customers.
5. CE Marking & Conformity Assessment
Complete Notified Body Type Examination against IEC 62443 Security Level 2 as the primary technical framework
IEC 62443 is the internationally recognised standard for industrial cybersecurity. Notified Bodies for CRA will likely accept IEC 62443 SL2 compliance as a principal basis for conformity assessment.
Issue EU Declaration of Conformity referencing the CRA for all in-scope smart grid products
DoC must reference the CRA. For radio-frequency components (e.g. RF mesh smart meters), also reference the Radio Equipment Directive.
Track your Smart Grid & Energy Infrastructure compliance progress in CVD Portal.
Public CVD submission portal, Article 14 deadline alerts, SBOM tracking, and CSAF advisory generation. Free forever for manufacturers.
Frequently asked
Smart meters are deployed by utilities to consumers — is the utility or the meter manufacturer responsible for CRA compliance?
The meter manufacturer is responsible for CRA compliance of the smart meter as a product. The utility that deploys and operates the meters is an operator with additional security obligations (including under NIS2). The manufacturer must supply CRA-compliant meters; the utility must operate them securely. In practice, utilities drive strong security requirements through procurement, and manufacturers must meet these to win contracts.
Does NERC CIP compliance for smart grid products help with CRA?
NERC CIP is a North American standard and does not provide a CRA exclusion or direct compliance mapping. However, NERC CIP requirements and CRA Annex I cover much of the same ground: access management, configuration management, patch management, incident reporting, and vulnerability management. Products designed to meet NERC CIP requirements will have a strong foundation for CRA compliance. Document the mapping explicitly.
Our smart grid product integrates AI for demand forecasting — does the EU AI Act apply?
AI systems used in critical infrastructure management may be high-risk under EU AI Act Annex III. AI for energy grid demand forecasting that feeds into grid control decisions could trigger AI Act requirements including conformity assessment, registration in the EU AI database, and transparency obligations. Both CRA and AI Act compliance must be addressed. Engage with your Notified Body on an integrated assessment approach.
Need a CVD policy for Smart Grid & Energy Infrastructure?
Download a free CRA-compliant disclosure policy template and deploy it in minutes.