CRA Compliance Checklist: Telecommunications Equipment
Annex III Class II for core network and 5G infrastructure equipment — Default or Class I for end-user CPE and access equipment
Telecommunications equipment ranges from consumer CPE (modems, set-top boxes) to core network infrastructure (base stations, routers, switching systems). Core network and 5G infrastructure equipment is Annex III Class II given its critical infrastructure role. End-user equipment is Default class. Manufacturers must also address the intersection with the European Electronic Communications Code (EECC) and 5G security requirements.
1. Scope & Classification
Classify each product type: core network equipment (Class II), access infrastructure (Class I likely), CPE (Default)
Base stations, core network routers, and 5G infrastructure components are Class II. DSLAM, CMTS, and network access nodes are likely Class I. Consumer CPE (modems, ONTs) are Default.
Engage Notified Body for mandatory assessment of Class II core network and 5G infrastructure equipment
5G and core network infrastructure requires Notified Body Type Examination. Engage early — assessment lead times for complex telecom equipment can exceed 12 months.
Assess intersection with EECC Article 40 — network security obligations for operators interact with CRA product obligations
EECC imposes security obligations on electronic communications networks. Your equipment must support compliance with both EECC operator obligations and CRA product requirements.
Compile SBOM for all equipment types — telecom firmware stacks often contain hundreds of open-source components
Telecom firmware stacks are large and deeply layered, so maintain SBOMs with automated generation and continuous CVE scanning for every product line. Track OpenSSL, libsrtp, WebRTC, and other telecom-specific library CVEs.
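As an added example (not code from this page or from any SBOM tool), a small Go matcher that reads the component list from a CycloneDX-style SBOM and flags components whose version falls inside an advisory's affected range. The SBOM, the advisory records and their ADV-xxxx identifiers are constructed placeholders, not real CVEs, and version comparison is numeric-dotted only.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Advisory is a constructed record (placeholder IDs, not real CVEs): a component
// is affected when Introduced <= version < Fixed; empty Fixed means no fix yet.
type Advisory struct{ ID, Component, Introduced, Fixed string }
// cmpVersion orders dotted numeric versions numerically, so "3.0.12" > "3.0.9".
func cmpVersion(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		x, y := 0, 0 // a missing trailing segment counts as 0 ("2.5" == "2.5.0")
		if i < len(as) { x, _ = strconv.Atoi(as[i]) }
		if i < len(bs) { y, _ = strconv.Atoi(bs[i]) }
		if x < y { return -1 } else if x > y { return 1 }
	}
	return 0
}
// MatchSBOM parses the CycloneDX-style "components" list (name and version only)
// and reports "ID component@version" for every component in an affected range.
func MatchSBOM(sbomJSON []byte, advisories []Advisory) ([]string, error) {
	var s struct{ Components []struct{ Name, Version string } }
	if err := json.Unmarshal(sbomJSON, &s); err != nil {
		return nil, err
	}
	var hits []string
	for _, c := range s.Components {
		for _, a := range advisories {
			if c.Name == a.Component && cmpVersion(c.Version, a.Introduced) >= 0 && (a.Fixed == "" || cmpVersion(c.Version, a.Fixed) < 0) {
				hits = append(hits, fmt.Sprintf("%s %s@%s", a.ID, c.Name, c.Version))
			}
		}
	}
	return hits, nil
}
// Constructed sample SBOM and advisories for a hypothetical CPE firmware image.
const sampleSBOM = `{"bomFormat":"CycloneDX","components":[{"name":"openssl","version":"3.0.9"},
{"name":"libsrtp","version":"2.5.0"},{"name":"busybox","version":"1.36.1"}]}`
var sampleAdvisories = []Advisory{
	{"ADV-0001", "openssl", "3.0.0", "3.0.12"}, // fixed in 3.0.12: 3.0.9 is affected
	{"ADV-0002", "libsrtp", "2.0.0", "2.5.0"},  // fixed in 2.5.0: 2.5.0 is clean
	{"ADV-0003", "busybox", "1.36.0", ""},      // no fix yet: 1.36.1 is affected
}
func main() {
	fmt.Println(MatchSBOM([]byte(sampleSBOM), sampleAdvisories))
}
```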
2. Product Security (Annex I Part I)
Implement zero-trust network architecture principles for equipment management interfaces
Telecom equipment management (via NETCONF, RESTCONF, TR-069) must use strong authentication, encrypted transport, and access controls. Eliminate unauthenticated management access.
Encrypt all management traffic and user data plane traffic where the equipment processes it
Management plane: TLS 1.3 for all NETCONF/RESTCONF. Control plane: IPsec or MACsec for inter-node traffic. Implement according to 3GPP security architecture for 5G.
Implement cryptographically signed software updates — ETSI NFV and 3GPP security specifications provide relevant guidance
Use signing frameworks aligned with ETSI NFV-SEC specifications. Software updates to live network equipment must be signed, integrity-verified, and support hitless upgrade where possible.
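As an added example (not code from this page, from any vendor, or from an ETSI NFV-SEC specification), a minimal Go signer and device-side verifier showing the properties the item requires: a signed manifest that binds the image hash, a pinned verification key, a platform check and anti-rollback on the version. The manifest layout is hypothetical, the image bytes are constructed, and a freshly generated key stands in for the vendor's pinned signing key.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)
// Manifest is the signed metadata shipped with an update image (hypothetical
// layout, not a vendor or ETSI format). Version must increase monotonically.
type Manifest struct {
	Platform string `json:"platform"`
	Version  uint64 `json:"version"`
	ImageSHA string `json:"image_sha256"`
}
// SignManifest (build side) binds the image hash into the manifest and signs it.
func SignManifest(priv ed25519.PrivateKey, platform string, version uint64, image []byte) (raw, sig []byte) {
	sum := sha256.Sum256(image)
	raw, _ = json.Marshal(Manifest{Platform: platform, Version: version, ImageSHA: fmt.Sprintf("%x", sum)})
	return raw, ed25519.Sign(priv, raw)
}
// VerifyUpdate (device side) accepts an update only if the signature checks under the
// pinned vendor key, the platform matches, the version is newer (anti-rollback) and the image matches the signed hash.
func VerifyUpdate(pub ed25519.PublicKey, platform string, installed uint64, raw, sig, image []byte) error {
	if !ed25519.Verify(pub, raw, sig) {
		return errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return err
	}
	if m.Platform != platform {
		return errors.New("manifest targets a different platform")
	}
	if m.Version <= installed {
		return errors.New("rollback rejected: version not newer than installed")
	}
	if sum := sha256.Sum256(image); fmt.Sprintf("%x", sum) != m.ImageSHA {
		return errors.New("image hash does not match signed manifest")
	}
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the pinned vendor key
	image := []byte("constructed firmware image bytes")
	raw, sig := SignManifest(priv, "dslam-x1", 42, image)
	fmt.Println("genuine:", VerifyUpdate(pub, "dslam-x1", 41, raw, sig, image))
	fmt.Println("rollback:", VerifyUpdate(pub, "dslam-x1", 42, raw, sig, image))
}
```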
Provide network resilience against denial-of-service attacks targeting management interfaces and control planes
Telecom equipment management interfaces must implement rate limiting, connection throttling, and anomaly detection to resist DoS attacks.
3. CVD Policy & Vulnerability Handling
Publish a CVD policy with a dedicated telecom security contact and clear response timelines
Telecom equipment vulnerabilities can affect millions of users when exploited in carrier networks. A mature CVD process with telecom security expertise is essential.
Coordinate vulnerability disclosures with ETSI, 3GPP, and national telecom CERTs for network-wide impact vulnerabilities
Vulnerabilities in core network equipment may require coordinated disclosure across multiple operators and regulatory bodies. Build multi-stakeholder disclosure into your CVD process.
Define security support periods reflecting carrier network asset lifecycles — minimum 10 years for infrastructure equipment
Core network equipment is deployed for 10–15 years. Publish per-platform end-of-security-support dates at product launch. Provide migration guidance well before end of support.
4. Article 14 Incident Reporting
Define Article 14 triggers for telecom equipment — focus on exploits enabling call interception, network disruption, or mass data exfiltration
Exploitation of core network equipment is a high-severity national security event. Define and pre-approve triggers at C-level to enable fast Article 14 notification decisions.
Coordinate Article 14 ENISA reporting with national telecom regulator notifications and, where applicable, national security authorities
Telecom security incidents may require parallel notifications to ENISA, national telecom regulators (under EECC), and national security authorities. Pre-plan all notification tracks.
5. CE Marking & Conformity Assessment
Complete Notified Body Type Examination for Class II core network equipment — align technical file with ETSI EN 303 645 and relevant ETSI ISG standards
ETSI produces relevant standards for telecom equipment security. Aligning with applicable ETSI standards will streamline Notified Body assessment and provide presumption of conformity when harmonised under CRA.
Issue EU Declaration of Conformity for all equipment placed on the EU market
The DoC must reference the CRA. For radio-based telecom equipment, also reference the Radio Equipment Directive.
Frequently asked questions
Our company supplies both consumer CPE and core network equipment — do we need different compliance approaches?
Yes. Consumer CPE (Default class) can self-declare conformity. Core network equipment (Class II) requires third-party Notified Body assessment. You should run separate compliance tracks for each product category. The Annex I technical requirements are the same across classes — only the conformity assessment procedure differs.
We manufacture equipment that is 5G-capable but currently deployed in 4G networks — how are we classified?
Classification is based on the product's capabilities and its role in the network, not the version of network it is currently deployed in. 5G-capable equipment that will be deployed in 5G core networks is Class II. Current 4G-only deployment does not reduce the classification if the product is designed for or will be deployed in 5G infrastructure.
How does the EU 5G security toolbox interact with CRA compliance obligations?
The EU 5G Security Toolbox is a policy framework for managing risks from high-risk suppliers in 5G networks — it operates at the operator and national level, not the product level. The CRA operates at the product level. They are complementary: the CRA ensures products meet minimum security requirements; the 5G toolbox ensures operators do not deploy products from high-risk suppliers in sensitive network functions. Both apply independently.