Sector: Retail. Deadline: September 2026

CRA Compliance Checklist: Vending Machines & Interactive Kiosks

Default to Annex III Class I — connected vending machines and interactive kiosks are products with digital elements; payment-integrated kiosks may attract Class I

Connected vending machines and interactive kiosks — including self-service retail kiosks, bill payment terminals, information kiosks, and automated retail machines — are products with digital elements subject to the CRA. Those integrating payment processing overlap with PCI DSS requirements. Kiosks deployed in public spaces face specific risks including physical tampering, kiosk breakout attacks, and unauthorised data access. Most are Default class; payment kiosks may be Class I.

14 checklist items (12 high priority). Deadline: September 2026. Sector: Retail.

1. Scope & Classification

Confirm all networked vending machines and interactive kiosks with updateable software are in CRA scope

Priority: high. Reference: Article 3(1)

Any kiosk or vending machine with network connectivity and updateable firmware is in scope. Map all product variants — basic vending machines with remote monitoring up to full touchscreen kiosks.

Assess Class I for payment-integrated kiosks given their payment infrastructure role

Priority: medium. Reference: Annex III, Class I

Kiosks processing financial transactions may be Class I as important products processing payment card data. Assess based on transaction volumes and payment data sensitivity.

Compile SBOM covering kiosk OS (often Windows IoT or Android), kiosk application software, payment module firmware, and remote management client

Priority: high. Reference: Article 10(6)

Kiosk software stacks include the host OS, kiosk lockdown software, application layer, and payment terminal integration. Track all components.

2. Product Security (Annex I Part I)

Implement kiosk lockdown to prevent users accessing underlying OS, file system, or network configuration

Priority: high. Reference: Annex I, Part I(5)

Public kiosks face deliberate attempts to break out of the kiosk application to access the underlying OS. Implement multi-layer lockdown: app-level restrictions, OS-level controls, and physical security.

Disable all unused ports and services — physical USB ports, debugging interfaces, remote desktop, and unnecessary network services

Priority: high. Reference: Annex I, Part I(5)

Public-facing kiosks must have all unused USB ports disabled (physically or via OS policy), developer mode disabled, and only necessary network services running.
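The two preceding items (kiosk lockdown and disabling unused ports and services) can be verified on a Windows IoT kiosk with a read-only audit. The script below is an added example, not part of the checklist or any vendor's tooling; the kiosk account name and the allowed listening ports are assumptions that each deployment must set, and the Assigned Access property names are taken from the single-app kiosk configuration of Windows 10/11 IoT Enterprise.

```powershell
# Added example: read-only audit of kiosk lockdown and unused-port settings on Windows IoT.
# Assumptions: the Assigned Access (kiosk mode) account is named 'KioskUser', and only
# the kiosk app's local backend (8080) and the management agent (8443) may listen.
$ExpectedKioskUser = 'KioskUser'            # assumption
$AllowedListenPorts = @(8080, 8443)          # assumption

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # missing key/value is treated as "not configured"
}

$listening = Get-NetTCPConnection -State Listen |
    Select-Object -ExpandProperty LocalPort -Unique
$unexpectedPorts = $listening | Where-Object { $_ -notin $AllowedListenPorts }

$checks = @(
    @{ Item = 'USB mass storage driver disabled (USBSTOR Start=4)'
       Ok   = (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start') -eq 4 },
    @{ Item = 'Remote Desktop connections denied (fDenyTSConnections=1)'
       Ok   = (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections') -eq 1 },
    @{ Item = 'Developer mode off (AllowDevelopmentWithoutDevLicense != 1)'
       Ok   = (Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock' 'AllowDevelopmentWithoutDevLicense') -ne 1 },
    @{ Item = "Assigned Access (kiosk mode) configured for '$ExpectedKioskUser'"
       Ok   = [bool](Get-AssignedAccess | Where-Object { $_.UserName -eq $ExpectedKioskUser }) },
    @{ Item = "No listening TCP ports outside allow-list (found: $($unexpectedPorts -join ','))"
       Ok   = (@($unexpectedPorts).Count -eq 0) }
)

$failures = 0
foreach ($c in $checks) {
    $tag = if ($c.Ok) { 'PASS' } else { 'FAIL'; $failures++ }
    Write-Output ("[{0}] {1}" -f $tag, $c.Item)
}
# Non-zero exit lets a fleet management job flag this unit for remediation.
exit $failures
```

Run it elevated on a deployed unit or through the fleet management console; each FAIL line maps back to the checklist item it violates.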

Implement hardware tamper detection for payment-integrated kiosks — detect skimming device attachment and physical access attempts

Priority: high. Reference: Annex I, Part I(7)

Payment kiosks face skimming attacks. Implement tamper-evident seals, enclosure intrusion detection, and regular physical inspection protocols. Align with PCI PTS for payment components.

Implement encrypted management communications and authenticated remote access for all kiosk management operations

Priority: high. Reference: Annex I, Part I(3)

Remote management of deployed kiosks must be encrypted and authenticated. Eliminate plaintext remote management protocols (VNC without TLS, unencrypted HTTP management).

3. CVD Policy & Vulnerability Handling

Publish a CVD policy for kiosk software and hardware vulnerabilities — kiosks face both remote and physical attack vectors

Priority: high. Reference: Article 13(1)

Kiosk security research covers both software vulnerabilities and physical attacks. A CVD policy must address both reporting types.

Provide remote patch deployment capability for deployed kiosk fleets — minimise the need for on-site technician visits for security patches

Priority: high. Reference: Annex I, Part II(1)

Kiosks are deployed at scale in public locations. Remote patch delivery is essential for timely security remediation. Implement a fleet management console with patch deployment tracking.

Define security support lifecycle for kiosk hardware — minimum 5 years from last unit production

Priority: medium. Reference: Annex I, Part II(5)

Kiosk deployments last 5–10 years. Publish per-model security support end dates and provide hardware refresh guidance as end of support approaches.

4. Article 14 Incident Reporting

Define Article 14 triggers — focus on mass kiosk compromise, payment data exfiltration, or persistent malware in kiosk fleet

Priority: high. Reference: Article 14(1)

An exploit achieving persistent code execution across a fleet of deployed kiosks, particularly payment kiosks, is a high-severity Article 14 trigger.

Coordinate Article 14 reporting with PCI incident response for payment kiosk incidents

Priority: high. Reference: Article 14(2)

Payment data breaches on kiosks require parallel notifications: CRA Article 14 (ENISA), GDPR Article 33 (DPA), and payment brand notifications. Pre-plan all notification tracks.

5. CE Marking & Technical Documentation

Prepare CRA technical file including kiosk lockdown architecture, tamper detection design, SBOM, and remote management security

Priority: high. Reference: Article 23, Annex V

Technical documentation should demonstrate the multi-layer security of public-facing kiosks: physical security, OS lockdown, application security, and network security.

Issue EU Declaration of Conformity referencing the CRA — include payment module compliance documentation for payment kiosks

Priority: high. Reference: Article 20, Article 22

DoC must reference the CRA. For payment-integrated kiosks, also reference any applicable payment regulation compliance (PCI PTS) in the technical documentation.


Frequently asked

Our kiosk runs Windows IoT. Do Microsoft's security patches satisfy our CRA obligations?

Microsoft provides Windows IoT security patches, but applying them is your responsibility as the kiosk manufacturer. You must establish a process to receive Microsoft patches, test them against your kiosk application, and deploy them to your installed fleet. Microsoft's own CRA compliance for Windows IoT does not transfer to your kiosk product — you are responsible for the security of the complete product you place on the market.

A customer installs our kiosk software on their own hardware. Are we still the CRA manufacturer?

If you supply software that a customer installs on their own hardware, you are the manufacturer of the software product. Your CRA obligations relate to the software — CVD policy, SBOM, security updates. The customer who assembles the complete kiosk from your software and their hardware may take on manufacturer obligations for the integrated product. Your software licence should clearly address CRA responsibilities and security requirements for deployment.

Our vending machines are operated by a third-party operator after installation. Who is responsible for applying security patches?

You, as the manufacturer, are responsible for making security patches available. The operator is responsible for applying them in their deployed fleet. Your support contract with the operator should clearly define patch notification obligations, patch availability timelines, and the operator's obligation to apply critical patches within defined timescales. Remote patch deployment capability significantly reduces the operational burden on the operator.
