IndustrialDeadline: September 2026

CRA Compliance Checklist: Warehouse Automation & Logistics Systems

Annex III Class I — warehouse automation systems with networked safety-critical control elements; Class II if integrated into critical supply chain infrastructure

Warehouse automation systems — including autonomous guided vehicles (AGVs), conveyor control systems, warehouse management systems (WMS), and robotic picking systems — are networked products with safety-critical digital elements subject to the CRA. Their classification as Annex III Class I reflects their safety implications and importance to supply chains. Systems forming part of critical logistics infrastructure may be Class II.

checklist items

high priority

September 2026

deadline

Industrial

sector

Track progress free →

CRA Classification:Annex III Class I — warehouse automation systems with networked safety-critical control elements; Class II if integrated into critical supply chain infrastructure

1. Scope & Classification

Confirm all networked warehouse automation components — AGVs, conveyor controllers, WMS, picking systems — are in scope

highArticle 3(1)

Every networked component in a warehouse automation system with updatable software is a product with digital elements. Map the full system and identify all CRA-scoped components.

Assess Class I vs Class II classification based on integration into critical supply chain or logistics infrastructure

highAnnex III, Class I / Class II

Warehouse systems serving pharmaceutical distribution, food supply, or other critical supply chains may be classified as Class II given their potential for widespread societal impact.

Assess intersection with EU Machinery Regulation for AGVs and robotic picking systems — both CRA and Machinery Regulation apply

highArticle 6, CRA / Machinery Regulation (EU) 2023/1230

AGVs and robotic arms are machinery subject to the Machinery Regulation. Coordinate your safety and cybersecurity compliance programmes.

Compile SBOM for all system components including fleet management software, WMS, navigation algorithms, and communication middleware

highArticle 10(6)

Warehouse systems often integrate components from multiple vendors. Obtain SBOMs from all software component suppliers.

2. Product Security (Annex I Part I)

Implement authentication and authorisation for all AGV fleet management, WMS, and conveyor control interfaces

highAnnex I, Part I(2)

Unauthorised access to AGV fleet controllers could cause collisions or disrupt warehouse operations. Enforce role-based access control with MFA for all management interfaces.

Encrypt all communications between AGVs, fleet controllers, and WMS over warehouse networks

highAnnex I, Part I(3)

AGV navigation commands and sensor data should be encrypted. An attacker able to intercept and inject navigation commands could cause physical incidents.

Implement network segmentation to isolate automation control networks from corporate IT and public internet

highAnnex I, Part I(5)

Warehouse automation networks should operate in isolated network segments. Remote access for maintenance must be through authenticated, encrypted VPN connections.

Ensure safety functions (emergency stops, collision avoidance) are implemented in hardware or safety-rated firmware independent of network commands

highAnnex I, Part I(7)

Safety functions must not be defeatable via software commands over the network. Hardware safety interlocks must be independent of the networked control system.

3. CVD Policy & Vulnerability Handling

Publish a CVD policy and security contact for warehouse automation and logistics system vulnerabilities

highArticle 13(1)

Warehouse automation systems are increasingly targeted. A CVD policy with logistics automation expertise enables effective vulnerability handling.

Provide security patches with minimal downtime requirements — support offline or delta update mechanisms

highAnnex I, Part II(1)

Warehouse operations run 24/7. Patches must be deployable during shift changes or scheduled maintenance with minimal disruption to operations.

Define security support lifecycle appropriate to warehouse automation asset lifecycles — minimum 10 years

highAnnex I, Part II(5)

Warehouse automation systems are capital investments with 10–15 year lifecycles. Publish per-product security support end dates at launch.

4. Article 14 Incident Reporting

Define Article 14 triggers for warehouse automation incidents — focus on safety system compromise, supply chain disruption, and data exfiltration from logistics systems

highArticle 14(1)

A vulnerability enabling remote manipulation of AGV navigation or conveyor systems represents a significant Article 14 trigger. Define and document your criteria.

Document and test the Article 14 notification procedure — 24h, 72h, 14-day milestones with named owners

highArticle 14(2)

Use the CVD Portal Article 14 timeline tool to plan and document your process. Assign named owners for each reporting milestone.

5. CE Marking & Technical Documentation

Prepare an integrated CRA and Machinery Regulation technical file for AGVs and robotic systems

highArticle 23, Annex V

AGV technical files typically already exist for Machinery Regulation compliance. Extend with CRA cybersecurity risk assessment, SBOM, and CVD policy.

Issue EU Declaration of Conformity referencing the CRA for all warehouse automation products

highArticle 20, Article 22

Each product in the warehouse automation portfolio needs its own or family DoC. Ensure the CRA is explicitly listed.

Track your Warehouse Automation & Logistics Systems compliance progress in CVD Portal.

Public CVD submission portal, Article 14 deadline alerts, SBOM tracking, and CSAF advisory generation. Free forever for manufacturers.

Start your free portal

Frequently asked

Our AGVs use proprietary wireless protocols — do they still need to meet CRA requirements?+

Yes. The CRA requirements in Annex I apply regardless of the wireless protocol used. Proprietary protocols must meet the same security standards as standard protocols — encrypted communications, authenticated access, and protection against interference. If the proprietary protocol lacks encryption, you must implement encryption at the application layer.

We supply WMS software only — not the hardware. Does CRA apply to pure software products?+

Yes. The CRA explicitly covers software products with digital elements, including standalone software. WMS software that connects to warehouse networks and controls automation equipment is in scope. All Annex I requirements apply. Software-only manufacturers must publish CVD policies, maintain SBOMs, and provide security updates.

Our warehouse system is deployed in a single customer site and customised for them — is it 'placed on the market'?+

If you supply the system commercially to a customer, it is placed on the market and CRA applies. Bespoke custom development for a single customer is still market placement. The only exception is software developed entirely in-house by the end user for their own use — that operator would then hold CRA-equivalent obligations as the manufacturer.

Related compliance checklists

Industrial Robotics & Collaborative Robots

Industrial

→

Industrial Controllers & PLCs

Industrial & Manufacturing

→

CNC Machines & Industrial 3D Printers

Industrial

→

IoT Sensors & Connected Devices

Industrial & Manufacturing

→

Need a CVD policy for Warehouse Automation & Logistics Systems?

Download a free CRA-compliant disclosure policy template and deploy it in minutes.

Browse templates →