EU Cyber Resilience Act Guide for Access Control & Physical Security Vendors

Access control products within CRA scope include network-connected door controllers, smart card and RFID readers, biometric terminals (fingerprint, face recognition, iris scanners), visitor management platforms, electronic lock hardware with management software, and integrated physical security management systems.

Annex III explicitly identifies identity management and access control products as Important Class I. This means virtually all networked access control products — from a single door controller with IP connectivity to an enterprise-scale physical security management system — require third-party conformity assessment. Products that process biometric data are subject to additional obligations under GDPR in parallel with CRA cybersecurity requirements. Vendors must address both sets of obligations: GDPR's data protection by design requirements and CRA's cybersecurity by design requirements simultaneously.

Access control products must satisfy CRA Annex I requirements that directly address the security vulnerabilities historically prevalent in physical security systems:

• Elimination of default credentials: Access control panels, door controllers, and management software that ship with default administrative passwords are prohibited. Per-device unique credentials or enforced first-use configuration is required.
• Encrypted communications: Communication between door controllers, readers, and management servers must be encrypted. Legacy Wiegand interfaces are unencrypted by design — vendors using OSDP (Open Supervised Device Protocol) are better positioned.
• Firmware integrity: All firmware updates to access control hardware must be cryptographically signed and verified before installation.
• Biometric data protection: Where biometric data is stored on-device (e.g., fingerprint templates), it must be stored in encrypted, tamper-resistant storage.
• Audit logging: All access events, credential modifications, and administrative actions must be logged with attribution and timestamps, accessible to authorised facility security staff.

Physical security vendors have traditionally been reluctant to engage with vulnerability disclosure due to concerns about competitor exploitation of disclosed weaknesses and customer alarm. Article 13 makes this avoidance legally untenable — a formal, publicly accessible CVD policy is mandatory for all products with digital elements.

• Specify the scope of products covered
• Provide a secure submission channel (encrypted email or web form)
• Define a response timeline — particularly important for physical security where a disclosed vulnerability can directly enable facility intrusion
• Commit to coordinated disclosure with customers before public publication, given the physical security implications of unpatched access control vulnerabilities

The CVD policy need not publish technical details that would enable immediate physical attacks. The CRA requires a disclosure process, not immediately weaponisable security advisories. CSAF advisories can be structured to provide patch availability information and risk ratings without full vulnerability details.

Active exploitation of access control vulnerabilities is a particularly serious class of security incident because it can enable physical security breaches — unauthorised access to data centres, government facilities, or critical infrastructure. Article 14's 24-hour ENISA notification requirement applies when exploitation is confirmed.

• Exploitation of management interface vulnerabilities to remotely unlock doors or disable alarm systems
• Cloning of card credentials due to weak authentication protocol implementations
• Compromise of biometric systems to create fraudulent identity enrolments

Vendors must maintain monitoring capabilities that can detect exploitation signals and must have escalation procedures that can generate an ENISA notification within 24 hours. The notification must identify the affected product, the nature of the exploitation, and any immediate mitigations (e.g., network isolation, temporary alternative access procedures). Customer notification in parallel with ENISA reporting is essential given the physical security implications.

All networked access control products classified as Important Class I require third-party conformity assessment under Article 24. Vendors should plan assessment scope to cover:

1. Annex I Part I technical security requirements — particularly authentication, encryption, and update integrity
2. Biometric data security provisions (in conjunction with GDPR data protection impact assessment)
3. CVD policy operational status
4. SBOM completeness, including firmware components and management software dependencies
5. Supported lifetime declaration and patch delivery process

Vendors with products certified under IEC 62443 (for industrial-grade access control), FIDO (for biometric authentication), or ONVIF Profile A (for access control interoperability) can leverage those certifications as supporting evidence. Access control vendors serving government and high-security facility markets may also face national security evaluation requirements (e.g., UK NCSC's CAPSS, German BSI schemes) that provide additional conformity evidence.