EU Cyber Resilience Act Guide for Professional Audio-Visual Equipment Vendors

Professional AV equipment within CRA scope includes: IP-networked audio digital signal processors (DSPs), videoconferencing endpoints and room systems, streaming encoders and decoders, AV-over-IP distribution systems, broadcast routing and switching hardware, digital media players and signage controllers, and AV control systems with network management interfaces.

Most professional AV hardware with IP connectivity and management software falls into Default Class. However, AV systems deployed in security-sensitive environments — government facilities, boardrooms handling sensitive discussions, critical infrastructure control rooms — and AV management platforms controlling large distributed AV networks may be classified as Important Class I depending on their network connectivity and data processing capabilities. Vendors must assess each product's network exposure and management capabilities to determine appropriate classification.

Professional AV equipment has traditionally been managed by AV integrators rather than IT security teams, with many installations using factory default credentials on AV processors and control systems connected to the enterprise network. CRA Annex I directly addresses this systemic weakness:

• No default credentials: AV processors, conference room systems, and streaming hardware must require credential configuration at first use. The widespread practice of using default credentials (e.g., admin/admin on AV processors) is prohibited.
• Encrypted management interfaces: Web management interfaces and API control channels must use HTTPS with valid certificates. Unencrypted HTTP management access must not be enabled by default.
• Authenticated firmware updates: AV hardware firmware updates must be cryptographically authenticated before installation. Unsigned firmware upload capability must be restricted.
• Network segmentation support: AV hardware must support operation in network-segmented AV VLANs without requiring access to corporate IT network resources.
• SBOM maintenance: AV equipment running embedded Linux with AV processing libraries and network management frameworks requires comprehensive SBOM documentation.

Professional AV vendors have traditionally not maintained formal CVD programmes, with security issues often handled informally through integrator channels. Article 13 requires a formal, publicly accessible CVD policy for all products with digital elements.

• Cover all IP-networked AV products
• Be publicly accessible via the corporate security.txt and security pages
• Provide a submission channel for security researchers and enterprise IT security teams who may discover vulnerabilities in AV equipment installed on their networks
• Define response timelines and advisory publication process

AV vendors should recognise that enterprise IT security teams — responsible for all devices on the corporate network including AV equipment — increasingly conduct security assessments of AV systems and will require a formal disclosure channel to report findings. The CVD policy enables a professional relationship with these internal and external researchers. CVD Portal provides the intake infrastructure for vendors establishing CVD programmes for the first time.

Article 14 incident reporting for AV vendors covers active exploitation of vulnerabilities in networked AV hardware or management software. AV equipment on enterprise networks has been used as an attack vector for lateral movement in documented enterprise security incidents — a compromised conference room AV system can provide a foothold on the corporate network.

• Exploitation of AV processor web management vulnerabilities for unauthorised access to enterprise networks
• Use of compromised AV equipment for eavesdropping on conference room audio or video
• Firmware replacement on AV hardware to establish persistent network access

The 24-hour ENISA notification must be triggered when active exploitation is confirmed through threat intelligence or customer reports. Vendors should maintain a process for receiving exploitation reports from enterprise IT security teams, who are often the first to detect AV equipment compromise within their environments.

Default Class professional AV products may use Module A self-assessment. The technical file for professional AV hardware must address the specific network management security architecture that has historically been a weakness in this product category.

1. Document the classification rationale — confirm Default Class or justify Class I if applicable
2. Assess the product against Annex I Part I, with specific attention to default credentials, management interface security, and firmware update authentication
3. Prepare a threat model that accounts for AV equipment as a network-connected device on enterprise infrastructure
4. Maintain an SBOM for firmware and management software components
5. Issue the EU Declaration of Conformity

Vendors with products used in government, defence, or security-sensitive facilities should consider voluntary Class I assessment even where Default Class applies, as government procurement processes are increasingly requiring third-party security certification evidence.