EU Cyber Resilience Act Guide for Electronic Lock & Smart Door Manufacturers

Electronic access control products placed on the EU market — including smart padlocks, Bluetooth door locks, Wi-Fi enabled deadbolts, NFC access card readers, cloud-based access management platforms, and networked door access controllers — are products with digital elements under Article 3(1). Classification analysis must consider the deployment context: consumer smart locks for residential use are likely Important Products Class I. Enterprise access control systems integrated with building management, alarm, and CCTV infrastructure may qualify as Class II Important Products depending on their role in the building security architecture. Access control systems protecting critical infrastructure facilities — data centres, utilities, government buildings — carry elevated risk profiles that may support Class II classification. Consumer smart locks are also subject to the RED Delegated Act cybersecurity requirements from August 2025, creating a pre-CRA compliance baseline that manufacturers should leverage.

Smart locks and electronic access systems present a unique security challenge: the consequence of a cybersecurity failure is physical access to protected spaces. This elevates the risk profile significantly compared to purely digital products. Annex I requires: eliminating default shared credentials — each device must be uniquely provisioned or require credential setup before activation; implementing cryptographic authentication for all lock/unlock commands, whether delivered via Bluetooth, Wi-Fi, NFC, or cloud API; protecting against replay attacks on wireless unlock signals; ensuring firmware update mechanisms are authenticated and cannot be used to deliver malicious firmware; implementing rollback protection preventing downgrade to vulnerable firmware versions; providing transparent access logs to device owners; and designing for graceful failure — the device behaviour on network or power failure must be documented and controllable. The SBOM must cover all wireless communication stacks and cloud connectivity libraries.

Article 13 requires a published CVD policy. For electronic lock manufacturers, the CVD programme is particularly important because vulnerabilities in smart locks — authentication bypass, Bluetooth replay attacks, firmware downgrade attacks — directly enable physical crime. Security researchers actively scrutinise smart lock products, and multiple high-profile disclosure events have demonstrated the reputational damage that results from inadequate CVD practices. The CVD policy must: establish a dedicated security reporting channel; commit to rapid response timelines given the physical security implications of lock vulnerabilities; specify how security updates are delivered to consumer products where users may not actively check for updates; and address how vulnerabilities are communicated to building managers and enterprise customers responsible for large-scale access control deployments. Coordinating with law enforcement where active exploitation is enabling physical crime is a prudent addition to the CVD policy.

Article 14 requires notification to the relevant national CSIRT within 24 hours of confirmed active exploitation. For smart lock manufacturers, active exploitation — a vulnerability being used to gain unauthorised physical access to properties — may simultaneously constitute a criminal offence requiring law enforcement notification. The incident response plan must address both regulatory notification and law enforcement notification channels. Because smart lock exploits enabling physical crimes may not be immediately visible to the manufacturer (unlike cloud service exploits that generate server-side logs), vendors should implement telemetry that provides visibility into unusual unlock patterns, failed authentication attempts, and anomalous firmware query behaviour that might indicate active exploitation at scale. Consumer products require different monitoring approaches than enterprise access systems.

Physical access control hardware has a long expected product lifetime — smart locks installed in residential properties or commercial buildings are commonly expected to last 5–10 years. Annex I Part II requires manufacturers to support products with security updates for the expected lifetime or 5 years, whichever is shorter. For smart lock manufacturers, this means maintaining cloud-side update infrastructure, backend authentication services, and security patch development pipelines for products sold over a long period. The support period must be clearly communicated at point of sale. When a product reaches end-of-support, manufacturers must notify customers in advance and cannot leave consumers with connected devices that are no longer receiving security updates without providing migration options. For cloud-dependent smart locks, the implications of cloud service termination for product functionality must be explicitly disclosed.