EU Cyber Resilience Act Guide for Firewall & Network Security Appliance Manufacturers
Important — Class II (explicitly listed in Annex III)
Firewall and network security appliances are explicitly listed as Important Products Class II in Annex III of the CRA, so they are subject to mandatory third-party conformity assessment by an EU notified body (or certification under a European cybersecurity certification scheme at an appropriate assurance level). Manufacturers face the highest tier of CRA obligations: the secure-by-design essential requirements of Annex I, a mandatory coordinated vulnerability disclosure (CVD) policy, and Article 14 reporting of actively exploited vulnerabilities, which starts with an early warning within 24 hours of becoming aware. Because security appliances are frequently targeted in nation-state and ransomware campaigns, robust vulnerability management is both a regulatory and a reputational imperative.
CRA Classification: Firewalls as Class II Important Products
Annex III of the CRA explicitly lists firewalls and intrusion detection/prevention systems as Important Products Class II. This classification is non-negotiable for manufacturers of network firewalls, next-generation firewalls (NGFW), unified threat management (UTM) appliances, and hardware-based network intrusion prevention systems placed on the EU market. Class II status mandates third-party involvement in conformity assessment; self-declaration of conformity (internal control, Module A) is not permitted. Manufacturers of virtual firewall appliances and software-defined perimeter products sold as standalone commercial products are also captured, since the CRA applies to products with digital elements regardless of form factor. Components supplied solely for integration into products that are themselves never placed on the EU market fall outside the scope. Manufacturers should begin notified body engagement as early as possible: notified bodies can only be designated once the relevant chapter applies (from 11 June 2026), their capacity is finite, and the main obligations, including conformity assessment, apply from 11 December 2027. Note that the Article 14 reporting obligations apply earlier, from 11 September 2026, regardless of whether a product has yet been assessed.
Annex I Technical Obligations for Security Appliances
The CRA's Annex I requirements are particularly demanding for security appliance manufacturers, given the irony that these products, which protect customer networks, are themselves high-value attack targets. Annex I Part I is written in technology-neutral terms (secure-by-default configuration, protection against unauthorised access, confidentiality and integrity of data and firmware, attack surface limitation, logging of security-relevant activity); for a firewall, meeting those requirements in practice means: eliminating shared default administrator credentials and forcing strong, unique credentials to be set during initial configuration; enforcing encrypted management interfaces that support current TLS versions (TLS 1.2 or later) with deprecated protocols disabled; ensuring firmware update packages are signed and that the device verifies the signature before installation, with rollback to known-vulnerable versions prevented; implementing an authenticated (verified) boot chain; providing comprehensive audit logging with tamper-evident storage or forwarding; and documenting every network service exposed by the management plane. Annex I also requires the attack surface to be limited: every service, port, and protocol enabled by default must be justified or disabled. Annex II requires user-facing information on secure installation and configuration, which for these products is best delivered as hardening guides covering all supported deployment models.
CVD Policy and Article 13: Expectations for Security Vendors
Security appliance manufacturers are held to a higher standard by the vulnerability research community: researchers and threat intelligence teams actively scrutinise firewall products, and the quality of a vendor's CVD programme is publicly evaluated. Article 13, through the vulnerability handling requirements of Annex I Part II, requires manufacturers to put in place and enforce a CVD policy, including a published contact address for reporting vulnerabilities, defined acknowledgment and response timelines, and dissemination of security updates together with advisories that tell users what action to take. For manufacturers whose products are deployed in critical infrastructure, financial services, and government networks, the CVD policy should also address interaction with national CSIRTs and sector-specific information sharing and analysis centres (ISACs). The policy should state explicitly how vulnerabilities that are already being exploited before a fix exists are handled, including whether exploit details are shared with government cybersecurity agencies under coordinated multi-party disclosure frameworks. CVD Portal provides enterprise CVD programme management that meets these Article 13 requirements.
Article 14 Reporting: High Frequency Vulnerability Landscape
Firewall and security appliance manufacturers face a disproportionate Article 14 reporting burden because their products are among the most actively exploited in the cybersecurity landscape. High-severity vulnerabilities in perimeter security appliances (authentication bypass, remote code execution, credential extraction) are routinely weaponised within days of disclosure, and sometimes before it. Article 14 sets a staged timeline for an actively exploited vulnerability: an early warning within 24 hours of becoming aware of the exploitation, a fuller vulnerability notification within 72 hours, and a final report no later than 14 days after a corrective or mitigating measure is available. Notifications go to the CSIRT designated as coordinator and to ENISA via the single reporting platform, and the 24-hour early warning is due even if no patch is yet available. Severe incidents affecting product security carry a similar 24-hour/72-hour cadence. Meeting these deadlines requires a standing incident response capability with pre-authorised notification procedures, so that the decision to notify does not wait on legal or executive sign-off at the last minute. Manufacturers with large installed bases must also be able to identify quickly which customers are running vulnerable versions, enabling targeted customer notification alongside regulatory reporting. Delayed notification exposes the manufacturer to market surveillance authority scrutiny and potential penalties.
Third-Party Conformity Assessment Process
Class II firewall products require assessment under Module H (full quality assurance) or Module B+C (EU-type examination followed by conformity to type), or alternatively certification under a European cybersecurity certification scheme at an assurance level of at least 'substantial'. Under Module H, the notified body assesses the manufacturer's entire quality management system, including the secure product development lifecycle, security testing methodology, and vulnerability management programme, and carries out periodic surveillance audits. Under Module B, the notified body examines the technical design and tests representative product configurations, issuing an EU-type examination certificate; under Module C, the manufacturer itself ensures, through internal production control, that each unit placed on the market conforms to the approved type, so any change to the design or the software stack must be assessed for whether it invalidates the type. Manufacturers who already hold ISO 27001 certification and operate a documented secure development lifecycle (SDL) typically find the notified body assessment considerably easier, because much of the evidence a notified body asks for already exists. Manufacturers should begin pre-assessment gap analysis in 2025 to allow time for remediation before engaging a notified body formally.
Long-Term Vulnerability Support Obligations
Annex I Part II requires manufacturers to actively monitor for vulnerabilities in their products throughout the declared support period and to issue security updates without delay. Article 13 sets the support period at a minimum of five years unless the product is expected to be in use for a shorter time; for firewall appliances deployed in enterprise and government networks, support periods of 5–10 years are the standard customer expectation. Manufacturers must maintain security update pipelines for all supported firmware branches, not only the latest major release. When a security update cannot be issued, for example because a vulnerability exists in a third-party component for which no patch is available, the manufacturer must document this in customer-facing security advisories and provide compensating configuration guidance. The end date of the support period must be stated clearly at the time of purchase; the CRA does not fix a minimum advance notice for support termination, but at least 12 months is a reasonable expectation, with customer migration pathways documented.
CVD Portal handles your CRA Article 13 obligations automatically.
Public CVD submission portal, 48-hour acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for Firewall & Network Security Appliance Manufacturers.
Start your free portal
Frequently asked
We manufacture both physical firewall appliances and a virtual firewall software product. Do both need notified body assessment?
Yes, if both are sold as independent products on the EU market. The CRA applies to products with digital elements regardless of physical form factor — both hardware appliances and standalone virtual appliance software packages are in scope. Each distinct product line requires its own conformity assessment documentation and declaration of conformity. However, if your virtual firewall is architecturally identical to the hardware product's software stack, you may be able to share substantial portions of the technical file and assessment evidence, reducing the overall cost of dual-pathway conformity.
Our firewall has an embedded operating system with hundreds of open-source packages. How do we manage SBOM requirements practically?
Software composition analysis (SCA) tooling, such as Syft, Trivy, or Black Duck, can generate machine-readable SBOMs from firmware images in SPDX or CycloneDX format. Annex I Part II requires the SBOM to be in a commonly used, machine-readable format and to cover at least the top-level dependencies of the product; for a firmware image the practical choice is to record every package in the image, since the transitive dependencies are where most CVEs land. Integrate the tooling into your CI/CD pipeline so the SBOM is regenerated with every firmware build, and retain and update it throughout the product support period as part of the technical documentation. You should also match automated vulnerability feeds (NVD, OSV, vendor advisories) against your SBOM so that new CVEs affecting your components trigger internal triage, supporting your Article 14 notification readiness.
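The matching step in the answer above, and the installed-base lookup described under Article 14 reporting, both reduce to checking a version against an advisory's affected ranges. The following is an added example, not code from the page or from CVD Portal: it takes a constructed CycloneDX SBOM fragment and constructed OSV-shaped advisories (the advisory IDs, package versions and customer identifiers are placeholders, not real vulnerabilities), returns the components that need triage, and then reuses the same range logic to list which customers run an affected firmware branch. The version comparator is a simplified dotted-numeric comparison, not an ecosystem-aware one; real triage should use the comparison rules of each package ecosystem.

```python
"""Triage a CycloneDX SBOM and an installed-base inventory against OSV-style advisories.

Added example with constructed inputs only; stdlib only, runs offline.
"""
import json
import re

# Constructed CycloneDX 1.5 fragment for a hypothetical firmware build.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "ngfw-firmware", "version": "7.2.1"}},
  "components": [
    {"type": "library", "name": "openssl",    "version": "3.0.12", "purl": "pkg:generic/openssl@3.0.12"},
    {"type": "library", "name": "busybox",    "version": "1.36.1", "purl": "pkg:generic/busybox@1.36.1"},
    {"type": "library", "name": "strongswan", "version": "5.9.8",  "purl": "pkg:generic/strongswan@5.9.8"}
  ]
}
"""

# Constructed advisories in the OSV "affected / ranges / events" shape. IDs are placeholders.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "summary": "hypothetical openssl flaw",
     "affected": [{"package": {"name": "openssl"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "3.0.0"}, {"fixed": "3.0.13"}]}]}]},
    {"id": "EXAMPLE-2024-0002", "summary": "hypothetical strongswan flaw, already fixed in 5.9.8",
     "affected": [{"package": {"name": "strongswan"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "5.9.0"}, {"fixed": "5.9.8"}]}]}]},
    {"id": "EXAMPLE-2024-0003", "summary": "hypothetical busybox flaw, no fix available",
     "affected": [{"package": {"name": "busybox"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "1.36.0"}]}]}]},
]


def parse_version(version):
    """Simplified comparator: numeric parts compare numerically, other parts lexically."""
    key = []
    for part in re.split(r"[.\-+]", version):
        key.append((0, int(part), "") if part.isdigit() else (1, 0, part))
    return tuple(key)


def in_range(version, events):
    """OSV event semantics: affected from 'introduced' up to but excluding 'fixed',
    or up to and including 'last_affected'. Events are assumed sorted, as OSV requires."""
    v = parse_version(version)
    affected = False
    for ev in events:
        if "introduced" in ev and v >= parse_version(ev["introduced"]):
            affected = True
        if "fixed" in ev and affected and v >= parse_version(ev["fixed"]):
            affected = False
        if "last_affected" in ev and affected and v > parse_version(ev["last_affected"]):
            affected = False
    return affected


def triage_sbom(sbom_json, advisories):
    """Return one finding per (component, advisory) pair whose version is in an affected range."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        v = parse_version(comp["version"])
        for adv in advisories:
            for aff in adv.get("affected", []):
                if aff["package"]["name"].lower() != comp["name"].lower():
                    continue
                for rng in aff.get("ranges", []):
                    if not in_range(comp["version"], rng["events"]):
                        continue
                    # First fix version above the running version, or None if no fix exists yet.
                    fixes = [e["fixed"] for e in rng["events"]
                             if "fixed" in e and parse_version(e["fixed"]) > v]
                    findings.append({"component": comp["name"], "version": comp["version"],
                                     "advisory": adv["id"], "fixed_in": fixes[0] if fixes else None})
    return findings


# Constructed installed-base inventory (customer id -> running firmware version).
INSTALLED_BASE = {"cust-a": "7.2.1", "cust-b": "7.0.9", "cust-c": "7.2.3", "cust-d": "6.4.15"}

# Constructed product-level advisory: two maintained branches, each with its own fix release.
FIRMWARE_ADVISORY_EVENTS = [{"introduced": "7.0.0"}, {"fixed": "7.0.10"},
                            {"introduced": "7.2.0"}, {"fixed": "7.2.3"}]


def affected_customers(installed_base, events):
    """Customers whose running firmware falls inside an affected branch range."""
    return sorted(cust for cust, ver in installed_base.items() if in_range(ver, events))


if __name__ == "__main__":
    for f in triage_sbom(SBOM_JSON, ADVISORIES):
        print(f"{f['component']} {f['version']}: {f['advisory']} (fixed in {f['fixed_in']})")
    print("customers to notify:", affected_customers(INSTALLED_BASE, FIRMWARE_ADVISORY_EVENTS))
```

The strongswan entry shows why the `fixed` boundary matters: a component already at the fix version must not generate a finding, or the triage queue fills with noise. The busybox entry, with no `fixed` event, is the case the Long-Term Vulnerability Support section discusses: a finding with no fix version available, which needs an advisory with compensating guidance rather than a patch. Customers running 7.1.x, between the two maintained branches in the constructed data, are reported as unaffected, which matches OSV semantics but is worth a sanity check against your real branch history.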
How does the CRA affect our end-of-life product announcements and customer communications?
The CRA formalises end-of-life communication obligations. Manufacturers must state the support period, including its end date, at the time of purchase; communicate any change to the support period with reasonable advance notice (the CRA sets no fixed figure, but industry practice and expected regulatory guidance suggest at least 12 months); and provide customers with migration paths or compensating controls when security updates cease. Abruptly ending support without customer notification could be treated as non-compliance by market surveillance authorities. Products placed on the market before 11 December 2027 are only brought into the full scope of the CRA if they are substantially modified after that date, but the Article 14 reporting obligations apply to them from 11 September 2026 regardless, so you should review your existing end-of-life policy against these expectations now and update customer communications accordingly.
Need a CVD policy template for Firewall & Network Security Appliance Manufacturers?
Download a free CRA-compliant vulnerability disclosure policy and deploy it in minutes.