EU Cyber Resilience Act Guide for Livestock Monitoring & Precision Livestock Farming

Precision livestock farming products placed on the EU market — including RFID and GPS ear tags with cellular data transmission, accelerometer-based activity and rumination monitors, automated milking system management software, indoor climate monitoring sensor networks, electronic identification (EID) readers with cloud connectivity, and livestock health monitoring platforms — are products with digital elements under Article 3(1) where they incorporate internet connectivity or communication with other networked devices. The CRA classification for most PLF devices will be Default (non-important), subject to standard security requirements. However, automated systems that directly control feeding, medication dispensing, or milking processes — where software errors or cyberattacks could affect animal welfare or food safety — may qualify as Important Products Class I. Vendors should document their classification analysis, noting any integrations with automated control systems.

PLF devices present typical agricultural technology challenges: outdoor deployment with weathering and physical access risks, long battery life requirements constraining available processing power for cryptographic operations, cellular or LPWAN connectivity with limited bandwidth, and deployment by farmers who are not IT professionals. Annex I requirements for PLF vendors include: implementing device authentication for cloud connectivity — using unique device credentials rather than shared secrets; encrypting livestock health and location data in transit; providing firmware update mechanisms that can deliver updates over cellular or LoRaWAN connections automatically; eliminating default shared credentials on farm management platforms; securing APIs used by farm management software and third-party integrations (e.g. veterinary health records, milk recording organisations); and providing clear end-user documentation on network security configuration. The SBOM must cover device firmware and cloud platform components. Data minimisation is particularly important given that livestock location and farm operational data can reveal commercially sensitive farm management practices.

Article 13 requires a published CVD policy with a dedicated security reporting channel. For PLF vendors — many of whom are growth-stage companies or established agricultural equipment manufacturers diversifying into digital services — establishing a CVD programme is often a new capability requirement. The CVD policy must specify: a security contact email and machine-readable security.txt file; acknowledgment timelines for vulnerability reports; the process for issuing and communicating security updates to farmer customers who may not actively monitor vendor communications; and coordination with relevant agricultural sector authorities for vulnerabilities with animal welfare implications. CVD Portal provides hosted CVD programme management that meets Article 13 requirements for vendors without dedicated security teams. The policy should also address how customers are notified when end-of-support dates for devices or cloud services are approaching.

Article 14 requires CSIRT notification within 24 hours of confirmed active exploitation. For PLF vendors, exploitation scenarios are primarily concerned with data access (livestock tracking data, herd health records, farm operational data) and, for automated systems, potential interference with feeding or medication dispensing. The 24-hour notification obligation requires a designated person within the vendor organisation with authority to make regulatory notifications, and pre-established contact details for the relevant national CSIRT. Agricultural technology incidents are less likely than energy or transport sector incidents to trigger concurrent notifications to other regulatory bodies, but for automated feeding or medication systems with animal welfare implications, consultation with relevant veterinary or food safety authorities is prudent. Notification procedures should be documented, tested annually, and include customer notification templates.

Most PLF devices qualify as Default-category products and may use manufacturer self-declaration. The most applicable harmonised standard is ETSI EN 303 645 (IoT device cybersecurity), which covers the key requirements for connected agricultural sensors and monitors including default credential elimination, update mechanisms, and vulnerability disclosure. The technical file for PLF products must include: product security architecture documentation; SBOM for device firmware and cloud platform; evidence of security testing including at minimum a structured vulnerability assessment; CVD policy documentation; update and support period policy; and the declaration of conformity. For vendors selling products across multiple EU member states, the technical file may need to be available in multiple languages on request from market surveillance authorities. Agricultural market surveillance authorities are likely to focus on CRA compliance as part of their broader oversight of precision farming technology markets.