EU Cyber Resilience Act Guide for Private 5G & Industrial Wireless Vendors

Private 5G gNBs (base stations), 5G core network components (AMF, SMF, UPF), network management systems (NMS), and industrial wireless access points — when placed on the EU market as standalone commercial products — are products with digital elements subject to the CRA. The Radio Equipment Directive (RED) Delegated Act (EU 2022/30) imposes cybersecurity requirements on internet-connected radio equipment, including privacy, fraud protection, and network harm prevention requirements. From August 2025, RED delegated act compliance is mandatory for affected radio equipment, and the CRA adds further security requirements from September 2026. Vendors must map their obligations under both frameworks: RED covers radio-specific consumer equipment; the CRA covers all products with digital elements including enterprise and industrial network infrastructure. Products subject to both must comply with both.

Private 5G network infrastructure is itself security-critical — it provides the connectivity layer for industrial IoT, robotics, automated guided vehicles, and operational technology systems in factories and logistics facilities. Annex I requirements for 5G vendors include: implementing authenticated and encrypted management plane communications for all gNB and core network management interfaces; eliminating default administrative credentials and requiring strong credential setup on initial deployment; providing cryptographically signed firmware updates with rollback protection; supporting network slicing isolation controls where applicable; maintaining audit logs of all configuration changes and management access events; and implementing network-level security controls protecting attached devices from attacks routed through the private 5G network. The SBOM must cover all software components in the gNB and core network, including open-source 5G stack components (e.g. OpenAirInterface, free5GC) that are increasingly used in private 5G implementations.

Article 13 mandates a published CVD policy. Telecommunications infrastructure vendors face active security research communities — 5G protocol vulnerabilities are regularly published at academic and industry security conferences. The CVD policy must: establish a dedicated security reporting channel separate from general customer support; define researcher acknowledgment timelines and disclosure handling procedures; address coordination with national CSIRTs for telecommunications infrastructure vulnerabilities, given the critical infrastructure implications; and specify how security updates and advisories are communicated to operators of deployed private 5G networks. For vendors with both enterprise and carrier-grade 5G product lines, the CVD policy should address differences in disclosure handling between consumer-facing and operator-grade products. GSMA's Coordinated Vulnerability Disclosure guidelines provide a useful framework complement to the CRA requirements.

Article 14 requires notification to the relevant national CSIRT within 24 hours of confirmed active exploitation. For private 5G vendors, exploitation of a gNB or core network vulnerability could compromise the connectivity of an entire industrial facility — affecting manufacturing operations, autonomous vehicle guidance, or industrial control system communications depending on what runs over the private 5G network. The downstream consequences of a private 5G network compromise depend entirely on the applications it supports, and vendors must communicate this amplification risk to customers in security advisories. Vendors with products deployed in critical infrastructure sectors — energy, water, healthcare — should maintain pre-established contact channels with the relevant sector CSIRTs in addition to the general national CSIRT notification process.

Private 5G equipment subject to both RED delegated act and CRA conformity requirements should coordinate assessments to leverage shared technical documentation. For radio equipment, RED conformity may use harmonised standards that overlap with CRA Annex I requirements. The CRA technical file must additionally cover: SBOM; CVD policy; Article 14 notification procedures; and post-market vulnerability monitoring specific to CRA obligations. Core network software components (AMF, SMF, UPF) that are sold as software-only products are not covered by RED but remain fully in scope under CRA. Class II products require notified body assessment; Class I products may self-declare. Vendors should verify their CRA classification before the RED delegated act compliance deadline of August 2025, as the two compliance deadlines are in close sequence.