
EU Cyber Resilience Act Guide for Smart Meter & AMI Manufacturers

Classification: Important Class I — smart metering infrastructure is energy critical infrastructure by design

Smart meter and Advanced Metering Infrastructure (AMI) manufacturers placing electricity, gas, and water metering products on the EU market face Important Class I classification under the CRA. Smart meters are deployed at scale across EU households — over 225 million units projected by 2027 — making systematic vulnerabilities in metering hardware or the AMI communication network a critical infrastructure concern that regulators will scrutinise closely.

CRA provisions referenced: Article 13, Article 14, Annex I, Annex III, Article 11, Article 10
Deadline: September 2026

CRA Scope and Classification for Smart Metering Products

Smart meters (electricity, gas, water), data concentrators, AMI head-end systems, meter data management systems (MDMS), and in-home display units with network interfaces are products with digital elements within CRA scope. The energy-critical infrastructure context of smart metering places these products firmly in Important Class I.

The scale of smart meter deployment — each unit communicating metering data and receiving remote commands from the DSO — makes the CRA's security requirements particularly consequential. A vulnerability affecting a widely deployed smart meter model could potentially be exploited at scale across millions of installations. Manufacturers must assess each product generation independently: the communication module (RF mesh, PLC, cellular), the meter head firmware, the data concentrator, and any associated AMI software are all products with digital elements requiring compliance.

CRA reference: Article 6, Annex III

Technical Security Requirements for Metering Products

Smart meter security has been subject to industry standards for years — DLMS/COSEM, PRIME, G3-PLC, and various national metering security specifications. CRA Annex I formalises and extends these requirements:

  • Authenticated metering data: All metering data transmitted to DSO head-end systems must be authenticated and integrity-protected. DLMS/COSEM security suites provide the mechanism; their use must be mandatory, not optional.
  • Encrypted command channels: Remote disconnect, tariff management, and firmware update commands must be encrypted and authenticated. Unauthenticated disconnect commands in metering protocols are a known attack vector.
  • Firmware update authentication: Over-the-air firmware updates via RF mesh or PLC must be cryptographically signed. Broadcast firmware updates are prohibited.
  • Key management: Long-lived symmetric keys shared across meter populations represent a systemic risk. Manufacturers should support unique per-device keys or PKI-based asymmetric authentication.
  • Tamper detection: Physical tamper events must be logged and reported to the DSO management system.
CRA reference: Annex I
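As an added illustration of the authenticated-command and per-device-key points above (this is not code from the page, not DLMS/COSEM, and not any vendor's implementation), the following Python sketch shows a meter-side verifier that rejects unauthenticated, tampered and replayed command frames, and shows that a key derived for one meter does not authenticate commands to another. The key derivation, frame layout, device ids and master secret are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed master secret for the example; a real deployment keeps this in an HSM.
MASTER_KEY = b"example-master-key-not-for-production"
MAC_LEN = 32
ID_LEN = 16  # device id field, zero-padded (assumed frame layout)

def device_key(master: bytes, device_id: str) -> bytes:
    """Derive a unique per-device key: a key leaked from one meter signs for no other."""
    return hmac.new(master, b"meter-cmd-key|" + device_id.encode(), hashlib.sha256).digest()

def build_command(key: bytes, device_id: str, counter: int, command: bytes) -> bytes:
    """Head-end side: frame = device id | 4-byte invocation counter | command | HMAC-SHA256."""
    dev = device_id.encode()
    assert len(dev) <= ID_LEN, "device id too long for the assumed frame layout"
    body = dev.ljust(ID_LEN, b"\0") + struct.pack(">I", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()

class MeterCommandReceiver:
    """Meter side: accept a frame only if its MAC verifies under this meter's key,
    it is addressed to this meter, and its counter is strictly increasing (no replay)."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self.key = key
        self.last_counter = -1  # highest invocation counter accepted so far

    def accept(self, frame: bytes) -> tuple:
        """Return (accepted, reason_or_command)."""
        if len(frame) < ID_LEN + 4 + MAC_LEN:
            return False, "malformed"
        body, mac = frame[:-MAC_LEN], frame[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):   # unauthenticated or tampered
            return False, "bad mac"
        if body[:ID_LEN].rstrip(b"\0").decode() != self.device_id:
            return False, "wrong device"
        counter = struct.unpack(">I", body[ID_LEN:ID_LEN + 4])[0]
        if counter <= self.last_counter:              # replayed frame
            return False, "replay"
        self.last_counter = counter
        return True, body[ID_LEN + 4:].decode()
```

A population-wide shared key would make `device_key` return the same value for every meter, so a single compromised meter key would verify commands for all of them; the per-device derivation is what contains that systemic risk.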

CVD Policy and Article 13 in the Metering Sector

Smart meter manufacturers typically supply products to distribution system operators (DSOs) under tightly specified procurement contracts. This B2B-only distribution model does not exempt manufacturers from Article 13's CVD policy requirement — the policy must be publicly accessible regardless of the customer base. The policy must:

  • Cover all products including meter heads, communication modules, data concentrators, and head-end software
  • Be accessible to energy sector security researchers and national CERTs who monitor metering infrastructure
  • Define a response process that coordinates with DSO customers, who are the operators of the metering systems and have independent NIS2 obligations for their infrastructure security
  • Commit to security advisory publication in CSAF 2.0 format, enabling automated processing by DSO vulnerability management systems

Given the scale of deployment, meter manufacturers should establish direct notification relationships with major DSO customers to ensure that patches reach the field before public disclosure where possible.

CRA reference: Article 13(1), Article 13(6)

Article 14 Incident Reporting for Metering Vulnerabilities

An actively exploited smart meter vulnerability affecting millions of units simultaneously constitutes a potential critical infrastructure incident. Article 14's 24-hour ENISA notification requirement must be integrated into a multi-track incident response process:

  1. ENISA (CRA Article 14 — 24 hours)
  2. National energy regulatory authority (NIS2 critical infrastructure — 24 hours for significant incidents)
  3. DSO customers — immediate direct notification, as DSOs may need to implement emergency operational procedures
  4. National CSIRT — particularly where mass exploitation across the metering estate is possible

Manufacturers should pre-agree incident response coordination protocols with their major DSO customers so that Article 14 notifications and operational responses are synchronised. The 72-hour detailed ENISA report must describe the affected product versions, exploitation method, and available mitigations including any emergency firmware update availability.

CRA reference: Article 14(1), Article 14(2)

Conformity Assessment and Metering Standards Alignment

Smart meter manufacturers face a complex standards landscape: OIML (measurement accuracy), IEC 62056 (DLMS/COSEM), EN 62052/62053 (metering standards), and national metering standards coexist with the CRA's cybersecurity conformity requirements. The CRA conformity assessment is additive to measurement accuracy certification — both are required for market placement. The assessment covers three elements:

  1. The metering product's digital elements (communication module, firmware) must be assessed against Annex I Part I requirements
  2. The vulnerability management process (Annex I Part II) must demonstrate SBOM maintenance, patch delivery capability, and CVD policy operation
  3. The technical file must document the security architecture, including the key management approach and communication protocol security configuration

Manufacturers supplying into multiple EU member states must be aware that some national smart metering specifications include cybersecurity requirements that may be more stringent than the CRA minimum. Where national requirements exceed CRA requirements, both must be satisfied. Begin notified body engagement by Q1 2026 to allow adequate time for assessment before the September 2026 deadline.

CRA reference: Article 24, Annex VIII

CVD Portal handles your CRA Article 13 obligations automatically.

Public CVD submission portal, 48-hour acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for Smart Meter & AMI Manufacturers.


Frequently asked

Are smart gas and water meters subject to the CRA, or only electricity meters?

All smart meters with network interfaces and digital processing capabilities are products with digital elements within CRA scope — including gas, water, and heat meters. The classification as Important Class I reflects the critical infrastructure context of utility metering, regardless of the specific utility type. Gas and water metering manufacturers should note that the metering accuracy certification requirements (under MID — Measuring Instruments Directive) apply separately and concurrently with CRA requirements. Both sets of conformity requirements must be satisfied before CE marking.

Who bears CRA responsibility when a DSO specifies the meter design and the manufacturer builds to spec?

The entity placing the product on the EU market bears primary CRA responsibility as the manufacturer. If the manufacturer places the smart meter on the market under their own brand name — even when built to DSO specifications — the manufacturer is responsible for CRA conformity. If the DSO takes on the product and places it on market themselves, the CRA manufacturer obligations may transfer. In practice, most DSO procurement contracts specify that the meter supplier is responsible for regulatory compliance. Manufacturers should review their contracts and ensure that CRA compliance is explicitly allocated and that the DSO's security specifications are aligned with CRA Annex I requirements.

How do we manage the long deployment lifecycle of smart meters under the CRA?

Smart meters have operational lifetimes of 10–20 years, far exceeding typical consumer electronics. The CRA requires manufacturers to provide security updates throughout the declared supported lifetime. For metering manufacturers, this means: declaring a realistic supported lifetime aligned with DSO contract terms (typically 15–20 years for utility infrastructure), establishing a security update delivery infrastructure that can operate for that full period, maintaining vulnerability monitoring capabilities for legacy meter generations, and planning the economic model for long-term support before products are placed on market. The cost of CRA-compliant lifecycle support must be factored into metering product pricing and DSO contract terms.

Need a CVD policy template for Smart Meter & AMI Manufacturers?

Download a free CRA-compliant vulnerability disclosure policy and deploy it in minutes.
