
EU Cyber Resilience Act Guide for Telecom Equipment Vendors

Important Class I for CPE and access products; Critical Class II for core network and infrastructure equipment

Telecom equipment vendors manufacturing base station hardware, optical transport systems, CPE devices, SIM-based modules, and network management systems for the EU market face Important Class I or Critical Class II classification under the CRA. Telecommunications infrastructure is explicitly recognised as critical infrastructure under EU law, elevating the compliance burden for vendors whose products underpin mobile and fixed network operations across the bloc.

CRA references: Article 3, Article 11, Article 13, Article 14, Annex I, Annex III
Deadline: September 2026
Classification: Important Class I for CPE and access products; Critical Class II for core network and infrastructure equipment

CRA Scope and Classification for Telecom Equipment

Telecom equipment within CRA scope includes customer premises equipment (CPE — routers, modems, ONTs), base station hardware (eNB, gNB), optical transport nodes, network management systems (NMS), SIM-based IoT modules, small cells, and enterprise telephony systems. Annex III identifies network infrastructure equipment as Important Class I by default.

Core network equipment — serving gateways, packet core components, IMS infrastructure — may be assessed as Critical Class II depending on the vendor's assessment of the product's role in telecommunications critical infrastructure. Vendors operating in the EU 5G security framework (EECC Article 40, NIS2) will already have cybersecurity obligations for their products; the CRA adds product-level conformity requirements on top of the operator-focused NIS2 framework. CPE products sold to consumers (home routers, broadband modems) are subject to separate classification but are also within CRA scope.

CRA reference: Article 6, Annex III

Technical Security Requirements for Telecom Products

Telecom equipment vendors face Annex I requirements that must be met across hardware generations and deployment scales:

  • Authenticated management interfaces: All EMS/NMS management interfaces (NETCONF, RESTCONF, TR-069/TR-369) must require strong authentication. Default credentials in CPE devices are prohibited.
  • Secure software update mechanisms: Base station and CPE firmware updates must be cryptographically signed and verified. Remote update procedures must protect against downgrade attacks.
  • Network function isolation: Virtualised network functions (VNFs) and containerised network functions (CNFs) must be isolated from each other and from the underlying infrastructure.
  • Supply chain security: Given the sensitivity of telecom supply chains, vendors must maintain SBOMs and demonstrate that components from suppliers are free from known vulnerabilities.
  • Audit logging: All management operations, configuration changes, and software updates must be logged with operator attribution and timestamps.

CRA reference: Annex I

CVD Policy and Article 13 for Telecom Vendors

Telecom equipment vendors typically already operate security response programmes, but the quality and public accessibility of these programmes vary significantly. GSMA's Coordinated Vulnerability Disclosure programme provides an industry framework that aligns substantially with CRA Article 13 requirements. To meet Article 13, the vendor's CVD policy should be:

  • Publicly accessible without registration or NDA
  • Explicitly scoped to cover all CRA-applicable products
  • Supported by a security.txt file at the corporate domain
  • Aligned with GSMA CVD guidelines where the vendor participates in GSMA programmes

Telecom vendors should note that the GSMA CVD programme, while valuable, may not cover all products within the vendor's CRA scope. Ensure that CPE products, IoT modules, and enterprise telephony products are explicitly included in the CVD policy scope, not only mobile network infrastructure.

CRA reference: Article 13(1), Article 13(6)

Article 14 Incident Reporting for Telecom Infrastructure

Article 14 incident reporting for telecom equipment vendors intersects with multiple existing reporting frameworks. Telecom operators subject to NIS2 and EECC Article 40 are required to report network security incidents to national regulatory authorities. Telecom equipment vendors under CRA Article 14 must report actively exploited product vulnerabilities to ENISA. Reportable situations for telecom equipment include:

  • Exploitation of a CPE vulnerability used to compromise end-user networks at scale
  • Active exploitation of base station management interface vulnerabilities
  • Supply chain compromises affecting firmware integrity

Vendors should establish a joint protocol with their major telecom operator customers to ensure that Article 14 CRA notifications and EECC/NIS2 operator notifications are coordinated and consistent. Contradictory or incomplete notifications across different regulatory frameworks create additional legal and reputational risk.

CRA reference: Article 14(1), Article 14(2)

Conformity Assessment and 5G Security Framework

Class I telecom products require third-party conformity assessment. Class II core network products require the most rigorous assessment procedure under Annex VIII. Vendors should note that the EU 5G toolbox and ENISA 5G security guidelines create an additional security assessment framework for 5G network equipment that operates in parallel with CRA conformity assessment.

  • ENISA's 5G security certification scheme (under ENISA's EU cybersecurity certification framework) may eventually create a pathway to CRA conformity presumption for 5G products
  • Until harmonised standards or certification schemes are in place, vendors must conduct formal CRA conformity assessment independent of any 5G security evaluations
  • Evidence from 3GPP security specifications compliance testing may support but does not substitute for CRA Annex I conformity assessment

Begin notified body engagement by Q4 2025 for complex Class II core network products, which require the longest assessment timelines.

CRA reference: Article 24, Annex VIII


Frequently asked questions

Are CPE devices (home routers and modems) subject to the CRA separately from the Radio Equipment Directive?

Yes. CPE devices with radio interfaces are already subject to the Radio Equipment Directive (RED), including the cybersecurity delegated act requirements applicable from August 2025. The CRA applies in addition to RED and introduces further requirements: a formal CVD policy (Article 13), ENISA incident reporting for actively exploited vulnerabilities (Article 14), an SBOM, and a declared supported lifetime. RED and CRA compliance share common technical ground under Annex I, so vendors should harmonise their compliance programmes. RED CE marking does not satisfy CRA requirements; a separate CRA conformity assessment is required.

How do we handle security vulnerabilities in third-party chipsets embedded in our equipment?

Third-party chipset vulnerabilities that affect your product are your responsibility under the CRA. You must maintain the SBOM for your product — including chipset firmware and microcode — and monitor for vulnerabilities in those components. When a chipset vulnerability is disclosed, you must assess its impact on your product, obtain updated firmware from the chipset supplier, and issue a security update to your customers. This requires supply chain security contracts that compel chipset suppliers to provide timely security notifications and patch delivery throughout your product's supported lifetime.

Does virtualised (NFV/SDN) network equipment require separate conformity assessment from hardware appliances?

Virtual network functions (VNFs) and software-defined networking platforms distributed as software products are products with digital elements within CRA scope when they are placed on the EU market as commercial products. They require conformity assessment independently from the underlying hardware on which they run. The classification of a VNF depends on its function — a virtual firewall or virtual security gateway managing network security is likely Class I. Vendors distributing both hardware appliances and software editions of the same product must ensure both are compliant, potentially requiring separate technical files and conformity assessments.
