
EU Cyber Resilience Act Guide for Video Surveillance & CCTV Vendors

Important Class I for networked IP cameras and video management systems

Video surveillance and CCTV vendors placing IP cameras, network video recorders, video management systems, and cloud-based surveillance platforms on the EU market must comply with the EU Cyber Resilience Act by September 2026. IP cameras have been among the most heavily exploited connected devices globally — Mirai and its variants specifically targeted IP cameras with default credentials — making CRA compliance both a regulatory obligation and a fundamental product security baseline for this sector.

CRA provisions covered: Article 13, Article 14, Annex I, Annex III, Article 10, Article 6
Deadline: September 2026
Classification: Important Class I for networked IP cameras and video management systems

CRA Scope and Classification for Surveillance Products

IP cameras, network video recorders (NVRs), digital video recorders (DVRs), video management software (VMS), cloud-based video surveillance platforms, and AI-based video analytics appliances are all products with digital elements within CRA scope. Networked surveillance products processing video data and connected to IP networks are categorised as Important Class I under Annex III.

The classification reflects the documented exploitation history of IP cameras and the privacy implications of compromised surveillance systems. An attacker gaining access to a building's IP camera infrastructure can surveil occupants, gain intelligence for physical security bypass, or use compromised cameras as botnet nodes. Vendors must assess each product line: a standalone analog PTZ camera with no network interface is outside scope; a WiFi-connected IP camera with cloud recording is firmly within scope and Class I.

CRA reference: Article 6, Annex III

Technical Security Requirements for Surveillance Products

IP camera and NVR vendors have historically faced severe criticism for default credentials, unencrypted video streams, and absent update mechanisms. CRA Annex I Part I directly mandates remediation of these systemic weaknesses:

  • No default credentials: Each camera or NVR must ship with a unique device-specific credential or must require credential configuration at first setup. Shared default passwords are prohibited and have been responsible for mass exploitation events.
  • Encrypted video streams: Video data transmitted over IP networks must be encrypted. Unencrypted RTSP streams are a privacy violation and a CRA non-conformity.
  • Authenticated firmware updates: Camera firmware updates must be cryptographically authenticated. Firmware accepted without signature verification is a well-established exploit path used by threat actors to install persistent malware on IP cameras.
  • ONVIF security profile compliance: Cameras supporting ONVIF should conform to the ONVIF Security Profile where relevant.
  • SBOM maintenance: Camera firmware typically contains extensive open-source components including embedded Linux distributions, media processing libraries, and network stacks. Complete SBOM documentation is required.
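The "no default credentials" requirement above is usually met by refusing every login until a unique administrator credential is set at first boot. The following is an added example of that first-setup flow (not code from the guide or from any vendor); the password policy, the list of rejected shared defaults and the scrypt parameters are assumptions:

```python
import hashlib
import secrets

# Added example: first-boot credential provisioning for a camera or NVR.
# The device ships with no usable account; first_setup() must succeed before
# authenticate() can ever return True. Policy values below are assumptions.
MIN_LEN = 12
SHARED_DEFAULTS = {"admin", "12345", "123456", "password", "admin123", "root"}


class DeviceCredentialStore:
    def __init__(self):
        self._users = {}            # username -> (salt, scrypt hash)
        self.provisioned = False    # stays False until first_setup() completes

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # scrypt from the standard library; only salt + hash are ever stored.
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

    def first_setup(self, username: str, password: str) -> bool:
        """Create the single admin account; rejects shared/default-style passwords."""
        if self.provisioned:
            return False                       # one-shot: cannot be re-run remotely
        if len(password) < MIN_LEN or password.lower() in SHARED_DEFAULTS:
            return False
        if username.lower() in password.lower():
            return False                       # e.g. 'admin' inside 'admin_password1'
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))
        self.provisioned = True
        return True

    def authenticate(self, username: str, password: str) -> bool:
        """Constant-time comparison; every login fails until provisioning is done."""
        if not self.provisioned or username not in self._users:
            return False
        salt, stored = self._users[username]
        return secrets.compare_digest(stored, self._hash(password, salt))
```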

CRA reference: Annex I

CVD Policy and Article 13 for Surveillance Vendors

Video surveillance vendors have historically been slow to establish CVD programmes, with many vulnerability disclosures going unacknowledged or met with legal threats rather than coordinated remediation. Article 13 makes a formal, publicly accessible CVD policy a legal requirement for all products with digital elements. A surveillance vendor's CVD policy must:

  • Be publicly accessible via a security.txt file and a dedicated disclosure page
  • Cover all IP-enabled surveillance products
  • Provide a secure submission channel accessible to security researchers and facility security operators who may identify anomalous camera behaviour
  • Commit to acknowledgement within 5 business days and to security update delivery
  • Include a process for notifying end-users and system integrators who may have deployed vulnerable products
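The first item in the list points researchers at a security.txt file. Below is an added example (not from the guide) of a small checker a vendor can run in CI against its own security.txt: it enforces the two fields RFC 9116 requires (Contact, Expires) and the Policy link to the disclosure page; the sample file, its hostnames and the one-year expiry heuristic are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample security.txt (hostnames are placeholders).
SAMPLE = """\
Contact: mailto:security@example-cameras.invalid
Contact: https://example-cameras.invalid/security/report
Expires: 2027-01-01T00:00:00.000Z
Policy: https://example-cameras.invalid/security/cvd-policy
Preferred-Languages: en, de
"""


def parse_security_txt(text: str) -> dict:
    """Return field -> list of values; comments and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now: Optional[datetime] = None) -> list:
    """Return a list of findings; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    f = parse_security_txt(text)
    findings = []
    contacts = f.get("Contact", [])
    if not contacts:
        findings.append("missing Contact (required)")
    elif not any(c.startswith(("https://", "mailto:", "tel:")) for c in contacts):
        findings.append("Contact must be an https://, mailto: or tel: URI")
    expires = f.get("Expires", [])
    if len(expires) != 1:
        findings.append("exactly one Expires field is required")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            exp = exp if exp.tzinfo else exp.replace(tzinfo=timezone.utc)
            if exp <= now:
                findings.append("Expires is in the past")
            elif exp > now + timedelta(days=365):
                findings.append("Expires more than a year out (RFC 9116 advises less)")
        except ValueError:
            findings.append("Expires is not an ISO 8601 timestamp")
    if "Policy" not in f:
        findings.append("no Policy link to the CVD policy page")
    return findings
```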

Given the scale of deployed IP camera installations, vendors should invest in automated update delivery mechanisms that can push security patches to installed camera populations without requiring manual intervention by end-users. The CVD policy advisory process must include direct operator notification, not only passive advisory publication.

CRA reference: Article 13(1), Article 13(6)

Article 14 Incident Reporting for Surveillance Products

IP cameras are among the most commonly exploited IoT devices globally. Article 14 requires manufacturers to notify ENISA within 24 hours of confirming active exploitation of a product vulnerability. For surveillance vendors, exploitation events often occur at massive scale due to the large installed base of devices and the historical prevalence of default credentials. Situations that start the reporting clock include:

  • Mass scanning and exploitation of a product vulnerability is confirmed (e.g., via threat intelligence feeds)
  • A researcher or national CERT provides evidence of active exploitation in customer installations
  • Unusual firmware replacement activity indicating malware installation is detected via product telemetry

Vendors should implement telemetry collection (where legally permissible under GDPR) that can detect exploitation signals across the installed base. The 72-hour ENISA detailed report must include the affected product versions, the exploitation method, and the status of patch availability. For large installed bases, the 30-day final report should address the deployment rate of the remediation patch.
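As an added example of the telemetry analysis described above (not code from the guide or from any vendor), the following scans constructed fleet telemetry for two of the signals named in this section: a device reporting a firmware image the vendor never signed, and a credential brute-force burst against a device. The allowlist of signed image hashes, the thresholds and the escalation rule are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allowlist of firmware image hashes the vendor actually signed
# (placeholder values, not real hashes).
SIGNED_FIRMWARE = {"sha256:PLACEHOLDER-signed-2.4.1", "sha256:PLACEHOLDER-signed-2.4.2"}
AUTH_FAIL_THRESHOLD = 20          # failed logins per device inside WINDOW
WINDOW = timedelta(minutes=10)
FLEET_THRESHOLD = 3               # distinct devices with a signal before escalating

# Constructed telemetry: (timestamp, device_id, event, detail)
TELEMETRY = [
    ("2026-09-10T08:00:00", "cam-0001", "firmware_report", "sha256:PLACEHOLDER-signed-2.4.1"),
    ("2026-09-10T08:00:05", "cam-0002", "firmware_report", "sha256:PLACEHOLDER-unknown"),
    ("2026-09-10T08:00:07", "cam-0003", "firmware_report", "sha256:PLACEHOLDER-unknown"),
] + [("2026-09-10T08:00:%02d" % i, "cam-0004", "auth_fail", "admin") for i in range(25)]


def analyse(events):
    """Return ({device_id: [signals]}, escalate) for a list of telemetry tuples."""
    signals = defaultdict(list)
    fails = defaultdict(list)
    for ts, dev, event, detail in events:
        t = datetime.fromisoformat(ts)
        if event == "firmware_report" and detail not in SIGNED_FIRMWARE:
            # Firmware replaced by an image outside the signed-release set.
            signals[dev].append("unsigned firmware image")
        elif event == "auth_fail":
            fails[dev].append(t)
            # Sliding window ending at this event.
            recent = [x for x in fails[dev] if t - x <= WINDOW]
            if len(recent) >= AUTH_FAIL_THRESHOLD and "credential brute-force" not in signals[dev]:
                signals[dev].append("credential brute-force")
    # Enough distinct devices showing a signal is the point at which a vendor
    # should treat the event as active exploitation and start the Article 14 clock.
    escalate = len(signals) >= FLEET_THRESHOLD
    return dict(signals), escalate
```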

CRA reference: Article 14(1), Article 14(2)

Conformity Assessment and GDPR Privacy Obligations

Class I video surveillance products require third-party CRA conformity assessment. For vendors of cameras with AI-based analytics (facial recognition, behaviour analysis), CRA conformity assessment is additive to the GDPR privacy obligations and, where applicable, the EU AI Act obligations for high-risk AI systems. The assessment examines, among other things:

  1. Authentication and credential management mechanisms
  2. Encrypted communication for video streams and management traffic
  3. Firmware update authentication and delivery mechanism
  4. SBOM for embedded firmware components
  5. CVD policy operational status and advisory publication history

Vendors should be aware that market surveillance authorities are expected to focus particularly on the surveillance sector given its documented exploitation history. Products that cannot demonstrate remediation of default credential and unencrypted stream issues by September 2026 will face market withdrawal risk. Plan conformity assessment with sufficient lead time — Class I assessment processes typically require 3–6 months.

CRA reference: Article 24, Annex VIII

CVD Portal handles your CRA Article 13 obligations automatically.

Public CVD submission portal, 48-hour acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for Video Surveillance & CCTV Vendors.


Frequently asked questions

Do cloud-based surveillance-as-a-service platforms require CRA compliance?

Cloud-based video surveillance platforms that include both hardware cameras and a cloud management service are within CRA scope for the camera hardware components. The cloud platform portion may fall under NIS2 digital service provider obligations rather than CRA product obligations. Vendors offering camera-plus-cloud packages must ensure CRA compliance for the physical cameras and their firmware, and must secure the cloud management integration in line with the Annex I requirements. Pure cloud platforms without associated hardware products are primarily NIS2-governed.

Are AI-based video analytics cameras (face recognition, behaviour analysis) subject to additional regulations beyond the CRA?

Yes. AI-based video analytics systems that process biometric data (facial recognition) or conduct behavioural surveillance are subject to the EU AI Act as high-risk AI systems and in some cases are subject to restrictions or prohibitions under the AI Act. GDPR applies to the processing of biometric data. CRA applies to the cybersecurity of the digital elements in the camera and analytics system. Vendors must satisfy all three regulatory frameworks. The AI Act's requirements for high-risk AI systems include conformity assessment, technical documentation, and transparency obligations that overlap with but are separate from CRA requirements.

How do we notify thousands of system integrators and end-users when a camera vulnerability is discovered?

Large-scale customer notification for IP camera vulnerabilities is an operational challenge that vendors should address in their CVD policy before a vulnerability occurs. Mechanisms include: email notification to registered system integrators and product owners, push notifications via the companion app or cloud management platform, and publication of advisories in CSAF 2.0 format that can be automatically processed by integrator vulnerability management tools. Where cameras support remote update, an automatic security update push to all affected devices is the most effective remediation delivery mechanism. Vendors who cannot reach their end-user population with security updates have a fundamental CRA compliance problem that requires business process investment to resolve.

Need a CVD policy template for Video Surveillance & CCTV Vendors?

Download a free CRA-compliant vulnerability disclosure policy and deploy it in minutes.
