Network Equipment Under the CRA
Routers, switches, and firewalls face some of the strictest CRA requirements. Network equipment is the backbone of connectivity – a vulnerability here affects every device behind it.
Classification
| Equipment | CRA Class | Standard |
|---|---|---|
| Consumer routers/modems | Important Class I | EN 304 627 |
| Physical/virtual network interfaces | Important Class I | EN 304 625 |
| Firewalls, IDS/IPS | Important Class II | EN 304 636 |
| Telecom network functions | Critical | EN 304 642 |
Key Requirements for EN 304 627 (Routers/Switches)
Authentication and Access Control
- No default credentials – unique per-device or user-set on first boot
- Strong password requirements – minimum complexity enforcement
- Encrypted management interfaces – HTTPS/SSH only, no telnet/HTTP
- Failed login protection – account lockout or progressive delays
Firmware Security
- Signed firmware updates (cryptographic verification)
- Secure boot chain (prevent unauthorized firmware)
- Rollback protection (prevent downgrade attacks)
- Automated update notification (inform users of available patches)
- OTA update capability (remote patching without physical access)
Network Security
- Default firewall rules – deny inbound by default
- No unnecessary services – UPnP, WPS disabled by default
- DNS-over-HTTPS/TLS – encrypted DNS as default
- Network segmentation – VLAN/guest network support
Data Protection
- Encrypted storage – credentials, certificates, and configuration
- Factory reset – complete data wipe capability
- Minimal data collection – collect only what's needed for operation
For Firewall/IDS Manufacturers (Class II)
EN 304 636 adds requirements:
- Detection efficacy testing – documented detection rates for known attacks
- Rule update mechanism – secure, signed, and verified
- Logging integrity – tamper-evident security logs
- High availability – security device failure must not create security gaps
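One way to approach the "Logging integrity" item above, shown as an added example that is not taken from EN 304 636 or from the original page: an HMAC-chained log whose head tag is exported off-device, so edits, deletions and truncation are all detectable. The function names, record layout, key and sample events are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # anchor used as "previous tag" for the first record


def _mac(key, prev, seq, event):
    # The tag covers the previous tag, the sequence number and the event,
    # so editing, reordering or deleting a record invalidates what follows.
    body = json.dumps({"seq": seq, "event": event}, sort_keys=True).encode()
    return hmac.new(key, prev + body, hashlib.sha256).digest()


def append_event(log, key, event):
    """Append an event and return the new head tag (export it off-device)."""
    prev = bytes.fromhex(log[-1]["tag"]) if log else GENESIS
    tag = _mac(key, prev, len(log), event)
    log.append({"seq": len(log), "event": event, "tag": tag.hex()})
    return tag


def verify_log(log, key, expected_head):
    """Return None if intact, else the index of the first bad record.

    A result equal to len(log) means the chain is consistent but does not
    end at expected_head: records were cut from the end or re-chained.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        tag = _mac(key, prev, i, rec.get("event"))
        stored = str(rec.get("tag")).encode()
        if rec.get("seq") != i or not hmac.compare_digest(tag.hex().encode(), stored):
            return i
        prev = tag
    return None if hmac.compare_digest(prev, expected_head) else len(log)


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-use"  # constructed sample key
    log, head = [], GENESIS
    for ev in ({"src": "198.51.100.7", "rule": "deny-inbound"},  # constructed
               {"user": "admin", "action": "login-failed"},
               {"user": "admin", "action": "rule-update"}):
        head = append_event(log, key, ev)
    print(verify_log(log, key, head))        # intact log
    log[1]["event"]["action"] = "login-ok"   # simulate an edited record
    print(verify_log(log, key, head))        # index of the edited record
```

The head tag only protects history if it is stored somewhere the device cannot rewrite, such as a remote collector; a chain checked only against itself cannot reveal truncation.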
The Telecom Challenge (Critical Products)
Network functions for telecom (EN 304 642) face the highest bar:
- Mandatory EU-type examination (third-party certification)
- Continuous monitoring and assessment
- Coordinated with existing telecom regulations (EECC)
Practical Checklist
For router/switch manufacturers:
- Eliminate all default passwords
- Implement signed firmware updates
- Enable HTTPS-only management interface
- Generate SBOM for all firmware components
- Disable unnecessary services by default
- Document security update support period (min 5 years)
- Establish vulnerability disclosure process
- Prepare technical documentation for conformity assessment
