Are Smart Cameras Important Products Under the CRA?
Smart security cameras are classified as Important Products (Class I) under CRA Annex III. What this means for manufacturers, importers and distributors.
While a connected toaster can follow the basic CRA compliance path, smart security cameras don't get that luxury. The EU has explicitly placed them in Annex III as Important Products, Class I, a step above most consumer IoT, with stricter conformity requirements that change the game for anyone manufacturing, importing, or distributing these devices.
A common misconception floating around is that cameras are "Critical Products." They're not. But Important Class I is already a significant step up.
Summary
- Smart security cameras are Important Products, Class I under CRA Annex III, Item 17. Not "Critical Products"
- Class I allows self-assessment only if harmonised standards are fully applied; otherwise, third-party audit is required
- Default passwords are banned. Unique credentials or secure authentication must be enforced at first use
- Manufacturers must handle vulnerabilities and ship security updates for at least 5 years
- An SBOM (Software Bill of Materials) is mandatory
- Importers are personally liable for verifying manufacturer compliance before EU market placement
- All obligations apply from 11 December 2027
Sources: ENISA Threat Landscape 2020 and 2025; Regulation (EU) 2024/2847, Articles 13 and 71.
What the CRA Actually Says About Cameras
There's a lot of confusion about CRA product categories, so let's be precise. The regulation creates three tiers:
The Exact Legal Text
Annex III, Class I, Item 17 of Regulation (EU) 2024/2847:
"Smart home products with security functionalities, including smart door locks, security cameras, baby monitoring systems and alarm systems"
The Commission's Implementing Regulation (EU) 2025/2392 further clarifies the technical scope, using "camera systems", slightly broader than the parent regulation's "security cameras."
One important qualifier: the product must have "security functionalities" in a smart home context. A standalone webcam for video calls doesn't automatically land in Class I. A connected surveillance camera monitoring your home or business does.
Why the EU Singled Out Cameras
This wasn't an arbitrary decision. IP cameras have earned their reputation as the weakest link in network security, and the data backs it up:
- The Mirai botnet (2016 onwards) built armies of over 150,000 compromised cameras and DVRs to launch massive DDoS attacks (ENISA Threat Landscape 2020: Botnet Report)
- DDoS attacks made up 77% of all reported cyber incidents in 2024–2025, many powered by hijacked IoT devices (ENISA Threat Landscape 2025)
- Mirai variants are still active and were found exploiting GeoVision cameras as recently as April 2025
- About 7.7 million new IoT devices come online every day; only 1 in 20 sits behind a firewall
The pattern is clear: cameras are always on, always connected, often poorly secured, and they sit on sensitive data (your video feeds). That's exactly the risk profile the CRA targets.
What Class I Means for Conformity Assessment
Under Article 32(2), Class I manufacturers get two paths, and which one you can take depends on something that's still in flux.
Path 1: Self-Assessment (Module A)
You can do internal self-assessment, but only if you apply harmonised standards covering all essential cybersecurity requirements. Partial coverage doesn't cut it. Miss one requirement, and you're on Path 2.
The catch: as of February 2026, the harmonised standards under the CRA are still being finalised by CEN/CENELEC. Until they're published in the Official Journal, most manufacturers won't be able to use this path.
Path 2: Third-Party Assessment
Without full harmonised standards coverage, you need either:
- Module B + C: EU-type examination by a notified body, then conformity to type
- Module H: full quality assurance system certified by a notified body
Both options cost more and take longer than self-assessment. And notified body capacity will tighten as we get closer to December 2027. Everyone will be rushing at the same time.
Essential Requirements for Smart Cameras
Every connected camera must meet the CRA's essential cybersecurity requirements (Annex I), regardless of which conformity path you take. The ones that hit camera manufacturers hardest:
1. No Default Passwords
Article 13 and Annex I, Part I require "secure by default" configuration. In plain terms:
- No more admin/admin or admin/password shipped on every unit
- Each device needs a unique password, or must force secure credential setup on first use
- Multi-factor authentication where technically feasible
This alone will force redesigns across a huge number of camera product lines.
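A pre-shipment check for the rule above, as an added example that is not from the regulation or from any vendor's tooling: it audits a factory provisioning batch for known default pairs, passwords reused across units, and units that ship with neither a credential nor forced first-use setup. The record layout, serial numbers and field names are hypothetical.

```python
from collections import Counter

# Shared defaults named in the article; extend with your own product history.
BANNED_PAIRS = {("admin", "admin"), ("admin", "password")}

# Constructed sample batch: hypothetical serials and fields, not a real format.
BATCH = [
    {"serial": "CAM-0001", "user": "admin", "password": "admin", "force_setup": False},
    {"serial": "CAM-0002", "user": "admin", "password": "k7#Qv9!xTz2m", "force_setup": False},
    {"serial": "CAM-0003", "user": "admin", "password": "Camera2027!", "force_setup": False},
    {"serial": "CAM-0004", "user": "admin", "password": "Camera2027!", "force_setup": False},
    {"serial": "CAM-0005", "user": "", "password": "", "force_setup": True},
    {"serial": "CAM-0006", "user": "", "password": "", "force_setup": False},
]

def audit_batch(batch):
    """Return {serial: [findings]} for units that ship in a weak default state."""
    # Count how many units carry each non-empty factory password.
    shared = Counter(u["password"] for u in batch if u["password"])
    findings = {}
    for unit in batch:
        issues = []
        pw = unit["password"]
        if (unit["user"].lower(), pw.lower()) in BANNED_PAIRS:
            issues.append("known default credential pair")
        if pw and shared[pw] > 1:
            issues.append(f"password shared by {shared[pw]} units")
        # A unit may ship without a password only if setup is forced at first use.
        if not pw and not unit["force_setup"]:
            issues.append("no credential and no forced first-use setup")
        if issues:
            findings[unit["serial"]] = issues
    return findings

if __name__ == "__main__":
    for serial, issues in audit_batch(BATCH).items():
        print(serial, "->", "; ".join(issues))
```
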
2. Vulnerability Handling (5-Year Minimum)
Annex I, Part II means manufacturers must:
- Set up a coordinated vulnerability disclosure (CVD) policy
- Give security researchers a clear way to report issues
- Patch vulnerabilities without delay for the full support period
- Support the product for at least 5 years from market placement
- Report actively exploited vulnerabilities within 24 hours, simultaneously to the CSIRT designated as coordinator and ENISA via the Single Reporting Platform (this kicks in 11 September 2026)
Five years of mandatory patching is a big shift for camera manufacturers used to "ship and forget."
3. Software Bill of Materials (SBOM)
Every software component in your camera firmware needs to be documented: the Linux kernel, RTSP streaming libraries, web interface framework, TLS stack, all of it. The SBOM must:
- Use a machine-readable format (CycloneDX or SPDX)
- Cover at minimum the top-level dependencies
- Be part of the technical documentation
- Stay updated throughout the support period
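One way to check the "top-level dependencies" point on a CycloneDX JSON SBOM, as an added example rather than an official CRA or CycloneDX tool: it confirms that the firmware's root component declares its direct dependencies and that each one is described with a version. The sample SBOM is constructed, its component names are hypothetical, and requiring a version on every entry is this example's assumption about what makes the SBOM usable for vulnerability handling.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical camera firmware image.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "fw", "type": "firmware",
                             "name": "example-cam-firmware", "version": "2.4.0"}},
  "components": [
    {"bom-ref": "kernel", "type": "operating-system", "name": "linux", "version": "5.10.0"},
    {"bom-ref": "rtsp", "type": "library", "name": "example-rtsp-lib", "version": "1.2.3"},
    {"bom-ref": "tls", "type": "library", "name": "example-tls-stack"}
  ],
  "dependencies": [
    {"ref": "fw", "dependsOn": ["kernel", "rtsp", "tls", "webui"]}
  ]
}
"""

def check_sbom(text):
    """Return a list of gaps in top-level dependency coverage (empty list = pass)."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        return ["not a CycloneDX JSON document"]
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    if not root:
        return ["no metadata.component: cannot tell which product the SBOM describes"]
    components = {c.get("bom-ref"): c for c in bom.get("components", [])}
    # Direct dependencies of the firmware image itself.
    top_level = next((d.get("dependsOn", []) for d in bom.get("dependencies", [])
                      if d.get("ref") == root), [])
    if not top_level:
        return ["root component declares no top-level dependencies"]
    gaps = []
    for ref in top_level:
        comp = components.get(ref)
        if comp is None:
            gaps.append(f"{ref}: listed as dependency but not described in components")
        elif not comp.get("version"):
            gaps.append(f"{ref}: component has no version")
    return gaps

if __name__ == "__main__":
    print("\n".join(check_sbom(SBOM_JSON)) or "top-level dependencies covered")
```
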
4. Secure Update Mechanism
Cameras need secure, authenticated firmware updates:
- Delivered over encrypted channels
- Firmware integrity verified before installation
- Automatic security updates enabled by default (users can opt out)
- Rollback capability recommended
5. Data Minimisation and Privacy
Cameras collecting video data must:
- Only process data necessary for the product's function
- Encrypt stored and transmitted data
- Let users securely delete their data
- Protect data at rest against physical access
The Role of Importers and Distributors
Importers: You're the EU Gatekeeper
If you're importing cameras from outside the EU (and let's be honest, most smart cameras are manufactured in Asia), Article 19 puts you on the hook. You are personally liable for verifying the manufacturer did their compliance work before that product enters the EU market.
Your verification checklist before placing a camera on the EU market:
- [ ] Manufacturer completed the appropriate conformity assessment (Class I)
- [ ] EU Declaration of Conformity (DoC) exists and references the CRA
- [ ] CE marking is correctly applied
- [ ] Technical documentation is available and adequate
- [ ] Manufacturer's contact information is on the product or packaging
- [ ] SBOM is available as part of the technical documentation
If any check fails, you cannot legally sell the product. Full stop. You must inform the manufacturer, and if there's a cybersecurity risk, notify market surveillance authorities.
Penalties for importers: Up to EUR 10 million or 2% of global annual turnover (Article 64).
Distributors: Lighter Obligations, Real Consequences
Distributors have less to verify under Article 20, but the obligations are still binding:
- CE marking is present on the product
- Manufacturer and importer names and contact details are visible
- Storage and transport conditions don't compromise compliance
- Don't sell products you have reason to believe are non-compliant
Penalties for distributors: Up to EUR 10 million or 2% of global annual turnover (Article 64(3); Article 20 distributor obligations fall within the Articles 18–23 range).
The Rebranding Trap
Watch out: if you import a camera and sell it under your own brand name, or if you make substantial modifications to the firmware or digital elements, the CRA treats you as the manufacturer. That means the full set of manufacturer obligations: conformity assessment, SBOM, 5-year vulnerability handling, the lot.
Compliance Timeline
SMART CAMERA CRA TIMELINE
11 Sep 2026 --- Vulnerability reporting obligations begin (24h reporting to the coordinator CSIRT and ENISA)
11 Dec 2027 --- Full CRA compliance required (all essential requirements, conformity assessment, CE marking, SBOM, technical documentation)
If you're manufacturing or importing smart cameras and haven't started your compliance work yet, you're already behind. Harmonised standards are still being developed, notified body slots are filling up, and December 2027 is closer than it looks.
Smart cameras with security functionality (surveillance, monitoring) are classified as Important Class I under Annex III, Part I.
Default passwords on cameras are explicitly prohibited under the CRA. Each device must have a unique credential or require user setup.
Official Sources
- Regulation (EU) 2024/2847: Cyber Resilience Act (full text)
- Commission Implementing Regulation (EU) 2025/2392: Technical descriptions of Annex III/IV categories
- CRA Conformity Assessment: EU Digital Strategy
- ENISA Threat Landscape 2020: Botnet Report
- ENISA Threat Landscape 2025
Frequently Asked Questions
Are smart security cameras Class I or Critical under the CRA?
Class I. Annex III, Class I, Item 17 of Regulation (EU) 2024/2847 lists "smart home products with security functionalities, including smart door locks, security cameras, baby monitoring systems and alarm systems". Critical Products sit in Annex IV and cover hardware security modules, smart meter gateways and smartcards, not cameras. The Commission's Implementing Regulation (EU) 2025/2392 uses the slightly broader phrase "camera systems" for the same category. Standalone webcams for video calls do not automatically land here; the qualifier is a smart home context with a security function.
Can camera manufacturers self-assess under Module A, or is a notified body required?
Self-assessment is allowed only if harmonised standards covering all essential cybersecurity requirements are applied in full. Partial coverage forces the third-party route: either Module B+C (EU-type examination by a notified body, then conformity to type) or Module H (full quality assurance system certified by a notified body). As of February 2026 the CRA harmonised standards are still being finalised by CEN/CENELEC, so most manufacturers will not yet be able to take the self-assessment path.
Are default passwords actually banned on smart cameras?
Yes. Article 13 and Annex I, Part I require a "secure by default" configuration. In practice this means no more shared admin/admin or admin/password shipped on every unit. Each device needs a unique credential, or must force the user through secure credential setup on first use, with multi-factor authentication where technically feasible. This single requirement alone will force redesigns across a large share of the camera market.
How long must a camera manufacturer ship security updates?
At least five years from market placement, under Article 13(8), or the expected product lifetime if that is shorter. During that period, manufacturers must run a coordinated vulnerability disclosure (CVD) policy, give security researchers a clear route to report issues, and patch vulnerabilities without delay. Updates must be delivered over authenticated channels with firmware integrity verified before installation, and automatic security updates enabled by default (users may opt out).
What is an importer's liability when placing cameras on the EU market?
Under Article 19, importers are personally liable for verifying that the manufacturer has completed the conformity assessment, that an EU Declaration of Conformity references the CRA, that CE marking is correctly applied, that the technical documentation and SBOM are available, and that the manufacturer's contact details are on the product or packaging. If any check fails, the product cannot lawfully be placed on the market. Penalties reach EUR 10 million or 2% of global annual turnover (Article 64). An importer who rebrands a camera or makes substantial modifications is treated as the manufacturer and inherits the full manufacturer obligations.
When does the 24-hour vulnerability reporting obligation start for cameras?
11 September 2026. From that date, actively exploited vulnerabilities must be reported within 24 hours under Article 14, simultaneously to the CSIRT designated as coordinator and ENISA via the Single Reporting Platform. Full CRA application, including CE marking, conformity assessment, SBOM and technical documentation, follows on 11 December 2027. Manufacturers and importers who have not yet scoped their Article 14 pipeline are already behind the curve: harmonised standards are still in development and notified body capacity will tighten as 2027 approaches.