Are Smart Cameras Important Products Under the EU Cyber Resilience Act?
Smart security cameras are classified as Important Products (Class I) under CRA Annex III. What this means for manufacturers, importers, and distributors.
While a connected toaster can follow the basic CRA compliance path, smart security cameras don't get that luxury. The EU has explicitly placed them in Annex III as Important Products, Class I, a step above most consumer IoT, with stricter conformity requirements that change the game for anyone manufacturing, importing, or distributing these devices.
A common misconception floating around is that cameras are "Critical Products." They're not. But Important Class I is already a significant step up.
Summary
- Smart security cameras are Important Products, Class I under CRA Annex III, Item 17. Not "Critical Products"
- Class I allows self-assessment only if harmonised standards are fully applied; otherwise, third-party audit is required
- Default passwords are banned. Unique credentials or secure authentication must be enforced at first use
- Manufacturers must handle vulnerabilities and ship security updates for at least 5 years
- An SBOM (Software Bill of Materials) is mandatory
- Importers are personally liable for verifying manufacturer compliance before EU market placement
- All obligations apply from 11 December 2027
What the CRA Actually Says About Cameras
There's a lot of confusion about CRA product categories, so let's be precise. The regulation creates three tiers:
CRA PRODUCT CLASSIFICATION
DEFAULT CATEGORY (Self-assessment, Module A):
→ Most consumer IoT: smart speakers, thermostats, etc.
IMPORTANT PRODUCTS (Annex III):
Class I (Self-assessment with harmonised standards OR third-party):
→ Smart home security cameras ← CAMERAS ARE HERE
→ Smart door locks, baby monitors, alarm systems
→ Routers, modems, operating systems, password managers
Class II (Third-party required):
→ Firewalls, intrusion detection/prevention systems
CRITICAL PRODUCTS: Annex IV (Third-party required, always):
→ Hardware security modules, smart meter gateways, smartcards
The Exact Legal Text
Annex III, Class I, Item 17 of Regulation (EU) 2024/2847:
"Smart home products with security functionalities, including smart door locks, security cameras, baby monitoring systems and alarm systems"
The Commission's Implementing Regulation (EU) 2025/2392 further clarifies the technical scope, using "camera systems", slightly broader than the parent regulation's "security cameras."
One important qualifier: the product must have "security functionalities" in a smart home context. A standalone webcam for video calls doesn't automatically land in Class I. A connected surveillance camera monitoring your home or business does.
Why the EU Singled Out Cameras
This wasn't an arbitrary decision. IP cameras have earned their reputation as the weakest link in network security, and the data backs it up:
- The Mirai botnet (2016 onwards) built armies of over 150,000 compromised cameras and DVRs to launch massive DDoS attacks (ENISA Threat Landscape 2020: Botnet Report)
- DDoS attacks made up 77% of all reported cyber incidents in 2024–2025, many powered by hijacked IoT devices (ENISA Threat Landscape 2025)
- Mirai variants are still active and were found exploiting GeoVision cameras as recently as April 2025
- About 7.7 million new IoT devices come online every day; only 1 in 20 sits behind a firewall
The pattern is clear: cameras are always on, always connected, often poorly secured, and they sit on sensitive data (your video feeds). That's exactly the risk profile the CRA targets.
What Class I Means for Conformity Assessment
Under Article 32(2), Class I manufacturers get two paths, and which one you can take depends on something that's still in flux.
Path 1: Self-Assessment (Module A)
You can do internal self-assessment, but only if you apply harmonised standards covering all essential cybersecurity requirements. Partial coverage doesn't cut it. Miss one requirement, and you're on Path 2.
The catch: as of February 2026, the harmonised standards under the CRA are still being finalised by CEN/CENELEC. Until they're published in the Official Journal, most manufacturers won't be able to use this path.
Path 2: Third-Party Assessment
Without full harmonised standards coverage, you need either:
- Module B + C: EU-type examination by a notified body, then conformity to type
- Module H: full quality assurance system certified by a notified body
Both options cost more and take longer than self-assessment. And notified body capacity will tighten as we get closer to December 2027. Everyone will be rushing at the same time.
Essential Requirements for Smart Cameras
Every connected camera must meet the CRA's essential cybersecurity requirements (Annex I), regardless of which conformity path you take. The ones that hit camera manufacturers hardest:
1. No Default Passwords
Article 13 and Annex I, Part I require "secure by default" configuration. In plain terms:
- No more admin/admin or admin/password shipped on every unit
- Each device needs a unique password, or must force secure credential setup on first use
- Multi-factor authentication where technically feasible
This alone will force redesigns across a huge number of camera product lines.
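A sketch of the two options listed above, forced credential setup on first use and a unique per-unit password, as an added example that is not taken from the regulation or from any vendor's firmware. The `CameraAuth` class, the service names, the 12-character minimum and the extra entries in the default list are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# "admin" and "password" come from the article; the rest are constructed extras.
KNOWN_DEFAULTS = {"admin", "password", "12345", "123456", "888888"}
MIN_LENGTH = 12  # assumption: the CRA does not set a specific length


class CameraAuth:
    """Hypothetical first-use credential gate for a camera's admin account."""

    def __init__(self):
        self.salt = None
        self.pw_hash = None  # None means the unit is still unprovisioned

    @property
    def provisioned(self):
        return self.pw_hash is not None

    @staticmethod
    def _hash(password, salt):
        # Store a salted, slow hash, never the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

    def set_initial_password(self, password):
        if self.provisioned:
            raise PermissionError("already provisioned; use the change-password flow")
        if len(password) < MIN_LENGTH or password.lower() in KNOWN_DEFAULTS:
            raise ValueError("password is too short or a known default")
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password, self.salt)

    def login(self, password):
        # Before setup there is no credential at all, so nothing can be guessed.
        if not self.provisioned:
            return False
        return hmac.compare_digest(self._hash(password, self.salt), self.pw_hash)

    def may_start_service(self, name):
        # Only the local setup endpoint runs until a credential exists.
        return name == "setup" or self.provisioned


def factory_password():
    """Alternative path: a unique random password per unit, printed on its label."""
    return secrets.token_urlsafe(12)  # 16 URL-safe characters, 96 bits of entropy
```
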
2. Vulnerability Handling (5-Year Minimum)
Annex I, Part II means manufacturers must:
- Set up a coordinated vulnerability disclosure (CVD) policy
- Give security researchers a clear way to report issues
- Patch vulnerabilities without delay for the full support period
- Support the product for at least 5 years from market placement
- Report actively exploited vulnerabilities to ENISA within 24 hours (this kicks in 11 September 2026)
Five years of mandatory patching is a big shift for camera manufacturers used to "ship and forget."
3. Software Bill of Materials (SBOM)
Every software component in your camera firmware needs to be documented: the Linux kernel, RTSP streaming libraries, web interface framework, TLS stack, all of it. The SBOM must:
- Use a machine-readable format (CycloneDX or SPDX)
- Cover at minimum the top-level dependencies
- Be part of the technical documentation
- Stay updated throughout the support period
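A pre-release check for the first two bullets above, as an added example that is not an official CRA or CycloneDX tool: it confirms the file is CycloneDX JSON and that every top-level dependency of the firmware has a named, versioned component entry. The sample SBOM and its component names are constructed for illustration.

```python
import json

# Constructed sample: a CycloneDX SBOM for a hypothetical camera firmware.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "fw", "type": "firmware",
                             "name": "example-cam-firmware", "version": "2.4.1"}},
  "components": [
    {"bom-ref": "kernel", "type": "operating-system", "name": "linux", "version": "5.10.201"},
    {"bom-ref": "rtsp", "type": "library", "name": "example-rtsp-server", "version": "1.8.0"},
    {"bom-ref": "tls", "type": "library", "name": "example-tls", "version": ""}
  ],
  "dependencies": [
    {"ref": "fw", "dependsOn": ["kernel", "rtsp", "tls", "webui"]}
  ]
}
""")


def check_sbom(bom):
    """Return a list of findings; an empty list means every check passed."""
    if bom.get("bomFormat") != "CycloneDX" or not bom.get("specVersion"):
        return ["not a CycloneDX document (bomFormat/specVersion missing)"]
    findings = []
    root = bom.get("metadata", {}).get("component", {})
    root_ref = root.get("bom-ref")
    if not root_ref or not root.get("version"):
        findings.append("metadata.component must identify the firmware and its version")
    components = {c.get("bom-ref"): c for c in bom.get("components", [])}
    # Top-level dependencies are whatever the firmware's own dependency entry lists.
    top_level = []
    for dep in bom.get("dependencies", []):
        if root_ref and dep.get("ref") == root_ref:
            top_level = dep.get("dependsOn", [])
    if not top_level:
        findings.append("no dependency entry for the firmware: top-level deps undocumented")
    for ref in top_level:
        comp = components.get(ref)
        if comp is None:
            findings.append(f"top-level dependency '{ref}' has no component entry")
        elif not comp.get("name") or not comp.get("version"):
            findings.append(f"component '{ref}' lacks a name or version")
    return findings


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM):
        print("FAIL:", finding)
```

On the constructed sample it reports the unversioned TLS library and the web UI that is referenced as a dependency but never declared as a component.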
4. Secure Update Mechanism
Cameras need secure, authenticated firmware updates:
- Delivered over encrypted channels
- Firmware integrity verified before installation
- Automatic security updates enabled by default (users can opt out)
- Rollback capability recommended
5. Data Minimisation and Privacy
Cameras collecting video data must:
- Only process data necessary for the product's function
- Encrypt stored and transmitted data
- Let users securely delete their data
- Protect data at rest against physical access
The Role of Importers and Distributors
Importers: You're the EU Gatekeeper
If you're importing cameras from outside the EU (and let's be honest, most smart cameras are manufactured in Asia), Article 19 puts you on the hook. You are personally liable for verifying the manufacturer did their compliance work before that product enters the EU market.
Your verification checklist before placing a camera on the EU market:
- [ ] Manufacturer completed the appropriate conformity assessment (Class I)
- [ ] EU Declaration of Conformity (DoC) exists and references the CRA
- [ ] CE marking is correctly applied
- [ ] Technical documentation is available and adequate
- [ ] Manufacturer's contact information is on the product or packaging
- [ ] SBOM is available as part of the technical documentation
If any check fails, you cannot legally sell the product. Full stop. You must inform the manufacturer, and if there's a cybersecurity risk, notify market surveillance authorities.
Penalties for importers: Up to EUR 10 million or 2% of global annual turnover (Article 64).
Distributors: Lighter Obligations, Real Consequences
Distributors have less to verify under Article 20, but the obligations are still binding:
- CE marking is present on the product
- Manufacturer and importer names and contact details are visible
- Storage and transport conditions don't compromise compliance
- Don't sell products you have reason to believe are non-compliant
Penalties for distributors: Up to EUR 5 million or 1% of global annual turnover (Article 64).
The Rebranding Trap
Watch out: if you import a camera and sell it under your own brand name, or if you make substantial modifications to the firmware or digital elements, the CRA treats you as the manufacturer. That means the full set of manufacturer obligations: conformity assessment, SBOM, 5-year vulnerability handling, the lot.
Compliance Timeline
SMART CAMERA CRA TIMELINE
11 Sep 2026 ─── Vulnerability reporting obligations begin
(24h active exploitation reporting to ENISA)
11 Dec 2027 ─── Full CRA compliance required
(All essential requirements, conformity assessment,
CE marking, SBOM, technical documentation)
If you're manufacturing or importing smart cameras and haven't started your compliance work yet, you're already behind. Harmonised standards are still being developed, notified body slots are filling up, and December 2027 is closer than it looks.
What to Do Now
Manufacturers
- Classify your product. Security camera in a smart home context? That's Class I. Professional CCTV may fall under general CRA scope but not necessarily Annex III Item 17.
- Kill default passwords. Across your entire product line, now.
- Build your SBOM. CycloneDX or SPDX format. Start with your camera firmware's dependency tree.
- Set up a CVD policy. A security.txt file and a clear vulnerability reporting channel.
- Choose your conformity path. Watch CEN/CENELEC for harmonised standards progress. If they won't be ready in time, talk to a notified body early.
- Price in 5 years of support. Ongoing security patching isn't optional anymore, so bake it into your margins.
Importers
- Audit your suppliers. Request conformity evidence, SBOMs, and Declarations of Conformity from every camera manufacturer you work with.
- Update your procurement contracts. Add CRA compliance clauses before the deadline, not after.
- Check your own brand products. Selling cameras under your name? You might be the manufacturer under CRA.
Distributors
- Flag Class I products in your catalogue. Know which cameras carry higher compliance requirements.
- Collect CE marking and DoC evidence from your supply chain.
- Plan withdrawal procedures for products that won't be compliant by December 2027.
Important: Smart cameras with security functionality (surveillance, monitoring) are classified as Important Class I under Annex III, Part I.
Tip: Default passwords on cameras are explicitly prohibited under the CRA. Each device must have a unique credential or require user setup.
Official Sources
- Regulation (EU) 2024/2847: Cyber Resilience Act (full text)
- Commission Implementing Regulation (EU) 2025/2392: Technical descriptions of Annex III/IV categories
- CRA Conformity Assessment: EU Digital Strategy
- ENISA Threat Landscape 2020: Botnet Report
- ENISA Threat Landscape 2025
- ENISA CRA Requirements Standards Mapping