The CRA Guide to Smart Meter Gateways and Energy Metering
Summary
A smart meter gateway is the one energy product the CRA puts in its very top tier, the level it labels Critical. That changes the work. A Critical product cannot just self-declare its own compliance the way an ordinary router can. It has to be signed off by an outside assessor. Whether your device is really that gateway, or only a standard connected meter, comes down to one record you write first: the metering-boundary memo.
Not every metering device is Critical. A submeter, a heat-cost allocator, a water-meter radio module or a consumer energy bridge is still covered by the CRA, but it is not automatically a smart meter gateway. The Critical label is for the gateway that acts as the communication unit of a smart metering system, and for devices sold to do a security job. A 2025 EU rule made this binding and confirmed it reaches gas and heat gateways too, not just electricity. A meter does not become Critical just because it measures usage or uses encryption.
In the German model, a separate communication box sits between the meters and the network. France, Spain and Italy do it differently: the meter measures and communicates in one unit and talks to a data concentrator in the local substation, with no in-home box. There the Critical question moves to the concentrator.
The memo names the parts of the system: the meter, the gateway, the link down to the meters, the home and wide-area connections, the security module that holds the keys, the administrator that manages the fleet, the update service, the reading-privacy data, the installer workflow and who does what between maker and utility. That one decision sets the conformity route.
Two things shape the file before the conformity route even starts. First, a CRA assessment does not sign off the sealed metrology function: a security update still needs a metrology-impact check before it touches legally relevant measuring software. Second, the reporting duties for actively exploited vulnerabilities and severe incidents start on 11 September 2026, ahead of the full CRA on 11 December 2027, and they reach products already on the market, so an installed meter or gateway fleet can carry a live reporting obligation even where the rest of the CRA only applies after a substantial modification.
| Product variant | Likely CRA route | Why |
|---|---|---|
| Smart meter gateway in a smart metering system | Critical-product route | The CRA places smart meter gateways within smart metering systems in its Critical tier |
| Connected electricity submeter, gas, heat or water submeter or radio module | Standard in-scope route unless another listed function applies | A connected metering product, not the gateway that is the communication unit of a smart metering system |
| Head-end software supplied with the gateway | Boundary-dependent | May be part of the product when necessary for the intended function |
| Energy data bridge for consumers | Standard route | Usually displays or forwards readings |
| Device sold for an advanced security purpose, including secure cryptoprocessing | Critical-product route | The advanced security purpose, not ordinary use of cryptography, drives the route |
| Integrated DSO meter (Linky, Spanish or Italian model) | Standard route in most designs | A connected endpoint meter, not the system's communication unit |
| Data concentrator in the secondary substation | Critical-route candidate, confirmed in the boundary memo | The aggregation and communication-control node of the metering system |
What the CRA Requires for Smart Meter Gateways
The CRA treats a smart meter gateway as one product made of many digital elements. The product can include the meter firmware, the gateway operating system, the communication module, the DLMS/COSEM (the standard metering-data protocol) or proprietary meter-protocol stack, the SIM, eSIM or radio credential, the key store, the head-end connector (the link to the utility's central collection system), the local display, a mobile app, a cloud portal, the update service, the installer tool and the vulnerability-handling process. It normally excludes the utility's billing system, the legal metrology approval, the grid-operation systems and the customer energy contract, unless the same manufacturer supplies those as part of the product.
That boundary is the heart of the file. The evidence has to keep cybersecurity separate from legal metrology, while still documenting the interfaces between the gateway, the meters and the head-end. Metrology approval under the Measuring Instruments Directive and the national metering rules answers a different question from the CRA. One proves the measurement is correct and sealed. The other proves the connected product resists attack across its support period. A maker that blurs the two ends up with a file that satisfies neither reviewer.
| Requirement area | What a smart meter gateway maker should capture |
|---|---|
| Intended purpose | Gateway in a smart metering system, submeter, allocator, radio module, consumer bridge, or a device sold for an advanced security purpose |
| Critical check | Whether the product is a gateway within a smart metering system, or another connected metering product on the standard route |
| Product boundary | Meter interface, gateway, communication module, security module, head-end connector, local display, installer tool, update service and the excluded utility systems |
| Secure-by-default state | Mutual authentication on every link, no shared batch secret, signed updates, downgrade rejection, minimised data exposure and locked debug access |
| Key lifecycle | Per-device identity, certificate provisioning, rotation, revocation, commissioning and decommissioning, with the security module as the trust anchor |
| Reading privacy | Interval data, tamper and outage events, occupancy inference, processing profiles, pseudonymisation, retention and support export |
| Update path | Signed firmware, metrology-impact decision, staged fleet rollout, recovery and fallback |
| Role split | Meter maker, gateway maker, utility, gateway administrator, installer, importer and any private-label responsibilities |
| Support and reporting | Support-period statement, security-update availability, a single vulnerability contact and the reporting workflow under Article 14 |
The cybersecurity requirements and the technical file that proves them work the same for every CRA product, and the technical-documentation guide covers those. This page sticks to what is specific to a metering gateway: the Critical classification, the conformity route, the gateway architecture, and the metering-specific evidence.
Is Your Device in the Critical Tier?
The Critical label is narrow, and a metering product can sit on either side of it. A device is the Critical gateway when it is the communication unit of the metering system: it controls the link to utilities, processes the meter and personal data, runs the cryptography, and can firewall the system and control other devices. A meter that only measures and reports stays on the standard route, and using strong cryptography to protect an ordinary function does not make a device Critical either. Commission Implementing Regulation (EU) 2025/2392 (the Implementing Regulation), binding since 21 December 2025, sets that test and extends it to gas and heat gateways, not only electricity. Settle the answer once in the boundary memo. The Summary table above maps the common variants to their route.
How the Architecture Differs Across the EU
Germany uses a separate-gateway model with a discrete communication unit, the model the Critical listing was drawn around. France, Spain and Italy do not meter that way. They run integrated meters that measure and communicate in one sealed unit and reach a data concentrator in the secondary substation directly, with no in-home gateway box. The concentrator handles the aggregation and the upstream link, so the CRA evidence still attaches, but to different devices, and the Critical-route question moves with it. The German model gets its own section below.
The shape is the same in all three markets: an integrated meter at the customer, narrowband power-line carrier up the low-voltage line, a concentrator in the distribution substation, then a cellular link to the operator. What changes is the power-line technology, the consumer channel and, in Italy, a second radio interface. In each, the concentrator is the node that aggregates many meters and controls the communication with authorised third parties. The integrated meter is normally a standard-route connected product. Neither call is automatic. The Implementing Regulation turns the category on core functionality, so a meter whose own functions match the gateway description can be argued into the Critical tier, and the maker fixes the split in the boundary memo rather than assuming it.
France: Enedis Linky
The Linky meter does both jobs. It measures consumption and it communicates upstream from a single unit, reaching a concentrator in the HTA/BT (medium- to low-voltage) secondary substation directly rather than through an in-home gateway. The link is narrowband power-line carrier in the CENELEC A band, the low-frequency utility band, predominantly the G3-PLC profile, with a portion of the fleet on the first-generation S-FSK scheme. The concentrator backhauls to the Enedis central system over public cellular, GPRS in the original design. Enedis is the distribution system operator that runs the system, not the meter maker. The consumer interface is optional: the meter exposes a TIC information port that an in-home display can read through a separate radio module, an add-on rather than standard Enedis equipment. The rollout began in 2015 and reached around 35 million meters.
Spain: PRIME and Meters and More
Spain runs the same three-tier shape: an integrated DLMS meter at the premises, a concentrator in the centro de transformación, and a head-end at the DSO. The low-voltage power-line technology splits by operator. Iberdrola (i-DE) and UFD run PRIME, while Endesa (e-distribución) runs Meters and More. The concentrator aggregates the meters, relays commands and supervises the low-voltage grid, and it talks to the head-end over the STG-DC supervisor protocol. It backhauls over a public network link, commonly cellular and often over a VPN. The legal backbone is Orden ITC/3860/2007, which required replacing meters with remote-management units, so Spain reached near-complete coverage early, at around 27 million low-voltage meters.
Italy: e-distribuzione Open Meter
Italy was the first large EU rollout, with the Telegestore first generation from 2001, and is now on the Open Meter second generation, around 30 million meters installed by 2023. ARERA allows Chain 1 to run over power-line band A, a 169 MHz radio interface or other telecom technologies, and the Open Meter carries a double Chain 1 interface combining power-line band A and 169 MHz radio. A separate Chain 2 power-line channel in band C reaches optional consumer User Devices, standardised by the CEI TS 13-82 to 13-85 series and mandated by ARERA resolution 87/2016. The concentrator in the MT/BT (medium- to low-voltage) substation is, in e-distribuzione's own words, the information hub and actuator for network automation, and it backhauls over the public GSM, GPRS, UMTS or PSTN network.
| Market | Meter form | Low-voltage link | Aggregation node | Backhaul | Consumer channel | Critical-route candidate |
|---|---|---|---|---|---|---|
| Germany (SMGW) | Separate gateway plus meters | Local metrological network to the gateway | The gateway | Wide-area cellular or other | Home-area network and consumer display | The gateway |
| France (Linky) | Integrated meter | G3-PLC, CENELEC A band | Concentrator in the HTA/BT substation | Cellular, GPRS originally | Optional TIC port and radio display | The concentrator |
| Spain (PRIME, Meters and More) | Integrated DLMS meter | PRIME or Meters and More PLC | Concentrator in the centro de transformación | Cellular, some fibre or radio | Not detailed here | The concentrator |
| Italy (Open Meter) | Integrated meter | PLC band A and 169 MHz RF | Concentrator in the MT/BT substation | GSM, GPRS, UMTS or PSTN | Chain 2 PLC band C to User Devices | The concentrator |
None of this declares the concentrator a Critical product. It is usually the stronger candidate. The determination is device-and-use specific, it turns on the core-functionality description in the Implementing Regulation, and it belongs in the maker's boundary memo. The decision below is the short version of that test.
How a Separate-Gateway System Is Built (the German model)
This is the separate-gateway model, the one with a discrete communication unit as its own box. In the integrated-meter markets described above, France, Spain and Italy, these same evidence boundaries exist, but they collapse into the meter and the grid concentrator rather than a discrete gateway. A smart meter gateway is the central communication unit of an intelligent metering system. The BSI describes it as the central component that receives and stores data from meters and processes it for the market participants entitled to see it. The Federal Network Agency (Bundesnetzagentur) calls it the heart of the system. The gateway sits between three networks, and the trust anchor for all of them is a dedicated security module. Each boundary is where a piece of CRA evidence attaches, so the architecture is worth drawing precisely.
The three networks each carry a different risk and a different control:
- The local metrological network (LMN) connects the gateway to the meters, electricity, gas, water or heat, of one or more final consumers. This is where readings enter the product. The evidence here covers how the gateway authenticates a meter, how it rejects readings from an unauthorised meter, and how the meter-to-gateway link is paired and protected.
- The home-area network (HAN) connects the gateway to controllable local systems such as rooftop solar, combined heat and power, heat pumps and EV charging, to a service technician during maintenance, and to the consumer who is entitled to view their own consumption. The evidence here covers isolation between the consumer view and the device secrets, and the scope of any control commands that reach a local system.
- The wide-area network (WAN) connects the gateway to external market participants, the energy suppliers, grid operators and the metering point operator, and to the gateway administrator. This is the fleet path. The evidence here covers mutual authentication, certificate custody, the pseudonymisation of meter data before it reaches a market participant, and the processing profiles that decide which data goes where.
The security module is the trust anchor. The BSI defines it as the secure storage location for the cryptographic key material, providing the cryptographic core routines for signature creation and verification, key generation, key agreement and random-number generation. If the security module is sound, the gateway can prove who it is on every network. If it is weak, every other control downstream rests on sand. The CRA file should treat the security module as a named component with its own supplier evidence, its own update story and its own boundary in the diagram.
The gateway administrator (GWA) configures, administers and monitors the gateway remotely over the wide-area network. It pushes firmware, sets configuration and processing profiles, and watches the fleet. From a CRA point of view the gateway administrator is a privileged remote-control path, much like the auto-configuration server on a router. The file has to record the administrator's identity, the scope of the commands it can issue, the trust anchor it authenticates against, and the audit trail it leaves.
Several controls then layer on the wire, and each one is a separate piece of evidence in the file.
The wide-area link is secured with TLS, protecting the channel between the gateway and the entity it talks to.
Meter content destined for external market participants is additionally secured end to end with CMS, the Cryptographic Message Syntax, so the payload stays protected past the transport endpoint.
Readings are pseudonymised before they reach a market participant, and processing profiles decide which dataset is minimised, aggregated and routed to which recipient.
Physical tamper protection guards the device against manipulation in the field.
National scheme, separate track. Germany already runs a detailed national regime for this device under the Metering Point Operation Act, built on a stack of BSI standards:
- TR-03109-1: interoperability requirements for the communication unit, in the wider TR-03109 family. Now at version 2.0.
- TR-03109-4: the Smart Metering public-key infrastructure.
- BSI-CC-PP-0073: Common Criteria protection profile for the gateway. V2.0 certified December 2024.
- BSI-CC-PP-0077: Common Criteria protection profile for the security module.
The earlier PP-0073 v1.3 and TR-03109-1 v1.1 baselines stay valid through 31 December 2027.
The CRA does not adopt TR-03109. Its route runs through its own harmonised standards developed under the Commission standardisation request. The point of mentioning the German scheme is honest framing: regulators already demand this depth of security architecture from the very device the CRA now lists as Critical, so the bar a gateway maker has to clear is not theoretical. Germany is not the only pre-2027 bar either. A radio-equipped meter already owes the RED cybersecurity requirements today, in every market, as the overlap with RED, MID, GDPR and NIS2 sets out below.
| Architecture checkpoint | Evidence prompt |
|---|---|
| Meter-to-gateway link (LMN) | Document the optical, wired, wireless, DLMS/COSEM or proprietary link, and how the gateway authenticates a meter and rejects an unauthorised one. |
| Home-area network (HAN) | Show isolation between the consumer view, the service-technician access and the controllable-local-system commands, so a household view cannot reach device secrets. |
| Wide-area network (WAN) | Show mutual authentication, certificate and key custody, reconnect behaviour, and which market participant receives which dataset. |
| Security module | Treat the key store and crypto routines as a named component with supplier evidence, an update story and tamper resistance. |
| Gateway administrator | Record the administrator identity, command scope, trust anchor and audit trail for remote configuration and firmware. |
| Pseudonymisation and profiles | Show where readings are pseudonymised and which processing profile minimises and routes each dataset. |
| Metrology boundary | Separate cybersecurity updates from legally relevant metrology software, and document where an adjacent metrology approval is needed. |
How the Conformity Route Works for a Critical Product
Because a gateway is Critical, the self-declaration route an Important Class I router can use is closed. It takes the external route under Article 32: a third-party examination or a full quality-assurance audit, or a European cybersecurity certification scheme once one applies under Article 8. No scheme has been made mandatory for gateways yet, so today the route is the third-party or quality-system assessment, with the scheme as a future trigger to track. The mechanics of each procedure are in the conformity-assessment guide. The metering-specific catch is the metrology boundary: a CRA assessment does not sign off the legally relevant measurement function, so keep the conformity evidence and the metrology approval as separate records.
What Evidence the Technical File Should Contain
The file should let a reviewer follow the gateway from product identity to security controls without guessing. The table below lists the file-specific records that the requirements table above did not already cover: identity, the Critical determination, the conformity output and the component inventory. The two records that carry most of the weight for a metering gateway, the key and certificate lifecycle and the split between metrology-relevant and cybersecurity-only changes, are drawn in full below it.
| Evidence area | Metering evidence to keep |
|---|---|
| Product identity | Meter and gateway model, metrology firmware, communication module, security-module part and hardware revision |
| Critical determination | Whether the product is a gateway within a smart metering system or another connected metering product, with the reasoning recorded |
| Conformity output | The notified-body EU-type examination certificate or full-quality-assurance approval, the EU declaration of conformity, and the CE marking, with the notified body's number added only where the body runs the full-quality-assurance route |
| Component inventory | Versioned list of the shipped digital elements, with named owners and a supplier-advisory watch |
The security module makes the key lifecycle different from a generic IoT key story. A per-device secret is injected at the factory and never leaves the module in the clear. At installation, the installer binds the gateway to its meters and to the operator role without ever handling a batch key, so a leaked installer credential cannot impersonate a fleet. In operation, the gateway authenticates to the head-end with the configured trust anchor and records every reading, tamper event and update. Rotation is scheduled, incident-driven or triggered by a role change, and it updates both the gateway and the operator's record. At retirement, the old binding is revoked and the keys are destroyed or disabled, so a returned or swapped gateway cannot continue to act as a live meter gateway.
The second metering-specific record is the split between legally relevant metrology software and cybersecurity-only changes. A gateway maker will ship security fixes far more often than metrology changes, and the file has to show that a security update did not quietly alter the approved measurement function. The matrix below is the decision aid: it tells the maker where to record the cybersecurity decision, and where an adjacent metrology approval or an operator-coordinated change window is needed.
Metrology versus cybersecurity update split. Security fixes must be assessed against legally relevant software without pretending the CRA replaces metrology approval.
| Change area | Example change | Decision question | Release path | Evidence |
|---|---|---|---|---|
| Legally relevant metrology | Measurement calculation or sealed meter firmware | Does this affect the approved metrology function? | Hold for a metrology-impact decision | Impact assessment and approval record |
| Gateway security | TLS, pairing, update agent or key-store fix | Can the fix ship without changing measurement logic? | Signed security update with rollback | Metrology-impact decision record, test result and customer notice |
| Communications module | Cellular modem firmware or protocol-library patch | Does the supplier update change exposed services or credentials? | Staged field update | Supplier-advisory decision and compatibility test |
| Head-end connector | Export format, trust anchor or pairing workflow | Will the operator need a coordinated change window? | Operator-coordinated rollout | Operator instruction and migration log |
Decision gate: this split is not a shortcut around metrology or utility approval. It tells the maker where to record the cybersecurity decision, and where an adjacent approval or operator hold is needed. The question it answers: can this fix ship as a cybersecurity update, or does it touch legally relevant metrology software? Artifact: metrology-impact decision record per release.
What a Real Metering Risk Assessment Looks Like
Use this as an example of the depth a Critical-tier file needs. The maker still has to run the assessment against its real gateway, security module, meter-protocol stack, communication module, supplier components, update ownership, sales claims and support-period promise.
Asset Inventory
Example product: ExampleCo GridMeter G2, a smart meter gateway paired with electricity meters, a cellular communication module, a hardware security module, a utility head-end connector, a consumer display interface, signed firmware updates and an installer commissioning tool.
The product boundary includes the gateway hardware, the security module, the meter interface, the communication module, the key store, the head-end connector, the consumer display interface, the firmware update service, the installer tool, the coordinated-disclosure intake and the advisory process. It excludes the utility's billing system, the legal metrology approval, the grid-operation systems and the customer energy contract, unless the same operator supplies them as part of the product.
| Asset | Why it matters | Where it lives |
|---|---|---|
| Meter-to-gateway link (LMN) | Carries metering data into the product and must reject unauthorised meters | Meter interface, pairing material, LMN protocol stack |
| Hardware security module and key store | Holds the keys that prove the gateway's identity on every network | Security module, key store, provisioning records |
| Head-end and WAN connection | Privileged path to market participants and the gateway administrator | Cellular module, WAN credentials, certificate store |
| Gateway-administrator command path | A fleet-control path can act on many gateways at once | WAN management, administrator credentials, command audit |
| Firmware-signing trust anchor | Protects the update channel against rollback and tampering | Bootloader, secure storage, OTA update service |
| Interval reading and privacy data | Fine-grained consumption can reveal occupancy and behaviour | Reading store, processing profile, support export |
| Installer commissioning workflow | Commissioning authority binds the gateway to the meter and operator role | Installer tool, installer portal, pairing attestation |
| Communication-module firmware | Modem vulnerabilities affect availability and exposure | Cellular module, vendor SDK, supplier advisories |
| Metrology boundary | A security update must not silently touch legally relevant measuring software | Sealed metrology function, release process, metrology-impact record |
Document the role split and the excluded utility systems.
Route check | product file | risk file | support-period statement
Key lifecycle, privacy review, firmware tests and utility acceptance evidence.
Protocol-library watch, modem firmware evidence, key-store tests and supplier advisory notices.
Revocation procedure, installer instructions, spare-part update path and customer notification record.
A gateway's most privacy-sensitive output is the interval reading. Fine-grained consumption data can reveal occupancy, appliance use and behaviour, so the file needs a clear minimisation choke point and a clear answer to what support can see during an investigation. The flow below ties that back to the pseudonymisation and processing-profile controls from the architecture section.
Reading cadence is operator- or market-specific. The gateway records only the supported data set.
A processing profile keeps only what the stated function needs, and readings are pseudonymised before they reach a market participant.
Consumer and operator views are separated from raw device secrets and pairing material.
A support export removes keys, precise topology and unnecessary personal detail. Artifact: support-bundle redaction list.
Trust Boundaries
| Environment | Expected exposure | Risk consequence |
|---|---|---|
| Meter link (LMN) | Reachable from installed meters in the field | An unauthorised or spoofed meter can inject false readings |
| Home-area network (HAN) | Shared with consumer displays and controllable local systems | Weak isolation can leak readings or reach control functions |
| Wide-area network (WAN) | Continuously exposed to external market participants and the administrator | Credential or certificate compromise can scale across the fleet |
| Gateway-administrator path | Privileged remote configuration and update channel | Excess command scope or a compromised administrator affects many gateways |
| Security module interface | Reached by every operation that signs, verifies or stores keys | A weak module undermines every downstream control |
| Update and recovery path | Receives privileged firmware images | Weak signing or rollback reintroduces known vulnerabilities |
| Support and reading export | Crosses from the device to operators and support staff | Unredacted exports can expose keys, topology or personal consumption data |
Threat Scenarios
| ID | Threat scenario | Asset at risk | Entry point |
|---|---|---|---|
| M1 | Gateway accepts meter readings from an unauthorised meter | Reading integrity | Meter link |
| M2 | Head-end certificate or device key is reused across batches | Fleet authentication | Provisioning |
| M3 | Firmware rollback reintroduces a known vulnerability | Firmware integrity | Update agent |
| M4 | Interval data leaks occupancy through a support export | Reading privacy | Support bundle |
| M5 | Installer account remains active after contractor offboarding | Commissioning authority | Installer portal |
| M6 | Consumer interface exposes another household's readings | Privacy | Cloud or local API |
| M7 | Metrology-impacting update ships without separation from the security fix | Metrology boundary | Release process |
| M8 | Cellular modem vulnerability is not triaged during support | Gateway availability | Supplier module |
| M9 | Factory reset does not revoke the utility binding or old keys | Ownership, keys | Replacement or return |
| M10 | Gateway-administrator command scope exceeds the assessed profile | Fleet control | WAN management |
Initial Risk Register
| ID | Likelihood | Impact | Initial decision | Rationale |
|---|---|---|---|---|
| M1 | Low | High | Treat before release | Reading integrity is central |
| M2 | Low | Severe | Treat before release | Key reuse can scale across the fleet |
| M3 | Low | Severe | Treat before release | Update weakness undermines support |
| M4 | Medium | Medium | Treat before release | Metering data is privacy-sensitive |
| M5 | Medium | High | Treat before release | Installers affect many devices |
| M6 | Low | High | Treat before release | A cross-household leak is severe |
| M7 | Medium | High | Treat before release | Metrology and cybersecurity updates interact |
| M8 | Medium | Medium | Treat before release | Communication modules age quickly |
| M9 | Medium | High | Treat before release | Replacement and return are normal |
| M10 | Medium | Severe | Treat before release | A fleet-control path can affect many gateways |
Control and Evidence Mapping
| Threats | Design control | Evidence the manufacturer should keep |
|---|---|---|
| M1, M2 | Mutual authentication, per-device keys anchored in the security module, provisioning audit | Key-injection record, pairing tests |
| M3 | Signed updates, anti-rollback, recovery verification | Update tests, downgrade rejection |
| M4, M6 | Data minimisation, processing profiles, pseudonymisation, tenant isolation, support redaction | Privacy review, API tests |
| M5, M9 | Installer role separation, offboarding, replacement and revocation workflow | Role tests, return checklist |
| M7 | Metrology-impact assessment and release separation | Release decision record |
| M8 | Component inventory and supplier-advisory watch | Advisory log, patch decision |
| M10 | Least-privilege administrator profile, certificate inventory, command audit | Profile review, command-audit sample |
Residual Risk After Controls
| Residual area | Why it remains | Operating evidence |
|---|---|---|
| Utility systems | Billing and head-end operations may sit outside the product maker's control | Role-split memo |
| Privacy inference | Fine-grained readings can still reveal behaviour | Retention and minimisation record |
| Certification route | Critical-product treatment depends on the scheme and the future delegated act | Route-decision log, scheme-watch note |
What Goes in a Smart Meter Gateway SBOM?
The generic SBOM mechanics, format choice and signing live in the SBOM guide, the HBOM guide and the BSI TR-03183 guide. What is specific to a gateway is the shape of the tree. It is a hardware product that ships many digital elements on separate update cycles, rarely fewer than ten and often closer to twenty top-level components, each with its own supplier, update cadence and advisory feed. List them as one product-level inventory with element-separated sections, or one inventory per shipped element, as long as it stays machine-readable and covers the top-level dependencies.
| Component | Function in the gateway | Concrete example |
|---|---|---|
| Secure bootloader and root of trust | Verifies and starts the signed firmware chain | A measured or verified-boot first stage that checks signatures before the operating system loads and rejects downgraded images |
| Operating system and kernel | The platform the gateway runs on | An embedded Linux built with Yocto/OpenEmbedded on a long-term-support kernel, or a hardened RTOS |
| Metrology firmware | The sealed, legally relevant measurement function | Meter measuring firmware sealed under the Measuring Instruments Directive (2014/32/EU) and national metrology law. In the gateway boundary only when the meter is part of the placed-on-market product, otherwise it sits in the meter and is identified per the WELMEC 7.2 software guide |
| Meter-protocol stack (LMN) | Reads meters over the local metrological network | A DLMS/COSEM (Device Language Message Specification / Companion Specification for Energy Metering) stack (IEC 62056). In German deployments, SML (Smart Message Language) and Wireless M-Bus (EN 13757-4) with OMS (Open Metering System) profiles |
| Communication-module firmware (WAN) | Carries the wide-area link to market participants | Supplier baseband firmware on an NB-IoT or LTE-M cellular module (e.g. from u-blox or Quectel). Some grids use power-line backhaul instead |
| Head-end connector / client | Talks to the head-end system and the gateway administrator | A WAN client implementing the operator protocol (in Germany, the TR-03109-1 link to the gateway administrator) |
| Security-module firmware and key store | The trust anchor: key storage and the crypto core | A secure element or HSM (hardware security module) evaluated against a Common Criteria protection profile (in Germany, BSI PP-0077) |
| PKI / certificate-management client | Enrols, renews and revokes the device certificates | A certificate client (e.g. EST or CMP) against the operator PKI. In Germany, the TR-03109-4 Smart Metering PKI |
| TLS library | Protects the WAN channel | mbedTLS, wolfSSL or OpenSSL |
| CMS layer | End-to-end content protection of readings past the transport endpoint | A Cryptographic Message Syntax (RFC 5652) implementation that signs and encrypts meter content for the entitled recipient |
| Over-the-air update agent | Applies signed firmware with rollback | An A/B update client such as SWUpdate, Mender or RAUC, with signature verification and anti-rollback |
| Processing-profile and configuration engine | Minimises and routes each dataset to the recipient entitled to it | The component that applies processing profiles and pseudonymises readings before they leave the gateway |
| Event and tamper-logging subsystem | Records readings, tamper and update events for the audit trail | An append-only event log feeding the operator audit trail and billing-dispute evidence |
| Secure time source | Provides trusted time for certificates, logs and tariffs | A synchronised clock, such as authenticated NTP, underpinning certificate-validity and tamper-event timestamps |
| Local display / HAN interface | The consumer transparency view and the controllable-local-system link | A local web view for the final consumer, or an EEBus / OMS interface to home-area systems |
| Installer / commissioning tool | Pairs, provisions and replaces gateways in the field | A field app or laptop tool that binds the gateway to its meters and operator role without handling a batch key |
Keep the obligation honest. The CRA asks for a machine-readable inventory covering at least top-level dependencies, refreshed across the support period, with supplier-advisory monitoring so a known vulnerability in the modem firmware or the protocol library is triaged rather than missed. It does not yet mandate one fixed format or a depth beyond top-level dependencies. Mirror that wording rather than inventing a stricter rule.
The inventory is not a passive list. Article 13 makes you exercise due diligence when you integrate a third-party component, including open-source, so it does not weaken the gateway's cybersecurity. It goes further on vulnerabilities. When you find one in an integrated component, you report it to the entity that manufactures or maintains that component, you fix it in your product under the Annex I vulnerability-handling rules, and where you have built a software or hardware fix you share the relevant code or documentation back with that maintainer. The cellular module and the security module are not just line items. Each is a product with digital elements in its own right, carrying its own CRA obligations, so the modem baseband advisory and the security-module errata are part of your watch and your upstream reporting, not someone else's problem.
How Should Support, Updates and Reporting Work?
A meter fleet outlives most consumer electronics. Gateways stay in walls for a decade or more, so the support model is part of the file, not an afterthought. Support evidence should cover the metrology firmware, the gateway firmware, the security module, the communication module, the head-end connector and the installer tools. Long-lived fleets also need evidence for certificate-authority continuity, signing-key expiry, spare-gateway baselines, and the separation between legally relevant metrology software and cybersecurity-only updates.
| Operating area | Evidence to prepare |
|---|---|
| Support period and update availability | The generic floors are in the support-period guide. For a meter fleet, plan a window that matches a multi-year deployment rather than the floor, show the month-and-year end date at purchase, and keep recovery images, hashes and release notes for spare-gateway baselines. |
| Metrology-impact separation | A per-release decision record showing whether a change touched the approved metrology function, and where an adjacent approval or operator hold was needed. |
| Single vulnerability contact | A direct vulnerability-reporting contact for the manufacturer of record, not only an automated channel. Where the utility is manufacturer for a branded gateway, the utility owns an intake route. |
| Component due diligence | Supplier-advisory monitoring for the kernel, the protocol stack, the modem firmware, the security module, the TLS and CMS libraries and the update agent, with triage and fix propagation. |
| Active-exploitation and severe-incident reporting | Notify through the single platform to the coordinating CSIRT and ENISA on the CRA clock, then add the gateway-specific overlay: coordinate the user notice and any mitigation with the utility, and record the metrology impact of the fix. The early-warning, notification and final-report deadlines are the cross-product ones detailed in the vulnerability-handling guide and the coordinated vulnerability disclosure guide. |
Security updates have to be coordinated with the utilities and the gateway administrator so the field rollout, the metrology impact and the user notice are traceable. A gateway maker cannot push a fleet update the way a phone app does. The operator owns the change window, and the file should show that coordination rather than assume it. The reporting duties under Article 14 start on 11 September 2026, so the disclosure policy and the single contact should be working before then, while the rest of the CRA applies from 11 December 2027, the date by which the conformity route and the technical file have to be complete.
One transitional rule matters more to a meter fleet than to almost any other product. A product placed on the market before the application date is caught by the full CRA only if it is substantially modified afterwards, so a meter installed years earlier does not retroactively need the conformity route. One duty breaks that rule. The reporting of actively exploited vulnerabilities and severe incidents reaches every in-scope product already on the market, deployed fleet included (Article 69). So the maker of meters fielded years ago still owes that reporting for its deployed fleet, and a utility carries it only where it is the manufacturer of record, for example after re-branding or a substantial modification. Map the deployed fleet against this split early, because the reporting obligation lands before the rest of the file.
What Importers, Distributors and Utilities Must Check
A gateway often splits its roles across more economic operators than a consumer product: a meter maker, a gateway maker, a utility that may re-brand or operate the fleet, a gateway administrator and an installer. The handoff map below shows who owns each pre-sale check and what stops the gateway at each role.
The generic importer and distributor duties apply as for any product. The metering-specific checks are about the build and the keys. Importers and distributors should confirm the received build is the assessed build, not a re-branded fork. Utilities and installers should check key provisioning, the firmware baseline, the revocation and replacement workflow and the gateway-administrator profile before accepting a batch. A utility that places the gateway under its own name, runs the management cloud, or substantially modifies the firmware takes on manufacturer obligations for that branded fleet, including the vulnerability-reporting contact.
A non-EU meter or module maker may appoint an EU authorised representative under Article 18. The article says "may", so it is an option, not a duty, and you should not record an authorised representative as mandatory. The routing is what is not optional. An own-brand or substantially-modified product turns whoever placed or changed it into the manufacturer. The file has to name who receives a vulnerability report and who keeps the documentation available when the maker sits outside the EU. Decide that routing in the boundary work, not at the border.
How This Sits Alongside RED, MID, GDPR and NIS2
The CRA does not land on an empty desk. A smart meter already carries other CE obligations, and the utility that runs the fleet has its own duties. Four overlaps decide how much of the file is genuinely new.
| Regime | Lands on | What it adds, and how it meets the CRA |
|---|---|---|
| Radio Equipment Directive (2014/53/EU) | A radio-equipped meter | Safety and EMC objectives through Art. 3(1), so the LVD and EMC Directive are not listed separately. Cybersecurity through Delegated Regulation (EU) 2022/30, in force since 1 August 2025, ahead of the CRA. |
| Measuring Instruments Directive (2014/32/EU) | The measuring function | Metrology approval that the measurement is correct and sealed, a separate question from cybersecurity. |
| GDPR | The interval reading data | Data-protection duties on top of the CRA, with a smart-grid impact-assessment template to follow. |
| NIS2 (2022/2555) | The operator, not the box | The distribution system operator's own incident-reporting and risk-management duties, beside the maker's CRA reporting. |
A single EU declaration of conformity lists every act that applies, RED, MID, RoHS and the CRA among them. Two things catch makers out.
RED cybersecurity already binds a radio meter today. It has to meet the standards EN 18031-1, -2 and -3 now, ahead of the CRA. Keep meeting both until Delegated Regulation (EU) 2026/339 repeals the RED cybersecurity rules on 11 December 2027, the CRA application date.
EMC and the Low Voltage Directive are not listed twice. On a radio meter, RED already carries the EMC and safety objectives. Those two directives apply on their own only to a non-radio variant.
Frequently Asked Questions
Is every smart meter Critical under the CRA?
No. The Critical listing is focused on smart meter gateways within smart metering systems, and on devices whose purpose is advanced security including secure cryptoprocessing. A submeter, a heat-cost allocator, a water-meter radio module or a consumer bridge is an in-scope product with digital elements, but it does not become Critical merely because it measures consumption or uses cryptography. Each of those needs its own boundary and intended-use analysis on the standard route.
Can a smart meter gateway use the internal-control route like a router?
No. A Class I router can self-declare on internal control once it has fully applied the relevant harmonised standards. A Critical gateway cannot. Article 32 sends it to a certification scheme where one applies, or to a third-party examination or full quality assurance. Plan for an external assessment of the product or the process, not a self-signed declaration.
Does the gateway need a cybersecurity certificate today?
Not yet, and this is the most common overclaim. Article 8 lets the Commission make a substantial-level certificate mandatory for a Critical product, but only once a suitable scheme exists and is available. No such scheme is in force, so keep mandatory certification as a tracked future condition rather than claiming a certificate against a scheme that has not been adopted.
Does the German BSI scheme satisfy the CRA?
No. BSI TR-03109 and the protection profiles PP-0073 and PP-0077 are a German national regime under the Metering Point Operation Act. The CRA does not adopt them. The CRA route runs through its own harmonised standards developed under the Commission standardisation request. The German scheme is useful context, because it shows the security-architecture depth regulators already expect of this device, but a TR-03109 certificate is not a CRA conformity route.
Does metrology approval satisfy the CRA?
No. Metrology approval proves the measurement is correct and sealed. The CRA proves the connected product resists attack across its support period. They interact, because a security update must be checked against the legally relevant metrology software, but one does not replace the other. Keep the two records separate and document the interface between them.
Is interval-reading privacy part of the CRA assessment?
Yes. Fine-grained interval data can reveal occupancy and behaviour, so the assessment should consider confidentiality and data minimisation. The gateway should pseudonymise readings before they reach a market participant, use processing profiles to send only what each recipient needs, and keep a schema and a redaction test for any support export. The general data-protection regime applies on top of the CRA, not instead of it.
What is the first evidence item a gateway maker should create?
The metering-boundary and Critical-route memo for the exact gateway: the meter interface, the home and wide-area connections, the security module, the head-end connector, the gateway administrator and the key lifecycle. That one record fixes the Critical determination and lets the conformity route, the supplier contracts and the importer pack reference the same decision.
Does this apply if my country has no separate gateway, like France, Spain or Italy?
Yes. Those markets run integrated meters that measure and communicate in one unit and reach a data concentrator in the secondary substation directly, so there is no in-home gateway box in between. The Annex IV analysis does not disappear, it moves to the concentrator, which aggregates meters and controls the communication between the metering system and authorised third parties. That is the function the Implementing Regulation's description points at, so the concentrator is usually the stronger Critical-route candidate, not an automatic answer. An integrated meter whose own core functions match that description could itself be argued in. Run the boundary memo against the real device, as set out in how the architecture differs across the EU.