The Cyber Resilience Act is binding EU law for products with digital elements. For the lighting industry, that means networked consoles, gateways, nodes, fixtures, drivers, wireless DMX devices, media servers, and architectural controllers need documented cybersecurity design, vulnerability handling, and conformity evidence.
Products already on the EU market before 11 December 2027 are not automatically recalled. The 11 September 2026 vulnerability and incident reporting obligations still apply before the full product compliance date.
The September 2026 reporting deadline arrives before the full December 2027 product compliance date, so manufacturers need operational processes before every product redesign is finished.
| Date | What applies | Scope |
|---|---|---|
| 11 June 2026 | EU member states must have procedures for conformity assessment body notification in place. | Regulatory infrastructure |
| 11 September 2026 | Manufacturers must report actively exploited vulnerabilities and severe incidents through the ENISA Single Reporting Platform and the relevant national authority. | All in-scope manufacturers |
| 11 December 2027 | New products with digital elements placed on the EU market must meet CRA requirements, carry the CE mark for cybersecurity, and have conformity evidence. | New products placed on the EU market |
In practical lighting terms, a product is likely in scope when it has a direct or indirect logical or physical data connection to another device or network. Purely analogue products and DMX 5-pin only products with no other data connection are usually outside this scope.
Pure analogue equipment and DMX 5-pin only products with no other logical or physical data connection are generally outside the CRA's product-with-digital-elements scope.
Inventory every product with a network interface, document the threat model, prepare vulnerability reporting, build SBOMs, and design secure defaults into products that will ship after 11 December 2027.
Expect more attention on network isolation, update paths, credentials, product lifetime support, and whether Art-Net, sACN, or RDMnet gear is deployed in a defensible network environment.
The CRA uses four tiers. Most entertainment lighting products are expected to fall into Default or Important Class I, but the route depends on product functionality and whether harmonised standards are fully applied.
| Tier | Assessment route | What it means | Likely lighting examples |
|---|---|---|---|
| Default | Self-assessment under Module A. | Manufacturer prepares the technical file, Declaration of Conformity, and CE marking evidence internally. | Most standalone fixtures, basic Ethernet-enabled drivers, simple nodes. |
| Important - Class I | Self-assessment is possible only when relevant harmonised standards are fully applied; otherwise a notified body is required. | More documentation discipline and a stronger standards position are needed. | Consoles and more complex gateways may land here depending on features. |
| Important - Class II | Mandatory third-party conformity assessment. | Plan notified body availability, cost, and review time early. | Higher-risk network devices. |
| Critical | Mandatory third-party assessment under a stricter regime. | Usually aimed at higher-impact infrastructure products. | Enterprise or infrastructure-oriented products. |
From 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe incidents through the ENISA Single Reporting Platform and the relevant national authority.
| Step | Trigger | Deadline | Content required |
|---|---|---|---|
| Early warning | Actively exploited vulnerability | Within 24 hours after the manufacturer becomes aware | Basic notice that exploitation is occurring. |
| Detailed notification | Same actively exploited vulnerability | Within 72 hours | Technical details of the vulnerability. |
| Final vulnerability report | Patch or mitigation available | Within 14 days after the patch or mitigation | Full report including remediation. |
| Severe incident final report | Incident with significant impact on product security | Early warning within 24 hours; final report within 30 days | Incident report through the same reporting route. |
Products need security considered from the design stage. Default weak passwords, unnecessary open services, and insecure default states are difficult to defend under CRA expectations.
Manufacturers need a process for receiving, assessing, fixing, and reporting vulnerabilities for the whole support period of each product.
Products must receive security updates for the expected product lifetime, with a minimum of five years unless the product is expected to be used for a shorter time.
Technical files need risk assessments, SBOMs, security measures, test evidence, user instructions, and conformity documentation kept for at least 10 years after the last unit is placed on the market.
Art-Net, sACN, and RDM were designed for trusted lighting networks. The CRA does not ban these protocols, but manufacturers need a documented risk assessment explaining why their implementation is appropriate for the product's intended deployment and threat model.
Sig-Net is an emerging authentication and integrity framework for lighting networks. It can be relevant evidence in a CRA risk assessment, but it is not a certification by itself. Manufacturers still need product-specific documentation and conformity evidence.
QubiCore implements Sig-Net, giving lighting manufacturers a concrete implementation path for authentication and message integrity in networked lighting products.
Non-compliance with essential cybersecurity requirements can lead to fines of up to EUR 15,000,000 or 2.5% of total global annual turnover, whichever is higher. Market surveillance authorities can also restrict, withdraw, or recall products from the EU market.
Short answers to the questions manufacturers and lighting technicians are already asking.
No. The CRA does not name or prohibit these protocols. The issue is whether the manufacturer can document why the implementation is secure enough for the product's intended deployment and threat model.
Not automatically. The full application date applies to products newly placed on the EU market after 11 December 2027. Reporting obligations begin earlier, on 11 September 2026, and can affect products already on the market.
Start with a product inventory, identify every product with a data connection, document the intended deployment context, and establish vulnerability handling before the September 2026 reporting obligations begin.
Technicians should expect more emphasis on updateable equipment, credentials, network segmentation, support lifetime, and clear manufacturer instructions for secure installation and operation.
QubiCast builds networking tools for professional lighting systems and helps manufacturers think through protocol behavior, monitoring, and lifecycle requirements.
This page is technical orientation for lighting teams and is not legal advice.