For European video operators, the EU Cyber Resilience Act (CRA) is no longer a distant regulatory concept. Mandatory vulnerability reporting starts in September 2026, and the implications for set-top boxes (STB) and video security are significant.

The CRA is the first regulation to treat cybersecurity as a continuous obligation across the full lifecycle of digital products, rather than a one-off certification before deployment. This shift exposes uncomfortable truths about how video security has been handled for years.

CRA is not just about new set-top boxes

It is a mistake to assume the CRA only applies to devices placed on the market after 2027. From September 2026, vulnerabilities in deployed and supported products must be handled and reported. If an STB is still in operation, it is in scope. Legacy deployments are no longer invisible. This fundamentally changes the conversation.

DRM and CA vulnerabilities are now regulatory risks

Under the CRA, vulnerabilities are not limited to traditional IT threats. Any weakness affecting the security, integrity, or trust of a product matters.

This includes:

  • DRM vulnerabilities.
  • Conditional Access weaknesses.
  • Key extraction paths.
  • Trust-chain and TEE-related vulnerabilities.

These issues have long been treated as content protection problems. Under the CRA, known vulnerabilities that are not addressed may constitute non-compliance, with potentially substantial sanctions.

Unmanaged devices might be out, but the operator’s STBs are in

Unmanaged retail devices generally fall outside operator responsibility. Operator-provided STBs do not.

If an operator supplies, brands, or manages a device, it is responsible for it as a Product with Digital Elements (PDE). The reality is well-known: many deployed STBs receive few or no security updates today. From a CRA perspective, that represents a growing liability.

Offline does not mean out of scope

Connectivity is not a prerequisite under the CRA.

The regulation applies equally to one-way STBs, including satellite and terrestrial deployments. Broadcast-only environments that have historically avoided scrutiny may now face audits if vulnerabilities are known and devices remain in operation.

CRA exposes an operational gap

The real challenge is not understanding the regulation. It is operational readiness.

Some operators are sitting on:

  • Legacy STB fleets.
  • DRM and CA technologies with known vulnerabilities.
  • Dependencies on third-party update cycles.
  • Devices that are difficult or impossible to patch.

As reporting obligations approach, the key question to ask is, “What is the plan when vulnerabilities can no longer be ignored?”

Verimatrix ReAccess: A practical response to CRA pressure

When devices can’t be properly patched for vulnerabilities, the CRA might force hard decisions, but it does not have to force hardware replacement.

Verimatrix ReAccess enables operators to renew and replace security in the field, upgrading DRM and CA protection across OTT, IPTV, and DVB deployments without swapping out devices. It provides a practical path to address vulnerabilities, maintain studio-grade security, and reduce regulatory exposure.

In a world where lifecycle security is mandatory, renewability is no longer optional.

The clock is ticking

With vulnerability reporting starting in September 2026, the Cyber Resilience Act is about to test long-standing assumptions in the video industry.

Operators who believe legacy STBs, offline deployments, or known DRM and CA vulnerabilities are out of scope are likely to be surprised. Those who act now to modernize security and enable renewability will be in a far stronger position.

The CRA is not waiting. The question is whether the industry is.